How long do I have to assess and report a data breach in Queensland?

The Notifiable Data Breaches (NDB) scheme sets strict timeframes under the Privacy Act 1988 (Cth). For many businesses, failing to act within these deadlines is a separate legal contravention that results in substantial fines.

1. The 30-Day Assessment Clock

The most critical timeframe is found in section 26WH of the Act. Once your business has reasonable grounds to suspect that an eligible data breach may have occurred, you must take all reasonable steps to complete an assessment within 30 days.

2. Notification as Soon as Reasonably Practicable

Once your assessment is complete and you have determined that an “eligible” data breach exists, you must notify the OAIC and affected individuals. This notification must be made as soon as reasonably practicable.

3. The ASD 72-Hour Ransomware Requirement

Queensland businesses should note that a separate reporting obligation exists under the Cyber Security Act 2024 (Cth). If your business makes a ransomware or cyber extortion payment, this must be reported to the Australian Signals Directorate (ASD) via the ReportCyber portal within 72 hours of the payment being made.

4. Key Deadlines Summary

  • Suspicion: The 30-day assessment window begins immediately.
  • Confirmation: Notify affected individuals and the OAIC as soon as possible.
  • Ransomware or cyber extortion payment: Report to ASD within 72 hours of making the payment.

Is your 30-day assessment window running? Bell & Senior Lawyers provides priority legal reviews for data breach incidents. Call (07) 5532 8777.
