What is an eligible data breach under the Privacy Act?

Technology Law

The Notifiable Data Breaches (NDB) scheme does not require you to notify the OAIC or affected individuals for every minor data security incident. Section 26WE of the Privacy Act 1988 (Cth) specifies three criteria that must all be met for an “eligible data breach” to exist.

1. Unauthorised Access, Disclosure, or Loss

The first criterion is that there must have been unauthorised access to, unauthorised disclosure of, or loss of personal information. This includes hacking, employees accessing files they are not authorised to see, or a lost laptop or USB drive that is not correctly encrypted.

2. Likely to Result in Serious Harm

The breach must be likely to result in serious harm to one or more of the individuals whose information was involved. Determining serious harm involves assessing the nature and sensitivity of the data. For example, a breach involving medical records or financial account details carries a higher risk of serious harm than a public business phone number.

3. Remedial Action Cannot Prevent Serious Harm

Even if the first two criteria are satisfied, the incident is not an eligible data breach if you have taken remedial action that successfully prevents the likely serious harm before it occurs. For instance, if you remotely wipe a lost phone before any of its personal data is accessed, the breach is no longer “eligible” and does not require notification.

Summary Checklist

  • Was the information accessed by someone who wasn’t authorised?
  • Is serious harm to any of the affected individuals likely?
  • Can you take immediate action to stop that harm? (If yes, notification may not be required.)

Are you unsure if your data breach is “eligible” for notification? Bell & Senior Lawyers provides same-day legal assessments for Queensland businesses. Call (07) 5532 8777.