Last updated: 5 June 2024
This guide has focussed on how to manage data breaches affecting personal information for entities with obligations under the Privacy Act.
Entities may need to consider whether the circumstances of a data breach trigger other requirements, or whether the type of information they hold warrants specific actions to prepare for and manage a data breach. For instance, it may be appropriate to seek advice from the Australian Taxation Office for a data breach that involves tax file numbers, or to seek guidance from the Australian Digital Health Agency if a data breach involves information stored in the My Health Record system.
Entities may also be required to notify other regulators about certain matters under industry-specific regulation, or to notify professional associations about matters related to a data breach. Contractual arrangements may also create obligations to take certain steps to prepare for a data breach and to share certain information in the event of one.
Relevant sources of advice in the event of a data breach (in addition to the Commissioner) may include:
- federal or State or Territory police or law enforcement bodies
- the affected entity’s financial services provider
- Australian Securities & Investments Commission (ASIC)
- Australian Prudential Regulation Authority (APRA)
- Australian Taxation Office (ATO)
- Australian Cyber Security Centre (ACSC)[37]
- CERT Australia
- Australian Transaction Reports and Analysis Centre (AUSTRAC)
- Australian Digital Health Agency (ADHA)[38]
- Department of Health[39]
- State or Territory Privacy and Information Commissioners[40]
- IDcare, or other organisations that support individuals affected by data breaches
- professional associations and professional regulatory bodies
- third parties under an agreement or contract, for example contracted service providers or insurance providers.
Other OAIC resources
The following resources can be found on the OAIC website <https://www.oaic.gov.au>:
- Guide to Securing Personal Information
- Chapter 9: Data Breach Incidents in the Guide to Privacy Regulatory Action
- Chapter 1 and Chapter 11 of the APP Guidelines
- Consumer resources: Data Breaches
- Guide to Mandatory Data Breach Notification in the My Health Record System
- Chapter 12 of the CDR Privacy Safeguard Guidelines
Cyber security resources
Technical standards and guidance that may assist entities to prepare for and respond to a data breach include the following:
- CERT Australia, Australia’s national computer emergency response team (its functions now sit within the Australian Cyber Security Centre) — CERT Australia provides advice and support on cyber threats and vulnerabilities to the owners and operators of Australia’s critical infrastructure and other systems of national interest.
- International standards published by the International Organization for Standardization (ISO) and Australian standards published by Standards Australia, including the AS/NZS ISO/IEC 27000 series of information security management standards (notably ISO/IEC 27001 for the management system itself and ISO/IEC 27035 for information security incident management)
- National Institute of Standards and Technology (NIST, USA), which publishes detailed cyber security frameworks and guidance, including the Cybersecurity Framework and the SP 800 series, with published mappings to the ISO/IEC 27000 series (see Cybersecurity on the NIST website)
- Control Objectives for Information and Related Technology (COBIT) — the Information Systems Audit and Control Association’s (ISACA) international framework for information technology (IT) management and IT governance. COBIT 5 is the edition referred to in this guide; ISACA has since published COBIT 2019.
- The National eHealth Security and Access Framework (NESAF) is a comprehensive suite of documents regarding health security for the health industry and specific Australian health organisations. The NESAF aims to assist health organisations in meeting their security obligations.
The following resources are particularly relevant to Australian Government agencies but are also useful for other organisations and government agencies:
- Australian Government Protective Security Policy Framework (PSPF), which aims to enhance Australia’s information security culture and provide a common approach to the implementation of protective security by Australian Government agencies. The PSPF may also be used by other government agencies (including State and Territory agencies), as well as the private sector, as a model for better security practice
- Australian Cyber Security Centre (cyber.gov.au) provides a range of resources on cyber security for businesses, individuals and government, including the Australian Government Information Security Manual and the Essential Eight Maturity Model.
[35] The Guide to Privacy Regulatory Action sets out a detailed explanation of particular privacy regulatory powers, looking at the legislative framework and purpose of the power, and the procedural steps the OAIC will take in the exercise of the regulatory power. See the OAIC website.
[36] For more information about civil penalty provisions in the Privacy Act, see Guide to Privacy Regulatory Action, Chapter 6: Civil Penalties — Serious or Repeated Interference With Privacy and Other Penalty Provisions.
[37] Further information about cyber security incidents that should be reported is available at www.cyber.gov.au/report.
[38] For data breaches involving the My Health Record system.
[39] For data breaches involving the National Cancer Screening Register.
[40] For more information about state and territory jurisdictions, see Privacy in Your State, OAIC website.