Your Data Breach Response Plan Under Australian Privacy Law
The Notifiable Data Breaches scheme in the Privacy Act gives you 30 days from suspecting a breach to complete your assessment, and requires you to notify as soon as practicable once you believe the breach is an eligible one. Here's exactly what to do and in what order.
Australian Privacy Principles and Data Breaches
When personal information gets exposed, the Privacy Act 1988 requires you to act fast. Under the Notifiable Data Breaches scheme you have 30 days from the moment you become aware of reasonable grounds to suspect a breach to complete your assessment. Not 30 days to start thinking about it. Thirty days to finish. And 30 days is the ceiling, not the target: the Act says the assessment must be "reasonable and expeditious", so a breach you could have assessed in three days that took four weeks is itself a problem.
Most SMEs I work with have a vague plan that amounts to "call our IT person." That's not a plan. And when a breach actually happens, the panic sets in quickly. So here's the process, step by step, before you need it.
The 30-Day Clock Under the Australian Privacy Principles
The Notifiable Data Breaches scheme sits under Part IIIC of the Privacy Act 1988. If you're covered by the Australian Privacy Principles, you're covered by the NDB scheme too.
Here's what triggers it. A breach becomes "eligible" when there's unauthorised access to, unauthorised disclosure of, or loss of personal information, a reasonable person would conclude it's likely to result in serious harm to any of the individuals concerned, and you haven't managed to remove that likely risk of serious harm through remedial action. "Likely" means more probable than not. Serious harm includes financial fraud, identity theft, physical harm, or serious psychological harm.
The 30-day window starts when you have reasonable grounds to suspect a breach has occurred. Not when you've confirmed it. Not when IT has finished investigating. When you suspect.
That distinction matters. If an employee reports on Monday that they typed their password into a fake login page, and you wait until the following Monday to look into it, the clock started on Monday. You've already burned a week.
If your assessment gives you reasonable grounds to believe an eligible data breach has occurred, you must prepare a statement, give it to the OAIC, and notify affected individuals as soon as practicable. The 30 days is an assessment window, not a notification grace period: if you reach that belief on day five, you notify on day five. If you determine serious harm isn't likely, document why and keep that record. The OAIC can ask to see it later.
What "Reasonable Steps" Looks Like Before a Breach
APP 11 requires you to take "reasonable steps" to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. What counts as reasonable depends on your size, the sensitivity of the data you hold, and the consequences if something goes wrong.
For a business with 10 to 200 employees, reasonable steps include multi-factor authentication on every system that holds personal information (email first, since that's where most breaches start), access controls so staff only see data they need for their role, full-disk encryption on laptops and portable devices, regular patching of software and operating systems, enough logging that you can later answer who accessed what and when, and a written breach response plan that your staff have actually seen. That last logging point is the one everyone skips, and it's the one that decides whether your 30-day assessment is evidence or guesswork.
None of this is optional. When the OAIC investigates a breach, one of the first things they look at is what you had in place before it happened. If you can't show you took reasonable steps, the breach itself becomes an APP 11 failure on top of everything else.
The Actual Steps When a Breach Happens
Here's the order. Print this out if you need to.
Breach Response Process
Contain it. Stop the bleeding. If credentials are compromised, reset them and kill active sessions. If a system is exposed, take it offline. If someone emailed a spreadsheet to the wrong person, contact the recipient and ask them to delete it and confirm in writing that they have. Do whatever you can to limit further access, but don't wipe machines or rotate logs while you do it: you'll need that evidence for the next step. Containment also matters legally. If your remedial action means a reasonable person would no longer conclude serious harm is likely, the breach isn't an eligible data breach and you don't have to notify. Write down what you did and when, because that's what the exception turns on.
Assess the scope. What information was involved? Names and email addresses are different from tax file numbers and health records. How many people are affected? How did it happen? Was it a phishing email, a misconfigured sharing setting, a lost laptop?
Decide if it's notifiable. Would a reasonable person conclude the breach is likely to result in serious harm to any of the affected individuals? If yes, or if you can't rule it out, treat it as notifiable.
(Diagram: Is This Breach Notifiable?)
Notify the OAIC. Use the Notifiable Data Breach statement form on the OAIC website. The statement has to include your identity and contact details, a description of the breach, the kinds of information involved, and recommendations about what affected individuals should do. You'll also be asked what you've done in response.
Notify affected individuals. Give them the same content as the OAIC statement: what happened, what information was involved, and what they can do to protect themselves. Be specific. "We experienced a data incident" is not useful. "Your name, email, and date of birth were accessed by an unauthorised party on 15 April" is. The Act gives you three ways to do this: notify every affected individual directly, notify only those at likely risk of serious harm, or, if neither is practicable, publish the statement on your website and take reasonable steps to publicise it. Direct notification is the default; the other two are for when you genuinely can't reach people.
Review and fix. After the immediate response, look at what failed. Was it a process gap, a technology gap, or a people gap? Fix it. Document what you changed.
The Mistakes That Make Breaches Worse
The breach itself is often survivable. What gets businesses into real trouble is the response.
Waiting too long to investigate. Every day you delay is a day subtracted from your 30-day window and a day the OAIC will ask about later.
Notifying people with vague language. If affected individuals can't understand what happened or what they should do, your notification hasn't met the standard.
Not documenting your assessment. If you determine a breach isn't notifiable, you need to be able to explain why. "We didn't think it was serious" isn't a documented assessment. Write down what data was involved, how many people were affected, what the potential harms are, and why you concluded serious harm wasn't likely.
Forgetting about your vendors. If the breach happened at a third-party provider that holds your customers' data, you still hold that information for the purposes of the Act, and the notification obligations are yours as much as theirs. Where you both hold the same data, the Act only requires one of you to notify, but you need to confirm it actually happened and that the statement was adequate. If nobody does it, you're both in breach. If the provider is overseas, APP 8 goes further: you're accountable for their handling of the data as if it were your own. Your obligations don't transfer to them.
Get Your Plan Written Before You Need It
The worst time to figure out your breach response process is during a breach. Write it down now. Make sure your team knows who to call first, what to contain, who owns the written assessment, and where the OAIC notification form is.
You don't need a 40-page incident response document. A two-page plan that your staff have actually read is worth more than a binder no one can find.
Robbie Cronin
Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.