Privacy breach notification: when and how to report under the Privacy Act 2020
The Privacy Act 2020 introduced mandatory breach notification. Here is what triggers a notification and what you need to do.
One of the most significant changes in the Privacy Act 2020 was the introduction of mandatory privacy breach notification. Under Part 6 of the Act, an agency must notify both the Privacy Commissioner and the affected individuals when it is reasonable to believe a privacy breach has caused, or is likely to cause, serious harm.
What counts as a notifiable breach?
A privacy breach is notifiable if both of the following apply:
- It involves unauthorised access to, or disclosure of, personal information, or the loss of personal information in circumstances where unauthorised access or disclosure may occur.
- It is reasonable to believe the breach has caused, or is likely to cause, serious harm to one or more affected individuals.
What is "serious harm"?
The Act does not define "serious harm", but it does set out the factors an agency must weigh when assessing whether a breach is likely to cause it, and the OPC guidance expands on them:
- The sensitivity of the information
- Whether the information is protected by security measures (for example, encryption where the unauthorised party does not also hold the key; an encrypted device whose password was exposed alongside it offers no real protection)
- The nature of the harm that could result (financial loss, identity theft, discrimination, damage to reputation)
- Who obtained, or could obtain, the information
- Any steps you have already taken to reduce the risk of harm (for example, revoking an exposed credential or confirming a misdirected email was deleted unread)
Notification obligations
If a breach is notifiable, you must:
- Notify the Privacy Commissioner as soon as practicable after becoming aware of the breach. OPC guidance says it expects this to be no later than 72 hours.
- Notify the affected individuals as soon as practicable, or, where it is not reasonably practicable to contact each individual, give public notice of the breach.
- Tell both what happened: a description of the breach, the personal information involved, what you have done or intend to do to contain it and reduce harm, and, for individuals, what they can do to protect themselves and how to contact you.
Penalties
Failing to notify the Privacy Commissioner of a notifiable breach without reasonable excuse is itself an offence, with a fine of up to $10,000. The Privacy Commissioner can also issue a compliance notice requiring an agency to do, or stop doing, something in order to comply with the Act, and can enforce a compliance notice through the Human Rights Review Tribunal.
How DEIS helps
Investigating a breach comes down to establishing scope quickly: which individuals, which information, over what period, and by whom. DEIS's evidence log creates an immutable record of all data access, so if a breach occurs you can identify exactly which personal information was accessed, when, and by whom, which significantly reduces the time to investigate and notify.
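The scoping step described above, as an added example that is not DEIS code: given an access log and a compromised account, it produces the facts a notification needs (affected individuals, information types, first and last access, and whether sensitive fields were involved). The JSON-lines schema, field names, the `SENSITIVE_FIELDS` set and the sample log lines are all constructed assumptions for the example, not DEIS's actual format.

```python
"""Scope a privacy breach from an access log (added example, not DEIS code).

Assumes a JSON-lines access log with the fields ts (ISO 8601), actor,
action, subject_id and fields. These names are assumptions for this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample log: three reads/exports by the compromised account inside
# the window, one by a different user, and one by the same account the next day.
SAMPLE_LOG = """
{"ts": "2024-03-01T09:15:00+13:00", "actor": "jsmith", "action": "read", "subject_id": "C-1001", "fields": ["name", "email"]}
{"ts": "2024-03-01T09:16:30+13:00", "actor": "jsmith", "action": "read", "subject_id": "C-1002", "fields": ["name", "ird_number"]}
{"ts": "2024-03-01T09:20:00+13:00", "actor": "jsmith", "action": "export", "subject_id": "C-1001", "fields": ["address", "date_of_birth"]}
{"ts": "2024-03-01T10:00:00+13:00", "actor": "akumar", "action": "read", "subject_id": "C-1003", "fields": ["name"]}
{"ts": "2024-03-02T08:00:00+13:00", "actor": "jsmith", "action": "read", "subject_id": "C-1004", "fields": ["name", "email"]}
"""

# Field names treated as sensitive for the serious-harm assessment (assumed list).
SENSITIVE_FIELDS = {"ird_number", "passport_number", "health_notes"}

# Hypothetical incident: jsmith's credential was known to be compromised on 1 March (NZDT).
NZDT = timezone(timedelta(hours=13))
COMPROMISED_ACTOR = "jsmith"
WINDOW_START = datetime(2024, 3, 1, 9, 0, tzinfo=NZDT)
WINDOW_END = datetime(2024, 3, 1, 23, 59, 59, tzinfo=NZDT)


@dataclass
class BreachScope:
    actor: str
    window: tuple[datetime, datetime]
    affected: dict[str, set[str]] = field(default_factory=dict)  # subject_id -> fields touched
    first_seen: datetime | None = None
    last_seen: datetime | None = None

    @property
    def sensitive_subjects(self) -> set[str]:
        """Individuals for whom at least one sensitive field was accessed."""
        return {sid for sid, flds in self.affected.items() if flds & SENSITIVE_FIELDS}


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into records with an aware datetime in 'ts'."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        entries.append(rec)
    return entries


def scope_breach(entries: list[dict], actor: str, start: datetime, end: datetime) -> BreachScope:
    """Collect every subject and field the compromised actor touched inside the window."""
    scope = BreachScope(actor=actor, window=(start, end))
    for rec in entries:
        if rec["actor"] != actor or not (start <= rec["ts"] <= end):
            continue  # other users, or activity outside the compromise window
        scope.affected.setdefault(rec["subject_id"], set()).update(rec["fields"])
        if scope.first_seen is None or rec["ts"] < scope.first_seen:
            scope.first_seen = rec["ts"]
        if scope.last_seen is None or rec["ts"] > scope.last_seen:
            scope.last_seen = rec["ts"]
    return scope


def notification_summary(scope: BreachScope) -> dict:
    """The facts a Commissioner / individual notification needs, in one structure."""
    all_fields = set().union(*scope.affected.values()) if scope.affected else set()
    return {
        "actor": scope.actor,
        "affected_individuals": sorted(scope.affected),
        "information_types": sorted(all_fields),
        "sensitive_information_involved": bool(scope.sensitive_subjects),
        "individuals_with_sensitive_data": sorted(scope.sensitive_subjects),
        "first_access": scope.first_seen.isoformat() if scope.first_seen else None,
        "last_access": scope.last_seen.isoformat() if scope.last_seen else None,
    }


def demo_scope() -> BreachScope:
    """Run the scoping over the constructed log for the hypothetical incident."""
    return scope_breach(parse_log(SAMPLE_LOG), COMPROMISED_ACTOR, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    print(json.dumps(notification_summary(demo_scope()), indent=2))
```

Note that the window is bounded on both ends by what you actually know about the compromise; if the start is uncertain, widen it rather than guess, since under-scoping means some affected individuals are never notified.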