When to report a data breach

Under the Notifiable Data Breaches (NDB) scheme, an organisation or agency must notify affected individuals and the OAIC about an eligible data breach.

An eligible data breach occurs when:

An organisation or agency that suspects an eligible data breach may have occurred must quickly assess the incident to determine if it is likely to result in serious harm to any individual.

A data breach that occurred before 22 February 2018 is not an eligible data breach for the purposes of the NDB scheme. However, certain data breaches occur over a period of time. While a system may have been compromised before 22 February 2018, data may have been accessed after that date. While the circumstances will need to be assessed, we suggest that an organisation or agency in this situation should assume the data breach is subject to the NDB scheme.

For how to notify individuals or us about a data breach, see Report a Data Breach.
