
Delayed Data Breach Notification: When is it okay to delay?

Under Australian law, organisations are required to notify the Office of the Australian Information Commissioner (OAIC) within 30 days whenever a notifiable data breach occurs. However, the latest Notifiable Data Breach Report reveals that 25% of organisations took more than 120 days to do so. That begs the question: when is it okay to submit a delayed data breach notification?

Data Breach Notification Requirements in Australia 

Australia’s Privacy Act 1988 (Cth) provides that entities must take all reasonable steps to complete their assessment of whether an incident amounts to an eligible data breach within 30 calendar days. They must also notify the OAIC and affected individuals as soon as possible after confirming there are reasonable grounds to believe an eligible data breach has occurred.

Find more information about the specifics of the existing data breach notification law in Australia.

We’ve also published information about notifications following a ransomware attack and our thoughts on the changing notification landscape in Australia.

Delayed Data Breach Notifications in Australia 

The 30-day maximum timeline for entities to notify the OAIC and affected individuals was not arbitrarily chosen. It was put in place to counteract the impact that time has on the risk to affected individuals. Generally, the risk of serious harm to individuals increases with time. Early reporting empowers individuals to minimise the risk the breach poses to them.  

When is it okay to take more than 30 days to notify the OAIC and affected individuals? 

The OAIC clarified in its July-December 2021 Notifiable Data Breaches Report that neither of the following steps discharges an entity’s obligation to report to the OAIC and affected individuals within 30 days: 

  • An entity’s election to tailor notifications; or  
  • A preliminary notification to the OAIC. 

In other words, the OAIC considers the 30-day maximum timeline provided by the Privacy Act 1988 (Cth) to be a firm deadline, regardless of the circumstances.  

Partial Notifications: The solution for entities struggling to meet the 30-day timeline  

The Notifiable Data Breach scheme provides 3 options for entities to notify individuals, namely: 

Option 1: Notify each individual whose personal information has been involved in the eligible data breach.  

Option 2: Notify individuals who are at risk of serious harm due to the data breach. 

Option 3: Publish a statement regarding the eligible data breach on the entity’s website and publicise it. This option should only be used where neither option 1 nor option 2 is practicable.

The OAIC goes on to state in its press release accompanying the July-December 2021 report that entities that may not be able to tailor notifications, due to the complexity of assessing what data was breached, should rely on option 3.

“The report highlights a scenario in which an organisation experienced a phishing attack and an employee’s email account was compromised. A preliminary review of the incident suggested a significant amount of personal information was at risk, but that it would take 5 months to identify and tailor notifications to everyone at risk of serious harm. 

In this case, best practice was to promptly notify individuals, providing general recommendations that applied to all individuals whose personal information was contained in the email account, rather than attempting to tailor notifications and delay the process.” 

Partial Data Breach Notifications: Tips for General Recommendations

Regardless of whether option 1, 2 or 3 (above) is used to notify affected individuals following an eligible data breach, the notifying entity must provide recommendations and steps for individuals to take in response to the breach. These will vary depending on the unique circumstances of the breach but might include:

  • Changing the password for the impacted website, and potentially for other websites if the same email address, username and/or password is reused;
  • Monitoring financial statements;
  • Cancelling certain credit cards;
  • Adding Multi-Factor Authentication (MFA) where possible, preferably using an authentication app rather than text-based MFA; and
  • Freezing credit.

Entities must also include their name and contact details, a description of the data breach, and details of the kinds of information involved in order to satisfy Australia’s data breach notification requirements.

Proactive Data Breach Notification Planning 

Privacy 108 works with organisations that have experienced a data breach and need legal assistance. But we strongly recommend entities opt for a proactive approach to data breach notification planning.  

Data breach notification planning streamlines your organisation’s response to a data breach, which helps to protect your reputation, fulfil your legal obligations, and can positively impact your internal processes and reduce risk, too.  

If you’d like more information about proactively planning your data breach response, reach out.

Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.