Content of an Eligible Data Breach Statement (s 26WK)
Section 26WK of the Privacy Act prescribes the content of the statement an entity must give the OAIC when there has been an eligible data breach under the Notifiable Data Breaches scheme.
When the section 26WK statement is required
Section 26WK applies when an Australian Privacy Principles (APP) entity has reasonable grounds to believe an eligible data breach has occurred (section 26WC). An eligible data breach involves unauthorised access to, or unauthorised disclosure of, personal information held by the entity, or loss of information that could lead to such access or disclosure. A key factor is whether a reasonable person would conclude that the breach is likely to result in serious harm.
Before this point, section 26WH requires an entity to undertake a reasonable and expeditious assessment within 30 days if it suspects a data breach but is not yet certain. This assessment determines whether there are reasonable grounds to believe an eligible data breach has occurred.
Following the determination of reasonable grounds, the APP entity must prepare and give a section 26WK statement to the Commissioner as soon as practicable. This obligation arises once the entity is certain that an eligible data breach has occurred.
Mandatory statement content
The Eligible Data Breach Statement must contain specific information as outlined in the legislation. Section 26WK(3)(a) mandates the inclusion of the entity’s identity and contact details. This allows affected individuals to readily identify the organisation responsible for the data breach and to contact it directly.
Further requirements are detailed in section 26WK(3). The statement must describe the eligible data breach that the entity has reasonable grounds to believe has occurred (section 26WK(3)(b)). It must also specify the kind, or kinds, of information concerned (section 26WK(3)(c)). Finally, the statement must include recommendations about the steps that individuals should take in response to the eligible data breach (section 26WK(3)(d)).
In circumstances where an eligible data breach involves multiple entities, such as where another APP entity is involved (for example, a joint controller), section 26WK(4) allows for a single, combined statement to cover all entities.
Notifying affected individuals
Section 26WL requires an entity to notify the contents of an eligible data breach statement to individuals at risk of serious harm. The legislation provides flexibility in how this notification occurs. Options include notifying each individual to whom the information relates, notifying only those at likely risk of serious harm, or, where neither of those options is practicable, publishing the statement on the entity’s website and taking reasonable steps to publicise it.
Where reasonable, the entity should use the method it normally uses to communicate with the individual. This ensures consistency and may facilitate understanding of the information provided.
Notification to individuals must occur as soon as practicable after the statement is prepared. The Office of the Australian Information Commissioner (OAIC) expects prompt notification, as delay tends to increase the risk of serious harm.
Exceptions and OAIC expectations
Section 26WM allows for exceptions to the notification obligations. These exceptions apply where providing a statement would be inconsistent with secrecy provisions, prejudice an enforcement related activity, or where the Commissioner has granted an exemption. Reporting obligations relating to ransom payments are subject to specific considerations; see Cyber Security Act ransomware payment reporting for further information.
The Office of the Australian Information Commissioner (OAIC) expects eligible data breach statements to contain enough detail for affected individuals to understand the potential consequences of the breach and take steps to protect themselves.
To ensure clarity for those affected, the OAIC recommends that entities include the name most familiar to individuals, even if it differs from the entity’s registered company name. Failure to comply with these notification obligations may constitute an interference with the privacy of an individual and may attract civil penalty action.
Frequently asked questions
How quickly must a section 26WK statement be given?
Section 26WK requires the statement to be given to the Commissioner 'as soon as practicable' after the entity is aware of reasonable grounds to believe there has been an eligible data breach. The 30-day clock in section 26WH applies to the assessment phase, not to notification once awareness is established.
Can one statement cover multiple entities affected by the same breach?
Yes. Section 26WK(4) allows a single combined statement where the breach is an eligible data breach of more than one entity, provided each entity is identified and the prescribed content is included.