When must I report a privacy breach?

If personal information you hold is accessed, used or disclosed in any unauthorised way, this may be a breach of privacy.  Some breaches must be reported to the Office of the Australian Information Commissioner (OAIC) and the people affected.  The obligation to report a privacy breach depends on whether you are bound by the Privacy Act.

Are you bound by the Privacy Act?

Small business – not offering certain services

If you have an annual turnover of less than $3 million, then you are exempt from complying with the Privacy Act.  This means you will not have to report a breach of privacy, UNLESS you provide certain services.

Small business – provides certain services

If you provide health services or other services that mean the Privacy Act applies to you (such as financial services), you will have to comply with the Privacy Act and may have to report any breaches regardless of your annual turnover.  This is because these types of businesses collect sensitive information, which requires extra protection under the Privacy Act.

Small business – with certain contracts

Even if your business is exempt from the Privacy Act, if you have contracts with or provide services to certain types of entities, you may still need to comply if the other entity has to comply.  If you are dealing with personal information in connection with a contract or service you are providing to an entity that has to comply with the Privacy Act, then you also will have to comply.  This is normally set out in the terms or contract between you and that other entity.  This commonly arises if you deal with government departments, educational institutions, health providers or financial services providers.

The type of breach must be reportable

Not all privacy breaches must be reported.  You only have to report “eligible” breaches.  In addition, you may only have to report the breach to the OAIC or put a notice on your website instead of contacting each individual affected.

Ultimately whether you must report a privacy breach depends on the circumstances involved, so it is best to obtain legal advice to make sure.

