Skip to content

My online business website has had a data breach – what can I do?

It is a legal requirement on businesses, agencies and organisations to notify individuals when a breach of security has resulted in the disclosure of personal information. This data breach notification is required by the Privacy Act 1988 (Cth) – agencies and organisations are required to take reasonable steps to maintain the security of the personal information they collect. Any information that is misused, interfered with, or lost from unauthorised access, modification or disclosure must be disclosed. Notification of a data breach supports good privacy practice.

Data Breaches

Data breaches are not limited to malicious actions, such as theft or ‘hacking’, but may arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure. If a data breach takes place, notification can be an important mitigation strategy. It can also promote transparency and trust in the organisation or agency.

Examples of data breaches:

  • lost or stolen laptops and storage devices
  • hacking of databases
  • employees accessing unauthorised information
  • paper records stolen
  • an individual deceiving an agency or organisation into improperly releasing the personal information of another person

Reasonable Steps to Prevent Breaches of Data

Organisations are required to prepare and implement a data breach policy and response plan. This should include notifying affected individuals and the OAIC (Office of the Australian Information Commissioner) of any breach. If there is a real risk of serious harm as a result of any breach of data, the OAIC should be notified.

Continue reading this article below the form
Loading form

Responding to a Data Breach

There are four key steps to consider when responding to a breach or suspected breach:

  • Step 1: Contain the breach and do a preliminary assessment. This involves taking immediately steps to contain the breach and designate a person or team to coordinate response.
  • Step 2: Evaluate the risks associated with the breach. Consider what personal information is involved.
  • Step 3: Notification. This will involve a risk analysis.
  • Step 4: Prevent future breaches by fully investigating the cause of the breach.

In determining notification, agencies should notify the individuals affected by the breach. However, in some cases it may be appropriate to notify the individual’s guardian or authorised representative on their behalf. The OAIC strongly encourages agencies and organisations to report serious data breaches to the OAIC. The precise wording of the notification notice may have legal implications. Organisations should seek legal advice. The legal implications could include secrecy obligations that apply to agencies.

Preventing Future Data Breaches

In preventing future data breaches, organisations and agencies should implement a breach response plan or a breach response team to handle incidents from occurring again. Enhancing transparency through internal communication and training can also prevent future breaches.

Conclusion

If your business, organisation or agency has been involved in a data breach, our lawyers can assist you with your obligations in complying with the Privacy Act. Please call our office on 1300 544 755 and our Client Care team will happily provide you with an obligation-free consultation and a fixed-fee quote.

Register for our free webinars

Ask an Employment Lawyer: Contracts, Performance and Navigating Dismissals

Online
Ask an employment lawyer your contract, performance and dismissal questions in our free webinar. Register today.
Register Now

Stop Chasing Unpaid Invoices: Payment Terms That Actually Work

Online
Stop chasing late payments with stronger terms and protections. Register for our free webinar.
Register Now

Managing Psychosocial Risks: Employer and Legal Counsel Responsibilities

Online
Protect your business by managing workplace psychosocial risks. Register for our free webinar.
Register Now

Franchisor Compliance Update: Code Obligations from November 2025

Online
Stay compliant with the new franchising updates from November 2025. Register for our free webinar.
Register Now
See more webinars >
Lachlan McKnight

Lachlan McKnight

CEO | View profile

Lachlan is the CEO of LegalVision. He co-founded LegalVision in 2012 with the goal of providing high quality, cost effective legal services at scale to both SMEs and large corporates.

Qualifications: Lachlan has an MBA from INSEAD and is admitted to the Supreme Court of England and Wales and the Supreme Court of New South Wales.

Read all articles by Lachlan

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards