
Australian privacy breach response checklist

Entities covered by the Privacy Act 1988 must notify eligible data breaches under the Notifiable Data Breaches scheme. This checklist is for privacy officers and lawyers responding to a data breach.

In short

This is a 12-step privacy breach response checklist for entities covered by the Australian Privacy Act. It covers assessment, notification, and remediation.


The checklist

1. Identify the breach: identify the unauthorised access, disclosure, or loss of personal information. (Privacy Act 1988 (Cth) s 26WE)

2. Contain the breach: contain the breach to prevent further access or disclosure.

3. Assess the scope: assess the volume, type, and sensitivity of the personal information compromised.

4. Apply the NDB threshold: assess whether the breach is likely to result in serious harm. (Privacy Act 1988 (Cth) s 26WE(2))

5. Assess within 30 days: complete the NDB assessment within 30 days of becoming aware of the breach. (Privacy Act 1988 (Cth) s 26WH)

6. Prepare the NDB statement: prepare a statement containing the information required by section 26WK. (Privacy Act 1988 (Cth) s 26WK)

7. Notify the OAIC: notify the OAIC using the NDB form as soon as practicable.

8. Notify affected individuals: notify affected individuals as soon as practicable. (Privacy Act 1988 (Cth) s 26WL)

9. Consider public notification: consider whether general public notification is needed if individuals cannot be contacted directly.

10. Provide remediation steps: provide individuals with recommended steps, such as a password reset or credit monitoring.

11. Document the response: document the incident, the assessment, and the response actions in the breach register.

12. Review and learn: conduct a post-incident review and update policies and training.

When this checklist applies

Use immediately when a suspected privacy breach is identified.

Common pitfalls

  • Missing the 30-day assessment deadline
  • Applying the NDB threshold incorrectly
  • OAIC statement missing required elements
  • Notifying affected individuals too late
  • Not maintaining the breach register
Run this checklist on a real matter

Quillio can help assess NDB obligations and prepare OAIC notification forms. See /practice-areas/firm-management or start a free trial.

This is general guidance for Australian privacy breach response. Apply it to the specific circumstances of the breach and consult current OAIC guidance.
