What is a notifiable privacy breach?
A notifiable privacy breach is when:
- Personal information an agency holds has been accessed, disclosed, altered, lost (including temporary loss of access to it) or destroyed without authorisation, AND
- it’s reasonable to believe an affected individual has suffered serious harm as a result, or is likely to.
Serious harm could be physical harm or intimidation, financial fraud (including unauthorised credit card transactions or credit fraud), family violence, or psychological or emotional harm.
You must report a notifiable privacy breach to our Office as soon as practicable after anyone in your agency identifies that these criteria have been met. Our expectation is that this will be reported within 72 hours of becoming aware that it's a notifiable breach. You may have other legal responsibilities, too, such as ensuring affected people receive the information required by s117(2) of the Privacy Act.
OPC’s Notify Us tool can help you assess how serious your breach is and whether you will need to notify the Privacy Commissioner. This tool is a guide only, so if you're not sure, please notify. If you do need to notify OPC, you can also do this using Notify Us.
If a serious privacy breach occurs, it’s important you do everything you can to minimise the harm to both the people affected and your organisation.
Updated November 2025