What is supposed to be included in a data breach notification letter?

If there has been a data breach that could cause serious harm then an agency (business or organisation) is required to notify affected individuals and inform them of their right to complain to our Office.

Because the Privacy Act requires the agency to inform you of your right to make a complaint to our Office you will see information about this in the letter you received from them. However, our complaints process requires that you try to resolve the issue directly with the agency first before we will investigate or act. Read more information about our complaints process and resolving complaints.

There should be information in the letter about how to contact the agency if you have more questions about what has happened or the steps it’s taking to manage the situation. The Privacy Commissioner is not able to answer questions about that; you need to contact the agency directly. There should also be information about how to contact the agency if you feel that the letter you received does not resolve your concerns and you wish to make a complaint.

Read these related AskUs articles:

• I’ve received a letter from an agency informing me of a breach and my right to complain to the Privacy Commissioner. What should I do now?(external link)

Updated November 2025