Please resolve the following issues before proceeding
Click on an issue to go directly to the related section of the form.
errors found:
warnings found:

Submission Received

Thank you, your submission has been received.Submission Enquiries:

To check the progress of your submission and/or confirm it has been received, please contact the OAIC on 1300 363 992 or by email: enquiries@oaic.gov.au

Next steps

You are required to complete these additional forms to finalize your request.
Your Tracking Code is:
Please quote your Tracking Code when enquiring about your submission.

For your records

Would like a copy of this submission for your personal records?
OR

Check your email

We've sent a copy of your submission to your email address ().If you didn't receive it or would like another copy, just select one of the options below.
OR

Form Saved

Your form has been saved and may be re-opened later.
Your Tracking Code is:
Please note that your saved form, if not updated or submitted within a set period of time, will be deleted.Please ‘Send yourself a reminder email’ below. This email details the date and time your form will be deleted, the Tracking Code number, a link to access your saved form and information on how to contact us for further assistance.

Send yourself a reminder email

Enter your email address and we'll send you instructions on how to return to your form.

Check your email

We've sent instructions to your email address () on how to return to the application when you are ready. If you didn't receive it or would like a reminder send to a different email address, just click the link below and follow the instructions.

Notifiable Data Breach Form

Fields marked with * are required

About this form

Notifiable Data Breach statement

This form is used to inform the Australian Information Commissioner of an
‘eligible data breach’ where required by the Privacy Act 1988.

Part one is the 'statement' about a data breach required by section 26WK of the Privacy Act. If you are required to notify individuals of the breach, in your notification to those individuals you must provide them with the information you have entered into part one of the form.

The OAIC encourages entities to voluntarily provide additional information about the eligible data breach in part two of this form. Part two of the form is optional, but the OAIC may need to contact you to seek further information if you do not complete this part of the form.

Before completing this form, we recommend that you read What to include in an eligible data breach statement.

If you are unsure whether your entity has experienced an eligible data breach, you may wish to review Identifying eligible data breaches.

The OAIC will send an acknowledgement of your statement about an eligible data breach on receipt with a reference number.

You can save this form at any point and return to complete it within 3 days. To save your form, click on the Save For Later button on the top right-hand corner of this form. If you do not submit your saved form within 3 days, your saved information will be permanently erased.

Refreshing your browser will clear any information that you have not saved. If you need to refresh your browser while completing this form and wish to keep your changes, please save the form first.

Your personal information

We will handle personal information collected in this form (usually only your name and contact details) in accordance with the Australian Privacy Principles.

We collect this information to consider and respond to your breach notification. We may use it to contact you.

More information about how the OAIC handles personal information is available in our privacy policy.

Part one - Statement about an eligible data breach

Notifiable data breach form
Fields marked with * are required

About part one

The information that you provide to the OAIC in part one of this form must also be included in your notification to individuals (if notification is required).

Organisation/agency details

You must complete this section

Description of the eligible data breach

You must complete this section

Information involved in the data breach

You must complete this section
In addition, please select any categories that apply:

Recommended steps

You must complete this section

Other entities affected

This section is optional
If the data breach described above was also a data breach of another organisation/agency, you may provide their identity and contact details to further assist individuals.
Was another organisation/agency affected?
Please provide contact details for the organisation/agency:

Part two - Additional information

Notifiable data breach form
Fields marked with * are required

About part two

The OAIC encourages entities to provide additional information to assist us in understanding the eligible data breach. Part two of the form is optional, but the OAIC may need to contact you to seek further information if you do not complete this part of the form. The OAIC recommends you complete as many questions as possible, but you may leave a field blank if the answer is not known.

The information that you provide on part two of the form does not need to be included in your notification to individuals, and you may request that it be held in confidence by the OAIC.

Your contact details

Breach details

Date the breach occurred

Primary cause of the data breach

A malicious or criminal attack deliberately crafted to exploit known vulnerabilities for financial or other gain.
A business or technology process error not caused by direct human error.
An unintended action by an individual directly resulting in a data breach, for example inadvertent disclosure caused by sending a document containing personal information to the incorrect recipient.

Please provide more detail by selecting one of the following:

Theft of paperwork or data storage device.
An attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations.
An attack by an employee or insider acting against the interests of their employer or other entity.
A cyber incident targets computer information systems, infrastructures, computer networks, or personal computer devices.

Please provide more detail by selecting one of the following:

Software which is specifically designed to disrupt, damage, orgain unauthorised access to a computer system.
Automated software is used to generate a large number ofconsecutive guesses as to the value of the desired data, forexample passwords.
A type of malicious software designed to block access to data or a computer system until a sum of money is paid or other conditions are met.
An attack in which the target is contacted by email or text message by someone posing as a legitimate institution to lure individuals into providing personal information, sensitive information or passwords
Credentials are compromised or stolen by methods unknown.
Exploiting a software or security weakness to gain access to asystem or network, other than by way of phishing, brute-forceattack or malware.

Please provide more detail by selecting one of the following:

Please provide more detail by selecting one of the following:

An unintended action by an individual directly resulting in a data breach, for example inadvertent disclosure caused by sending a document containing personal information to the incorrect recipient.
Personal information sent to the wrong recipient via facsimile machine, for example, as a result of fax number incorrectly entered or wrong fax number on file.
Personal information sent to the wrong recipient via postal mail, for example, as a result of transcribing error or wrong address on files.
Personal information sent to the wrong recipient via channels other than email, fax or mail, for example, delivery by hand or uploading to web portal.
Sending an email to a group by including all recipient emails addresses in the ‘To’ or ‘CC’ field, thereby disclosing all recipient email address to all recipients.
Disposing of personal information in a manner that could lead to its unauthorised disclosure, for example, using a public rubbish bin to dispose of customer records instead of a secure document disposal bin.
Loss of a physical asset(s) containing personal information, for example, leaving a folder or a laptop on a bus.
Failure to effectively remove or de-identify personal information from a record before disclosing it.
Disclosing personal information without authorisation, verbally, for example, calling it out in a waiting room.
Unauthorised disclosure of personal information in a written format, including paper documents or online.

Number of individuals whose personal information is involved in the data breach

Number of individuals in Australia whose personal information is involved in the data breach

You may wish to separately report an incident to the Australian Cyber Security Centre if it raises cyber security concerns.

Notification

Please attach a template copy of your notification to affected individuals.
File:

Additional information

Is there any other information you wish to provide at this stage, or any matters that you wish to draw to the OAIC’s attention?

You can provide additional information below, or attach supporting documents when you submit this form.

If you wish to provide further information or documents after you submit the form, you may email them to enquiries@oaic.gov.au.
Attachments
File:
The OAIC will respect the confidence of commercially or operationally sensitive information provided voluntarily in support of a data breach notification, and will only disclose this information after consulting with you, and with your agreement or where required by law.

Review and submit

Notifiable data breach form
Fields marked with * are required

Submitting your form

Please review the information that you have provided about the data breach. If you would like to change anything, you can return to the relevant section by using the
Go Back button.

Once you are ready to submit your form, click the Submit button below.

Once you submit your form, you will be taken to a confirmation page. This page will provide a receipt number for your submission, and you will be able to download a copy of your completed form or have a copy sent to an email address of your choice.