Protecting your privacy: the top 3 things to do after being notified of a data breach

Published on February 26, 2025 by Yue Lucy Han and Selwyn Black

You’ve found out about a data breach at an organisation holding data on you.

What can you do to protect your privacy and enforce your right to privacy?

Here are the top 3 things to do:

  1. Secure your information to reduce harm
  2. Contact the Privacy Officer of the organisation where the data breach occurred
  3. Consider further action

STEP 1: Secure your information to reduce harm

Take steps to improve your cybersecurity to reduce your risk of harm.

The Office of the Australian Information Commissioner (OAIC), the federal privacy and freedom of information regulator, has the following guide on what you can do to secure your:

  • contact information
  • financial information
  • government-issued identity document
  • health information
  • tax-related information

You can read more about it here.

Make sure to keep a record of your activities and any losses. If you do experience harm, this record can demonstrate the steps you took to mitigate it.

STEP 2: Email the Organisation’s Privacy Officer

Please note: This is applicable to organisations or federal government agencies that are subject to the Privacy Act 1988 (Cth).

Why is this important?

You should email the organisation’s privacy officer and keep a record of your communication.

This is an important step to preserve your rights and to stay informed.

The OAIC requires individuals to have contacted the organisation and allowed it a reasonable period to respond before taking the matter further with the OAIC.

The OAIC indicated that 30 days is a reasonable period.

How to find the Privacy Officer’s Contact Information?

You can usually find the organisation’s privacy officer (or contact person) by:

  • going to the organisation’s website;
  • scrolling to the bottom of the website and looking for the link to the ‘Privacy Policy’ or ‘Policies’;
  • scrolling to the bottom of the privacy policy, where you should find the postal address or email address of the Privacy Officer.

If you cannot find the privacy policy, take a note of this fact, as the organisation may have breached its privacy obligations. If you cannot find the privacy officer, then you may wish to look for general contact information or give the organisation a call.

What to include in your email?

Generally, you can ask the organisation for information about the data breach and whether your personal information, including any sensitive information, was affected.

You can also make a complaint about their handling of your personal information.

The definition of personal information may be broader than you think. The definitions of ‘personal information’ and ‘sensitive information’ are set out at the end of this article.

Information that is otherwise ‘deidentified’ may be considered personal information if a person can take simple steps to cross-reference the information.

For example, suppose a clinic lost a file note containing the following information: ‘Individual A is a patient of the Clinic. Individual A loves cats and Individual A attended a Cat Lovers Festival in Sydney on 23 March 2024 and won the “Best Cat Lover Prize”.’

At first blush, it may not seem like personal information because the name is de-identified.

However, if the organisers of the Cat Lovers Festival published on their website that Jane Doe was the winner of the ‘Best Cat Lover Prize’ during the Cat Lovers Festival in Sydney on 23 March 2024, then the file note is likely to contain personal information, even sensitive information, as it reveals that Individual A, or rather Jane Doe:

  • is a current patient of the clinic;
  • may have a health condition that requires treatment;
  • loves cats.

You may wish to reflect on your past interactions with the organisation to help you identify what information the organisation may hold about you. The organisation’s privacy notice or collection notice may set out the categories.

The OAIC has a complaint template that you may wish to use to make your complaint to the organisation. You can find a link to the OAIC’s complaint template here.

STEP 3: Consider further action

Put a 30-day follow-up reminder in your calendar after contacting the organisation.

If you do not receive a response or do not receive a satisfactory response, then you may wish to consider your rights against the organisation to protect your right to privacy.

You can get in contact with our experts to consider your options.

IMPORTANT DISCLAIMER: This article is general legal information and is not intended as legal advice. Please consider your personal circumstances and talk with a lawyer before taking any of the steps mentioned in this article. You should also secure your own devices and systems.

DEFINITIONS

The Privacy Act 1988 (Cth) defines ‘personal information’ as:

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

 (a) whether the information or opinion is true or not; and

 (b) whether the information or opinion is recorded in a material form or not.

The Privacy Act 1988 (Cth) defines ‘sensitive information’ as:

sensitive information means:

(a) information or an opinion about an individual’s:

 (i) racial or ethnic origin; or

 (ii) political opinions; or

 (iii) membership of a political association; or

 (iv) religious beliefs or affiliations; or

 (v) philosophical beliefs; or

 (vi) membership of a professional or trade association; or

 (vii) membership of a trade union; or

 (viii) sexual orientation or practices; or

 (ix) criminal record;

 that is also personal information; or

 (b) health information about an individual; or

 (c) genetic information about an individual that is not otherwise health information; or

 (d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

 (e) biometric templates.
