What Is a Data Breach? A Guide for Australian Business Owners
A data breach doesn't always mean a hacker. Learn what counts as a data breach under Australian law, and what your obligations are when one occurs.
When most people think of a "data breach," they picture a sophisticated hacker breaking into a large corporation's servers and stealing millions of records. The reality is far more mundane — and far more common. Data breaches happen every day in small businesses across Australia, often due to simple human mistakes rather than technical attacks. Understanding what actually constitutes a data breach under Australian law, and what your obligations are when one occurs, is essential knowledge for any business owner.
What Counts as a Data Breach?
Under the Privacy Act 1988, a data breach occurs when there is:
- Unauthorised access to personal information — someone who shouldn't have access sees, copies, or uses it
- Unauthorised disclosure of personal information — personal information is shared with someone who shouldn't receive it
- Loss of personal information — personal information is lost in circumstances where unauthorised access or disclosure is likely
Notice that "hacking" doesn't appear in that definition. A data breach can result from a cyberattack — but it can equally result from an employee mistake, a process failure, or a physical event. What matters is that personal information ends up somewhere it shouldn't be, or in the hands of someone who shouldn't have it.
Common Causes of Data Breaches in Small Business
The OAIC's quarterly statistics on notifiable data breaches consistently show that human error is the leading cause of breaches for small businesses, not malicious attacks. Common examples include:
Human Error Breaches
- Sending an email to the wrong recipient (especially with a customer list or sensitive attachment)
- CC-ing instead of BCC-ing multiple customers, exposing everyone's email address to each other
- Misdirecting a letter, fax, or courier package containing personal information
- Accidentally publishing information on a website or shared folder that should have been private
- Disposing of physical documents (like paper records or USB drives) without proper destruction
- Misconfiguring a database or cloud storage bucket to be publicly accessible
Malicious or Criminal Attacks
- Phishing attacks that trick staff into revealing credentials, which are then used to access customer data
- Ransomware attacks that encrypt data and may also involve exfiltration (copying your data before encrypting it)
- Direct hacking of internet-facing systems with known vulnerabilities
- Malicious insiders — current or former staff who inappropriately access or take data
- Theft of devices containing unencrypted personal information
System Faults
- Software bugs that expose data unintentionally
- Hardware failures that result in data loss
- Failure of access controls due to a system misconfiguration
What Personal Information Is Covered?
The Privacy Act defines "personal information" broadly: it's information or an opinion about an identified individual, or an individual who is reasonably identifiable — whether true or not, and whether recorded or not. In practice for a small business, this typically includes:
- Customer names, addresses, phone numbers, and email addresses
- Financial information such as bank account details, credit card numbers, or tax file numbers
- Health information (for businesses that collect it, such as medical practices, gyms, or allied health providers)
- Employee records including pay, leave, and performance information
- Passport, licence, or identity document numbers
- Biometric data
Note that "sensitive information" (health information, biometrics, racial or ethnic origin, political or religious beliefs, etc.) attracts a higher level of protection than ordinary personal information, and breaches involving sensitive information are more likely to trigger mandatory notification obligations.
The Notifiable Data Breaches Scheme: When Must You Report?
Not every data breach needs to be formally reported to the OAIC. Under the Notifiable Data Breaches (NDB) scheme, notification is required only for an eligible data breach — one that is likely to result in serious harm to any individual whose information is involved.
"Serious harm" includes physical, psychological, emotional, financial, or reputational harm. The OAIC looks at factors like:
- How sensitive was the information?
- What could someone actually do with it?
- Is the information already publicly available?
- Was it encrypted?
- Is there any evidence of misuse already?
If a data breach is unlikely to cause serious harm — for example, an email sent to the wrong person containing only non-sensitive information, where the recipient quickly deletes it — it may not be a notifiable breach, though it should still be recorded as an incident internally.
If in doubt, consult a privacy lawyer or contact the OAIC for guidance. The OAIC would rather you contact them to clarify than stay silent.
What to Do When a Breach Occurs: A Step-by-Step Guide
Step 1: Contain the Breach
Act immediately to stop the situation getting worse. This might mean revoking compromised account access, recalling a misdirected email (if your email system allows), taking a compromised system offline, or recovering a misdirected physical document.
Step 2: Assess and Document
Document exactly what happened: when, what information was involved, how many people are affected, and what the likely consequences are. This is both practically important and legally required — the NDB scheme gives you 30 days to assess whether a breach is eligible if you're not immediately certain.
Step 3: Notify (If Required)
If you determine an eligible data breach has occurred, notify the OAIC via the Data Breach Notification Form at oaic.gov.au, and notify the affected individuals (or publish a notice on your website if direct notification isn't reasonably practicable). Do this as quickly as possible — delay compounds harm and can itself become a regulatory issue.
Step 4: Recover and Review
Restore normal operations, and then review what happened. What control failed? Was it a human error (suggesting a training need), a process gap (suggesting a policy update), or a technical failure (suggesting a system change)? Document your findings and implement improvements.
You can also call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371) for guidance on technical incidents.
Record-Keeping for Breaches You Don't Need to Report
Even for incidents that don't meet the threshold for mandatory notification, you should keep an internal record. This serves several purposes: it helps you identify patterns (are the same types of errors recurring?), it demonstrates to regulators that you're taking your obligations seriously, and it provides evidence of your reasonable steps to protect data if a complaint is ever made against you.
Key Takeaways
- A data breach under Australian law is any unauthorised access to, disclosure of, or loss of personal information — not just hacking.
- Human error (wrong email recipient, misdirected documents, misconfigured storage) is the most common cause of breaches for small businesses.
- Not all breaches trigger mandatory notification — only those likely to cause serious harm to individuals are "eligible" breaches under the NDB scheme.
- When a breach occurs: contain it, assess and document it, notify the OAIC and affected individuals if required, and then review and improve your processes.
- Keep internal records of all incidents, including those below the notification threshold.
- Call 1300 CYBER1 for free guidance on cyber incidents.
Preventing data breaches starts with understanding your vulnerabilities. The free assessment at flagged.com.au helps Australian business owners identify the specific gaps in their data handling and security practices that are most likely to lead to a breach — before one happens.