The Office of the Australian Information Commissioner (OAIC) has published a revised guide to handling personal information security breaches.

Although the Privacy Act does not impose a mandatory obligation to notify the Privacy Commissioner (now part of the OAIC) and affected individuals in the event of a data breach that could give rise to a ‘real risk of serious harm’ to the affected individuals, the OAIC’s guide is intended to support and encourage organisations to voluntarily put in place reasonable measures to deal with data breaches (including notification of affected individuals and the OAIC), while legislative change is considered by the Government.

The guide sets out a risk analysis guide to help determining if and when notification is an appropriate response.