You do not have to report all data breaches. The Privacy Act requires organizations to report a data breach to the AP, unless the data breach is unlikely to pose a risk to "the rights and freedoms of data subjects." You only inform those affected if there is a high risk.
You do not need to report the data breach to the AP or data subjects in the following cases.
1. Advance measures
You took appropriate measures before the data breach occurred. As a result, the leaked personal data are unintelligible to unauthorized persons. For example, because the data is properly encrypted or replaced by a hash value.
Note: This exception applies only if:
the data are still fully intact;
you still have full control over the data;
the key used for encryption or hashing has not been compromised in the data breach, and cannot be recovered by unauthorized persons even with the available technology.
2. The incorrect recipient is reliable
Was the personal data sent to an incorrect but reliable recipient? If so, this may mean that the data breach is no longer likely to pose a risk. So in that case, you do not need to report the data breach to the AP or the affected individuals.
If you do not have to report a data breach to the AP, you also do not have to report it to the affected individuals. Furthermore, you also do not have to report the data breach to the affected persons in the following cases:
1. Subsequent measures
You took measures immediately after the data breach occurred. As a result, the high risk to the rights and freedoms of data subjects is unlikely to recur. For example, if you immediately identified the person who accessed the personal data and took action before that person could do anything with the personal data.
2. Exceptions UAVG
In addition, the General Data Protection Regulation Implementation Act (UAVG) lists a number of cases in which you may omit reporting to data subjects:
When necessary and proportionate to safeguard a compelling interest, such as national or public security, or the protection of the privacy of others. For example, when children have made a request for help without their parents' knowledge.
Is your organization a financial enterprise as referred to in the Financial Supervision Act (Wft)? Then the duty to report to the persons concerned does not apply to you. However, the duty to report to the AP does apply.
Would informing data subjects individually require a disproportionate effort? For example, because you lost the data subjects' contact information due to the data breach?
Then you may also inform data subjects with a public notice or a similar measure that informs them equally effectively.