Third party Data Breach 104-19010804
This document outlines the process for staff when identifying and escalating a third party Data Breach.
Third party Data Breach and Services Australia protocols
A data breach typically occurs when personal information an organisation or agency holds is lost or subject to unauthorised access or disclosure. For example, when:
- a device with a customer's personal information is lost or stolen
- a database with personal information is hacked
- personal information is mistakenly given to the wrong person
Data Breaches can be caused by (but are not limited to):
- malicious actions (external or internal party to the organisation)
- human error
- a failure in information handling or security systems
The obligation to report data breaches depends on various factors. For instance, the notifiable data breach scheme applies to organisations covered under the Privacy Act 1988. The scheme does not necessarily apply to state and territory agencies. The Resources page has a link to the scheme.
Although third party data breaches occur external to Services Australia, the information the third party holds can relate to our payments and services, for example, Medicare and Health or Centrelink related information. This, along with other personal information the customer provided to the third party, may increase the risk of identity fraud, particularly if the data breach is the result of malicious actions.
Data breaches within Services Australia (not a third party Data Breach) are the responsibility of the Legal Services Division. For more information, see Privacy incidents.
Reporting third party Data Breaches
If a customer has become a victim of a third party data breach and their personal information has been stolen/lost, refer the customer to the Scams and Identity Theft helpdesk. Staff can provide the number to customers if they do not wish to be transferred immediately.
The Helpdesk plays an important role in supporting customers whose personal information was subject to a third party data breach and is being misused (or is at risk of misuse) to commit fraud against the agency or in the community.
The Resources page contains links and contact details for the Office of the Australian Information Commissioner (OAIC), Identity Security Section and the Scams and Identity Theft Helpdesk.