For the public
If you think an IPP entity has had an information breach you should contact the IPP entity directly.
For IPP entities
Before 1 January 2027
The notifiable information breach provisions of the PRIS Act have not yet commenced. IPP entities are not yet required to report an actual or suspected information breach to the Information Commissioner.
However, the Information Commissioner welcomes IPP entities reporting actual or suspected information breaches prior to the commencement of the provisions.
After 1 January 2027
The notifiable information breach provisions will commence on 1 January 2027.
IPP entities must prepare and maintain an information breach policy.
IPP entities are required to contain, mitigate and assess a notifiable information breach.
If an assessed notifiable information breach has occurred, the IPP entity must inform the Commissioner and affected individuals as soon as practicable.
IPP entities must also create and maintain a register of breaches.
An IPP entity is required to include information in its annual report in relation to each assessed notifiable information breach.
For exemptions to this, please refer to Part 2, Division 6 of the PRIS Act.
Print this page
