Free data breach policy templates (Australia)

Make sure your business complies with data protection law with a data breach policy.

We’re reader-supported and may be paid when you visit links to partner sites. We don’t compare all products in the market, but we’re working on it!

Australian legislation requires that a business notifies the Australian regulator and the individuals whose data is compromised if it suffers a data breach. Here's our guide to composing a policy that complies with the law and protects the data your company holds.

What is a data breach policy?

A data breach notification policy in Australia sets out how a business responds to unauthorised access, distribution or loss of personal information that it holds. If the company is governed by the Privacy Act 1988, it is required under the data breach notification scheme that came into effect in 2018 to report any breach of data security that could result in personal harm to the Office of the Australian Information Commissioner (OAIC) as well as the individuals affected.

According to the OAIC, the policy should outline your company's strategy for containing, assessing and managing the incident from start to finish. The policy applies to all employees, contractors and any third party that collects or manages personal data on behalf of the business.

If your company operates or holds data on customers in the European Union, it has additional reporting obligations under the European General Data Protection Regulation (GDPR) law.

data breach policy template from Lawpath

Download this template at Lawpath

When should I use a data breach policy?

A company that collects and stores personal information, such as addresses and credit card numbers of customers, should have a written policy in place so that if the security of the data is compromised it can investigate and respond immediately, as required by the law.

You should regularly test and review your company's data breach response plan – especially when launching new products or services that involve collecting data – to make sure that the procedures in place are fit for purpose. New employees should be made aware of the policy and all employees that should be involved in a response should have easy access to the document for reference.

Data breach policy vs privacy policy

A privacy policy covers how a company handles the personal information it stores, while a data breach notification policy specifically details the company's plan for how it will respond if the security of the data is compromised.

What does a data breach policy include and not include?

A data breach policy sets out the responsibilities of specific employees in managing a data breach. It details the steps the company will take to respond to a breach and the obligations it has to report the breach.

What is included in a data breach policy?

An effective policy includes a comprehensive plan to reduce the risk of damage to the company's operations and reputation. It should:

  • Clearly define what constitutes a data breach, with relevant examples
  • Designate a response team and explain when a breach should be escalated to upper management
  • Set out how a breach should be assessed
  • Detail the strategy for containing and repairing the breach
  • Set out how the company will meet legislative or contractual requirements
  • Explain how individuals will be notified that their data has been compromised
  • Outline a communications strategy for informing the media, law enforcement and other external parties
  • Detail how the incident should be documented
  • Specify how the company should review the incident to improve its data security plan in future

What is not included in a data breach policy?

The policy document should not include legal jargon or confusing instructions. It should contain detailed information about the company's data security procedures, but it should not include confidential information about the security systems, such as passwords.

How effective is a data breach policy?

A rapid and comprehensive data breach notification policy is effective in making sure that a company complies with its legal obligations. By responding immediately and reducing the impact of the breach, a company can reduce the costs involved and minimise the impact on its reputation.

Do I need a lawyer for a data breach policy?

You can find resources online to help you write a data breach policy. However, given the serious impact a data breach can have on a company's reputation and finances, it is advisable to have a data protection lawyer review your policy document, or have them draft it for you.

Name Product Legal document services available Free legal documents available? Other legal services offered Price Document library size
Customisable document templates
You can view samples for free and you can create your first document for free.
Online document eSignatures, lawyer marketplace, on-demand legal advice, business setup services
$288 per year for unlimited documents
Customise and download up to 300 legal documents for business or personal matters. Plus register a company, business name or ABN.
Customisable document templates
Free one week trial available which gives access to hundreds of documents.
Free legal articles and resources
$59.88 per year for unlimited documents or one-off documents available for $9.50 - $49
Customise and download legal documents in as little as five minutes. Plus, LawDepot offers peace of mind with two service guarantees.
Customisable document templates
Custom legal services available, free law change updates via email, legal packages for various professions
Individual templates start from $59 + GST
Legal123 offers a range of individual templates or document packages for consultants, app developers, personal trainers and more.
Customisable document templates & professionally drafted documents
Legal advice phone consultations, contract reviewing and amendments, trade mark applications, business structure assistance.
From $49 + GST per week for access to 40+ legal templates
Take advantage of unlimited legal advice consultations, free legal templates and fast turnaround times for legal projects with LegalVision membership.

Compare up to 4 providers

How do I write a data breach policy?

A data breach policy should be written in clear language that provides detailed instructions, so employees understand their roles. It should be structured with subheadings, bullet points and numbered lists so it is easy to read and reference quickly in the event that there is a data breach.

  • Lawpath. Lawpath is an online legal resource for small businesses and entrepreneurs. You can find free samples of a range of documents, including a data breach policy, but you need to sign up for an account to download and customise the file.
  • The Fold Legal. The Fold is a law firm that provides a range of document templates that can be purchased for a one-time fee. You can download a data breach policy template for $190.
  • Sentrient. Sentrient is a workplace compliance company that offers a range of policy templates in its online human resource management system. You need to register for a free trial to access the documents.Salinger Privacy.
  • Salinger Privacy provides consulting and training services focused on compliance with Australian and EU privacy law. Its Compliance Kit includes a data breach policy template in its $2,000 comprehensive kit or $2,999 premium kit.

More guides on Finder

Ask an Expert

You are about to post a question on

  • Do not enter personal information (eg. surname, phone number, bank details) as your question will be made public
  • is a financial comparison and information service, not a bank or product provider
  • We cannot provide you with personal advice or recommendations
  • Your answer might already be waiting – check previous questions below to see if yours has already been asked

Finder only provides general advice and factual information, so consider your own circumstances, or seek advice before you decide to act on our content. By submitting a question, you're accepting our Terms of Use, Disclaimer & Privacy Policy and Privacy & Cookies Policy.
Go to site