Data Breach Register
Keep a record of every breach or suspected breach, even those you decide are not notifiable. Copy the block below for each incident.
Incident record
- Reference: [for example BR-2026-001]
- Date and time discovered: [__________]
- Reported by: [name and role]
- What happened: [short description, for example: laptop lost, email sent to wrong recipient]
- Personal data involved: [categories, for example names, contact details, health data]
- Number of people affected: [estimate]
- Was sensitive data involved? [yes / no]
Assessment
- Risk to the people affected: [low / medium / high, with a sentence why]
- Containment actions taken: [for example access disabled, device recovered]
- Is it notifiable? [yes / no, with reasoning]
- Commissioner notified? [yes / no, date]
- Affected individuals notified? [yes / no, date]
Follow-up
- Root cause: [what allowed this to happen]
- Changes made: [what you fixed to prevent recurrence]
- Closed by: [name] on [date]
Watch out. Start this record as soon as you discover an incident. Do not wait
until it is resolved. Accurate, contemporaneous notes matter.
Legal note. This is a general template, not legal advice. Confirm the notification
threshold and timeframe against the Act and current OIC guidance.
