Templates and checklists

Template · Breach

Data Breach Register Template

A simple register to record every data breach or suspected breach, your assessment, and the action you took.

Editable text
This is a general starting template, not legal advice. Adapt it to your business and have it reviewed before you rely on it. Text in square brackets is for you to complete.

Data Breach Register

Keep a record of every breach or suspected breach, even those you decide are not notifiable. Copy the block below for each incident.

Incident record

  • Reference: [for example BR-2026-001]
  • Date and time discovered: [__________]
  • Reported by: [name and role]
  • What happened: [short description, for example: laptop lost, email sent to wrong recipient]
  • Personal data involved: [categories, for example names, contact details, health data]
  • Number of people affected: [estimate]
  • Was sensitive data involved? [yes / no]

Assessment

  • Risk to the people affected: [low / medium / high, with a sentence why]
  • Containment actions taken: [for example access disabled, device recovered]
  • Is it notifiable? [yes / no, with reasoning]
  • Commissioner notified? [yes / no, date]
  • Affected individuals notified? [yes / no, date]

Follow-up

  • Root cause: [what allowed this to happen]
  • Changes made: [what you fixed to prevent recurrence]
  • Closed by: [name] on [date]
Watch out. Start this record as soon as you discover an incident. Do not wait

until it is resolved. Accurate, contemporaneous notes matter.

Legal note. This is a general template, not legal advice. Confirm the notification

threshold and timeframe against the Act and current OIC guidance.