Notifiable data breaches regime kicks in

Data breaches must be reported by companies with at least $3 million in annual turnover under new regulations that took effect last Thursday.

Such businesses must inform affected individuals if a breach is likely to result in serious harm and notify the Office of the Australian Information Commissioner, which oversees the Notifiable Data Breaches scheme.

The scheme also applies to most government agencies and non-profit bodies.

Organisations must carry out “objective assessments” to determine if breaches are likely to result in serious harm.

An eligible breach arises when there is unauthorised access to, unauthorised disclosure of, or a loss of personal information; serious harm to one or more individuals is likely; and the entity has not prevented the likely risk of serious harm.

See ANALYSIS.