Skip to content

Breach Notification Summary

Last Updated: 19 May 2026 | Version 2.0

This summary outlines duely's approach to identifying, managing, and notifying affected parties of a data breach, in compliance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

1. What Constitutes an Eligible Data Breach?

An eligible data breach occurs when:

  1. there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by duely; AND
  2. it is likely to result in serious harm to any of the individuals to whom the information relates; AND
  3. duely has not been able to prevent the likely risk of serious harm with remedial action.

2. Our Incident Response Process

If a potential data breach is detected, duely activates its internal Incident Response Plan:

  • Containment. Step one is to secure the systems and contain the breach to prevent further unauthorised access or loss.
  • Assessment. We conduct a forensic assessment to determine the scope of the breach, the type of data involved, and the root cause. Under the NDB scheme, we must complete this assessment within 30 days, and we aim to do so faster.
  • Remediation. We take immediate remedial action to mitigate vulnerabilities and reduce the likelihood of serious harm to individuals.
  • Incident Response Team. duely maintains an Incident Response Team comprising engineering, security, and legal personnel. The team is activated on detection of a suspected breach.
  • Root cause analysis. Following containment and remediation, duely conducts a root cause analysis to identify the underlying cause and prevent recurrence.
  • Preventive measures. Findings from the root cause analysis are incorporated into updated security controls, processes, and staff training. A post-incident report is prepared and made available to affected Firms on request.

3. Notification to Subscribing Firms (Data Controllers)

duely acts primarily as a Data Processor on behalf of the Firm (the Data Controller). If duely determines that an eligible data breach has occurred affecting a Firm's tenant data:

  • we will notify the designated Administrator / AMLCO of the affected Firm(s) without undue delay, and no later than 72 hours after confirming the breach;
  • our notification to the Firm will include:
    • a description of the data breach;
    • the type of information involved (for example, identity documents, contact details, system logs);
    • recommended steps the Firm should take in response; and
    • duely's contact details for further coordination.

4. Notification to the OAIC and Individuals

Under the NDB scheme, where an eligible data breach involves data jointly held by duely (the processor) and the Firm (the controller), only one entity needs to formally notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals.

  • Primary responsibility. duely expects the Firm, as the Data Controller managing the direct relationship with the end client, to take the lead in notifying the OAIC and the affected individuals.
  • Cooperation. duely will cooperate with the Firm and provide technical data, forensic reports, and assistance to allow the Firm to fulfil its statutory notification obligations.

4A. duely's Independent NDB Obligations

In addition to its obligations as a Data Processor on behalf of Firms, duely independently holds certain personal information (for example, subscriber contact details, billing information, and support correspondence). If an eligible data breach affects this independently held data, duely will directly comply with its own obligations under the NDB scheme, including notifying the OAIC and affected individuals as required by law.

5. Contact

If a Firm suspects a data breach or anomalous activity within their duely tenant, they must immediately report it to security@duely.com.au.