Breach Notification Summary

Last Updated: 11 March 2026 | Version 1.0

This summary outlines Sentine's approach to identifying and managing a data breach and notifying the affected parties, in compliance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

1. What Constitutes an Eligible Data Breach?

An eligible data breach occurs when:

  1. There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by Sentine; AND
  2. This is likely to result in serious harm to any of the individuals to whom the information relates; AND
  3. Sentine has not been able to prevent the likely risk of serious harm with remedial action.

2. Our Incident Response Process

If a potential data breach is detected, Sentine immediately activates its internal Incident Response Plan:

  • Containment: Step one is always to secure the systems and contain the breach to prevent further unauthorised access or loss.
  • Assessment: We conduct a rapid forensic assessment to determine the scope of the breach, the type of data involved, and the root cause. Under the NDB scheme, we must complete this assessment within 30 days, but we aim to do so much faster.
  • Remediation: We take immediate remedial action to mitigate vulnerabilities and reduce the likelihood of serious harm to individuals.
  • Incident Response Team: Sentine maintains a dedicated Incident Response Team comprising senior engineering, security, and legal personnel. The team is activated immediately upon detection of a suspected breach.
  • Root Cause Analysis: Following containment and remediation, Sentine conducts a thorough root cause analysis to identify the underlying cause of the breach and prevent recurrence.
  • Preventive Measures: Findings from the root cause analysis are incorporated into updated security controls, processes, and staff training. A post-incident report is prepared and made available to affected Firms upon request.

3. Notification to Subscribing Firms (Data Controllers)

Sentine acts primarily as a Data Processor on behalf of the Firm (the Data Controller). If Sentine determines that an eligible data breach has occurred affecting a Firm's tenant data:

  • We will notify the designated Administrator/AMLCO of the affected Firm(s) without undue delay, and no later than 72 hours after confirming the breach.
  • Our notification to the Firm will include:
    • A description of the data breach.
    • The type of information involved (e.g., identity documents, contact details, system logs).
    • Recommended steps the Firm should take in response.
    • Sentine's contact details for further coordination.

4. Notification to the OAIC and Individuals

Under the NDB scheme, if an eligible data breach occurs involving data jointly held by Sentine (the processor) and the Firm (the controller), only one entity needs to formally notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals.

  • Primary Responsibility: Sentine expects the Firm, as the Data Controller managing the direct relationship with the end client, to take the lead in notifying the OAIC and the affected individuals to whom the data relates.
  • Cooperation: Sentine will fully cooperate with the Firm, providing all necessary technical data, forensic reports, and assistance required to allow the Firm to fulfil its statutory notification obligations.

4A. Sentine's Independent NDB Obligations

In addition to its obligations as a Data Processor on behalf of Firms, Sentine independently holds certain personal information (e.g., subscriber contact details, billing information, support correspondence). If an eligible data breach affects this independently held data, Sentine will directly comply with its own obligations under the NDB scheme, including notifying the OAIC and affected individuals as required by law.

5. Contact

If a Firm suspects a data breach or anomalous activity within their Sentine tenant, they must immediately report it to security@sentine.com.au.