There have been multiple instances of incomplete notifications of data breaches where entities may not have fully met their obligations with regard to the content of the notification to individuals affected by a data breach.
For example, while entities notified affected individuals that their email addresses were involved in a data breach, on some occasions they did not advise that other personal information was also involved. This included personal information contained as attachments to emails received and sent from the compromised account, or in the cloud storage associated with the account.
Multiple notifications failed to include recommendations about the steps that individuals should take in response to the breach.
In these cases, the OAIC required the entity to re-issue the notification to include all the kinds of personal information that was involved, and provide the practical advice required to help individuals reduce the risk of harm.