The new Notifiable Data Breach laws come into effect on 22 February. Outlined below are some tips to help get you up to speed.

  1. Are you complying with your current obligations as set out in the Australian Privacy Principles (APPs)?

The APPs are:

APP 1 – open and transparent management of personal information
APP 2 – anonymity and pseudonymity
APP 3 – collection of solicited personal information
APP 4 – dealing with unsolicited personal information
APP 5 – notification of the collection of personal information
APP 6 – use or disclosure of personal information
APP 7 – direct marketing
APP 8 – cross-border disclosure of personal information
APP 9 – adoption, use or disclosure of government related identifiers
APP 10 – quality of personal information
APP 11 – security of personal information
APP 12 – access to personal information
APP 13 – correction of personal information
  1. Review your Privacy Policy
  • Do you do what it says?
  • Does it say what you do?
  • Align what is said and done to the APP obligations above.
  1. Assemble your breach team
  • Who in your organisation is responsible for privacy?
  • When a crisis hits does everyone know their role and responsibilities?
  1. Create an incident assessment plan

Create an incident assessment plan to meet the 30-day legal obligation once a "suspected breach" has occurred.

  • How are incidents logged?
  • Who leads investigations?
  • What are reporting times and format?
  • Who makes the assessment?
  • Do you need external input/sign off?

Once the incident is assessed make a decision – is notification required?

  1. Prepare to notify

If the assessment results in finding an eligible breach has occurred then you need to move to notify the regulator and affected individuals:

  • Where is the breach response plan?
  • What pre-planned steps are in place? eg. communication channels, messaging to different stakeholders, microsites and basic FAQs.
  • Assemble the team and execute the plan.

Our data and privacy team can assist you with advice and necessary documentation for all of the above steps.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.