Data breaches in the private and Government sectors are
presently the subject of a great deal of media attention. It is
timely, therefore, that the Government is pressing ahead with its
amendments to the Commonwealth privacy legislation.
At the end of May 2013, the Privacy Amendment (Privacy
Alerts) Bill 2013 was introduced to Parliament. The Bill, if
passed, will take effect from March 2014 and will impose a
notification obligation on companies where there is a serious data
breach. A serious data breach could arise, for example, where there
is theft of storage devices, laptops or paper records, the hacking
of personal information databases or the incorrect disposal of
personal information in a non-secure waste collection process.
Currently, where there is a 'real risk of serious harm'
from a data breach, companies should notify the Office of
the Australian Information Commissioner (OAIC). Many companies have
been following this procedure for some time now. However, the
reporting has always been voluntary. The proposed legislation will
make notification mandatory, with potentially serious
consequences for failing to do so.
The OAIC has been pushing for these changes for more than six
years. It believes that notification has many advantages, including
the regaining of control over personal information (for example, by
changing passwords quickly after a breach) and the rebuilding of
public trust (for example, by showing that the company will work to
assist an individual in the event of a breach).
Notification would be mandatory where:
personal, credit or tax file number information has been subject to
unauthorised access or disclosure, and
it is believed, on reasonable grounds, that the breach is
serious because it will result in a real risk of serious harm to
the individual (a real risk is defined as a risk that is
not remote, and harm includes psychological, physical,
reputational, economic and financial harm).
Failure to notify could result in the entity being required to
apologise, pay compensation or take (or refrain from taking)
certain action. Repeated serious data breaches will attract civil
Certain companies will be able to apply to the OAIC for an
exemption from notifying affected individuals, but only where it is
in the public interest to do so.
As we approach March 2014, companies will need to review their
privacy practices and procedures to minimise the risk of data
breaches. The OAIC will be producing standard documentation to
assist them but companies may require legal assistance to ensure
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Kott Gunning is a proud member of