The Australian Senate this week passed new laws that
will require businesses and government agencies to notify the
Privacy Commissioner and customers if they have experienced a data
breach. A copy of the Bill can be found at the following link:
A data breach arises where there has been unauthorised access
to, or unauthorised disclosure of, personal information about one
or more individuals, or where such information is lost in
circumstances that are likely to give rise to unauthorised access
or unauthorised disclosure.
As to the level of harm that brings a data breach within the scope of the new legislation: a data breach is an "eligible data breach" where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
The Memorandum accompanying the Bill states:
"It would not be appropriate for minor breaches to be notified, because of the administrative burden that may place on entities, the risk of 'notification fatigue' on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation."
The Memorandum goes on to explore "serious harm":
"Serious harm, in this context, could include serious
physical, psychological, emotional, economic and financial harm, as
well as serious harm to reputation and other forms of serious harm
that a reasonable person in the entity's position would
identify as a possible outcome of the data breach. Though
individuals may be distressed or otherwise upset at an unauthorised
access to or unauthorised disclosure or loss of their personal
information, this would not itself be sufficient to require
notification unless a reasonable person in the entity's
position would consider that the likely consequences for those
individuals would constitute a form of serious harm."
If an organisation has taken remedial action after a breach such that the incident is unlikely to result in serious harm to affected individuals, it will not be required to report the incident.
Organisations may need to get legal advice to assist in making
judgments as to a "likely risk of serious harm" under the
new provisions in circumstances where they have been subject to a
Under the new laws organisations must notify the Privacy
Commissioner and affected customers "as soon as
practicable" after becoming aware that a data breach has
Organisations should seek advice on the content and
communication strategy for notifications to the Privacy
Commissioner and affected customers.
The new laws will commence on a date to be fixed over the next
Small business exception
Australian privacy legislation has a small business exception that in practice exempts many Australian businesses from the need to comply with these laws. The laws cover most Australian Government agencies and all private sector and not-for-profit organisations with an annual turnover of more than AU$3
Consequences of breach of the new legislation:
Initially, the Privacy Commissioner can issue a written direction requiring an organisation to notify a breach if the Commissioner becomes aware that one has occurred.
The Commissioner may otherwise investigate any interference with
the privacy of an individual, whether as a result of a complaint or
on his own initiative. After investigating, the Commissioner may
make a determination requiring the organisation to take certain
steps. The Commissioner may commence court proceedings to enforce
The Privacy Commissioner may apply to the Federal Court or
Federal Circuit Court for a civil penalty order against an
organisation of up to $1.8 million where it finds a serious or
repeated interference with privacy.
Mark Vincent is a Principal of Shelston IP Lawyers and advises
clients on privacy law and data breach responses. Mark is a
Committee Member on the international INTA Data Protection
Committee for 2017 and 2018.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
For the many medium and large sized businesses that the mandatory notification affects, advance preparation will be key.