Privacy compliance will become significantly more important for
all companies in Australia as the government enacted its mandatory
data breach notification regime on Monday. This means if you have
compromised someone's personal information, you now have to
tell them. Before the legislation, you did not have to inform
affected people. Given the dramatic rise in data breaches from
hacking or poor systems/processes, companies will need to be
significantly more vigilant about their data management and breach
reporting practices. We have fixed-price compliance packages which
can help – see below for more information.
The new obligations
In a relatively swift conclusion to a long-running saga, the
Privacy Amendment (Notifiable Data Breaches) Bill 2016
passed through the Senate on 13 February 2017. The Bill
introduces a requirement for private sector organisations that
suffer a sufficiently serious data breach to notify affected
individuals and the Privacy Commissioner of the occurrence of that
In line with the general provisions of the Privacy Act 1988
(Cth), the mandatory data breach obligations will apply to all
organisations with an annual turnover of A$3,000,000 or more. As
discussed in our previous
legal update, the Bill will mean that these organisations will
need to be prepared to respond to a data breach, including to
assess whether an eligible data breach has occurred and to promptly
comply with their notification obligations if necessary.
What do I have to do and when?
The next step is for the Bill to receive Royal Assent from the
Governor-General. The date that the Bill receives Royal Assent is
important, as amendments set out in the Bill will come into effect
12 months after the date of Royal Assent. The giving of Royal
Assent is typically a formality, so we expect that this will occur
in the near future. This means the clock has begun ticking for
organisations to start preparing to comply with these obligations
and commence the process of putting a plan in place to assess and
respond to any data breach that might occur.
How we can help
We have three fixed-price packages that can assist you to
Mandatory Data Breach Reporting Package ($5000
+ GST). This package includes our Data Breach Reporting Manual,
template Incident Response Plan, Emergency Checklist, template
Notification Letters and one hour of a privacy lawyer's
Vendor Data Management Package ($4000 + GST).
Many data breaches occur because vendors expose your data in some
way. It is critical to have strong contractual data management
provisions in place with any vendors who handle personal
information for you. This package includes a detailed Data Security
Schedule for Vendor Agreements (annotated), Negotiation Playbook,
FAQs and one hour of a privacy lawyer's time.
General Privacy Compliance Manual ($3000 +
GST). This package includes a detailed Privacy Compliance Manual,
of a privacy lawyer's time.
In addition we can do a data breach simulation exercise with
your organisation to stress test how ready you are to comply with
the new laws.