This week the Senate passed the Privacy Amendment
(Notifiable Data Breaches) Bill 2016/17 into law. As a result
Australia will have a mandatory data breach notification
The new scheme creates an obligation to report eligible data
breaches relating to personal information held by businesses which
may result in "serious harm" to any individual whose data
has been disclosed. The notification obligation will apply to
government agencies, businesses and not-for-profit organisations
governed by the Privacy Act.
A data breach consists of the unauthorised access to, disclosure
of or loss of personal information (information identifying a
specific person). A data breach can occur online (cyber security
incident) or in a physical sense (documents accessed by a third
party without permission).
Where a business subject to the law suspects that there may have
been a data breach, it is required to carry out a reasonable and
expeditious assessment of whether there are reasonable grounds to
believe that the relevant circumstances amount to an eligible data
breach, which triggers the new notification requirement.
In the new legislation, a data breach triggering the notification
requirement occurs when there is unauthorised access to, disclosure
or loss of personal information, and that access, disclosure or
loss is likely to result in serious harm to any of the individuals
to whom the information relates.
Serious harm is not precisely defined in the legislation.
Whether harm is serious will also depend on a number of factors. Guidance in
the Explanatory Memorandum which accompanies the legislation sets
out that serious harm could include physical, psychological,
emotional, economic or financial harm, as well as harm to
The new law will require organisations that determine they have
had an eligible data breach to report the incident to the
Privacy Commissioner and notify affected persons as soon
as practicable after they become aware of a breach.
The notification obligation will require businesses to issue a
notice that the breach occurred, which must include a description of
the data breach, the kind of information involved, and how
individuals should respond to the data breach.
The legislation does not contain an exact definition of what
actions businesses should recommend that individuals take to
respond to a data breach. Guidance in the Explanatory Memorandum
which accompanies the legislation gives the examples of changing
passwords or cancelling credit cards. We expect further guidance on
these issues over time.
Those that fail to provide the required notifications may be
subject to penalties, including fines.
This will affect many Australian companies, and foreign companies operating in Australia, that interact with Australian data subjects.