On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of "eligible" data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which was passed by the House of Representatives the previous week, amends Australia's Privacy Act 1988 and is slated to take effect on February 22, 2018 if no earlier date is proclaimed.

The new law introduces a data breach notification scheme that obligates all agencies and businesses that are regulated by the Privacy Act to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of certain data breaches that are "likely" to result in

An explanatory memorandum accompanying the law indicates that "serious harm" is "likely" if it is more probable than not, and lists factors to consider when making the determination, such as the sensitivity of the information involved, whether the information was protected, who may have obtained the information, and the nature of the harm that could result. Although "serious harm" is not defined, the explanatory memorandum states that serious physical, psychological, emotional, economic, reputational or financial harm may qualify, as well as other types of serious harm that reasonably could result from the breach.

A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act may result in a fine of up to AU$360,000 (about US$274,560) for individuals or AU$1.8 million (about US$1.37 million) for organizations.

Prior to the passage of this bill, the OAIC had a voluntary breach notification system in place and had published a best practice guide that will be updated prior to implementation of the mandatory notification requirement. According to a statement issued by Australian Privacy and Information Commissioner Timothy Pilgrim, from 2015 to 2016 the OAIC received 107 voluntary data breach notifications.