The Privacy Act 1988 regulates how personal information is managed. Its 13 Australian Privacy Principles (APPs) underpin how organisations regulated by the Privacy Act handle personal information, including keeping it secure.
Guidelines for these APPs are issued by the Office of the Australian Information Commissioner (OAIC) and set out the mandatory requirements organisations need to comply with in order to fulfil their obligations under the Privacy Act.
The APP guidelines set out that an organisation is required to take reasonable steps to ensure the security of personal information it holds, with APP 11 requiring organisations to take active measures to protect personal information from:
misuse, interference and loss
unauthorised access, modification or disclosure
Non-compliance with the APPs can lead to the OAIC taking action against organisations for breaches of the Act, which can result in financial penalties being imposed.
Currently the Privacy Act and the APP guidelines do not provide for mandatory reporting of a data breach, either to the OAIC or to the affected person/s. While the OAIC encourages notification of a data breach "as part of good privacy practice," there is currently no compliance requirement to notify the OAIC or potentially affected individuals of a breach or suspected data breach.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 amends the Privacy Act 1988 to introduce mandatory data breach notification provisions in the event of actual or possible unauthorised access to, or disclosure of, an individual's personal information. The Bill's provisions warrant detailed analysis, but it is worth noting in short that an important criterion for the reporting requirement is that serious harm to the affected individuals is likely to result from the breach.
The practical application of this "serious harm" threshold is likely to raise a good many complications, and the passage of the Bill should therefore be on the watch list of every potentially affected organisation.
The Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Data Breach Bill) on 13 February 2017.