If you store personal information of any kind you have strict
obligations under the Privacy Act not to disclose that
information to third parties. Systems, however, can be
New mandatory data breach notification requirements have been
passed that mean that from the 22nd February 2018 there
is a formal legal requirement to provide notice of any serious
breach to affected individuals and the Privacy Commissioner.
Do All Data Breaches Require Notification?
Not all data breaches will require notification. In order to
trigger the notification requirement, a reasonable person would need
to conclude that there has been unauthorised access to,
unauthorised disclosure of, or loss of, personal information held
by the entity, and this would likely result in serious harm being
caused to any of the individuals to whom the information
Serious harm, in this context, could include serious physical,
psychological, emotional, economic and financial harm, as well as
serious harm to reputation and other forms of serious harm that a
reasonable person in the entity's position would identify as a
possible outcome of the data breach.
In deciding whether a breach 'will likely result in
serious harm', entities are required to have regard to a
list of relevant matters outlined in section 26WA. Such matters
include the kind of information leaked, the sensitivity of the
information, the kind of persons who may have obtained the
information and whether the information has been otherwise
Without limiting the effect of the Act, things like credit card
or account details and medical information are likely to give rise
to the risk of harm.
If you believe there are reasonable grounds to suspect there may
have been an eligible data breach, then you must carry out an
expeditious and reasonable assessment within 30 days. If such a
breach is found to have occurred then, unless an exception applies,
you must as soon as reasonably practicable prepare a statement to
give to the Commissioner, and must take all reasonable steps to
notify each of the individuals whose information has been
What Are The Penalties For Non-Compliance?
Fines for breaches of the Act can be significant. Failure to
comply with the requirement to notify will be deemed to be a
serious interference with the privacy of an individual for the
purposes of section 13G of the Privacy Act. The penalties for
seriously interfering with the privacy of an individual are
Up to $360,000 for an individual
Up to $1.8 million for a body corporate
Parliament has recently proposed that this be increased to
the following from 1 July 2017:
Proposed Penalty from 1 July
Up to $420,000 for an individual
Up to $2.1 million for a body corporate
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
It will soon be mandatory to notify the OAIC and any potentially affected individuals of an "eligible data breach".