The Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed by Federal Parliament on 13 February 2017 and received Royal Assent on 22 February 2017. When the Act takes effect it will amend the Privacy Act 1988 (Cth) (Privacy Act) to require entities (both Government and private sector) covered by the Privacy Act to notify any individuals affected by a data breach that is likely to result in serious harm. The Privacy Commissioner is also required to be notified of such breaches and will be given the power to direct a relevant entity to notify individuals about a serious data breach. This legislation reflects a recommendation of the Australian Law Reform Commission (ALRC) in its report 'For Your Information: Australian Privacy Law and Practice' and community concerns regarding the harm that individuals may suffer from data breaches. This legislation also reflects a concern that relevant entities may not always disclose data breaches – though the high number of breaches notified under the existing voluntary notification scheme managed by the Office of the Australian Information Commissioner indicates that this second concern may not be entirely justified. The new regime will commence, at the latest, in February 2018, which provides time for entities subject to the regime to make any changes to their existing procedures to ensure compliance.

For more detailed information on the changes, please see our article 'Having another go: Parliament introduces new data breach notification Bill'.
