Data breaches in the private and Government sectors are presently the subject of a great deal of media attention. It is timely, therefore, that the Government is planning to ramp up its amendments to the Commonwealth Privacy legislation.

At the end of May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 was introduced to Parliament. The Bill, if passed, will take effect from March 2014 and will impose a notification obligation on companies where there is a serious data breach. A serious data breach could arise, for example, where there is theft of storage devices, laptops or paper records, the hacking of personal information databases or the incorrect disposal of personal information in a non-secure waste collection process.

Currently, where there is a 'real risk of serious harm' from a data breach, companies should notify the Office of the Australian Information Commissioner (OAIC). Many companies have been following this procedure for some time now. However, the reporting has always been voluntary. The proposed legislation will make notification mandatory, with potentially serious consequences for failing to do so.

The OAIC has been pushing for these changes for over six years now. It believes that notification has many advantages, including allowing individuals to regain control over their personal information (for example, by changing passwords quickly after a breach) and rebuilding public trust (for example, by showing that the company will work to assist an individual in the event of a breach).

Notification would be mandatory where:

  • Personal, credit or tax file information has been subject to unauthorised access or disclosure, and
  • It is believed, on reasonable grounds, that the breach is serious because it will result in a real risk of serious harm to the individual (a real risk is defined as a risk that is not remote, and harm includes psychological, physical, reputational, economic or financial harm).

Failure to notify could result in the entity being required to apologise, pay compensation or take (or refrain from taking) certain action. Repeated serious data breaches will attract civil penalty provisions.

Certain companies will be able to apply to the OAIC for exemption from notifying such individuals but only where it is in the public interest to do so.

As we approach March 2014, companies will need to review their privacy practices and procedures to minimise the risk of data breaches. The OAIC will be producing standard documentation to assist them, but companies may require legal assistance to ensure compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Kott Gunning is a proud member of