On Thursday 22 February 2018 the Notifiable Data Breaches Scheme (NDB Scheme) commenced. Businesses subject to the Privacy Act 1988 (Cth) (Privacy Act) are now obligated to report and notify the Office of the Australian Information Commissioner if a data breach occurs.

Entities affected by the changes should urgently review their existing cybersecurity arrangements and, if one is not already in place, implement a cybersecurity policy that deals with the obligations arising under the new law. This should include a method to clearly identify what personal or other information is held, and should address the implementation of risk management policies and procedures to be followed in the event of an eligible data breach (as defined in the Act).

The mandatory data breach notification scheme will apply to all entities which currently have obligations under the Privacy Act. This includes Commonwealth Government Agencies, private sector businesses and not-for-profit organisations with an annual turnover of more than $3 million, entities which are holders of tax file information (known as file number recipients under the Privacy Act), certain credit providers and credit reporting bodies and other specified entities.

Eligible data breaches

The new laws apply in the event of an “eligible data breach”. An eligible data breach will have occurred where the information is personal information or other regulated information under the Privacy Act and:

  1. Both of the following conditions are satisfied:
    1. there is unauthorised access to, or unauthorised disclosure of, the information;
    2. a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
  2. the information is lost in circumstances where
    1. unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
    2. assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

The intent of the Act is to assist people whose personal information may have been compromised by keeping them informed and enabling them to protect themselves and their personal information, for example by changing their passwords. Although broadly capturing any unauthorised access, disclosure or loss, one limitation with the Act in achieving this goal might be the requirement that there be potential for “serious harm” to occur. The Explanatory Memorandum for the Act notes that this is intended to include serious harm to a person’s reputation, so it is not restricted to monetary harm only. However, the Explanatory Memorandum goes on to envisage that the term refers to more than just distress. It will be interesting to see how this is interpreted in practice.

Statement and notification

If an eligible data breach occurs then the entity must prepare a Statement for the Privacy Commissioner containing relevant information and in the form prescribed under the Act.

Additionally, the entity will be required not only to notify the individuals in relation to whom the eligible data breach is likely to result in serious harm but, if practicable, all individuals to whom the information relates. It is only where it is impracticable to inform all individuals to whom the information relates that the obligation is reduced to only notifying the individual (or individuals) at risk.

Where affected individuals cannot be contacted or located, the entity must publish the contents of the Statement on the entity’s website and take reasonable steps to publicise the contents of the Statement provided to the Commissioner.

The new regime does contain some exceptions. Particularly notable is the case of an entity which is able to remedy a data breach before it results in loss or harm. In such circumstances, if the entity takes action before an individual suffers loss or serious harm then they will not have to comply with the requirements of notification.

The new laws also put a positive obligation on entities to investigate data breaches if there are reasonable grounds to suspect that there may have been an eligible data breach. If the Commissioner becomes aware of reasonable grounds to believe there has been an eligible data breach, he has power to direct an entity to comply with its notification obligations.

Non-compliance by an entity will amount to an interference with the privacy of an individual, which carries serious civil penalties under the Privacy Act: up to $360,000 for individuals and $1.8 million for organisations.

Therefore, it is important for organisations to recognise irregular or unusual activity and to ensure that proper investigations of possible data breaches are undertaken and completed within 30 days. As entities now have a positive duty to investigate such occurrences, it is critical that they put proper procedures in place and ensure adequate staff training.

Call us for a free ‘no obligation’ discussion where we can talk about how this applies to your business, reporting obligations and the steps needed to prepare a Data Breach Response Plan.

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this article, or what it means for you, your business or your clients' businesses, please feel free to contact us.

For more information, please contact Amy Bishop.
