New Mandatory Data Breach Notification Laws: 3 Things to Do Now

Sara-Jane Mok | February 23rd, 2017

The new mandatory data breach notification laws will require organisations to report any ‘eligible data breach’ to the Australian Information Commissioner (the Commissioner) and to notify affected individuals as soon as practicable.

Passed by Federal Parliament on 13 February 2017, the scheme brings Australia into line with other jurisdictions, such as the United States and the European Union, that already require breach notification, and improves transparency for consumers.

What are the New Data Breach Notification Laws?

An eligible data breach occurs if:

  • There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity; and
  • The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates (an exception applies where the entity takes remedial action before any serious harm results).

Your business will have to give notification if:

  • It has reasonable grounds to believe that an eligible data breach has happened; or
  • It is directed to do so by the Commissioner.

These mandatory breach notification requirements apply to organisations that have obligations under the Privacy Act 1988, including:

  • Australian Government agencies;
  • Businesses and not-for-profit organisations with an annual turnover of more than $3 million;
  • Certain businesses with an annual turnover of $3 million or less that:
    • Provide health services and hold individual health information (for example, child care centres, private schools and private tertiary educational institutions);
    • Sell or purchase personal information, including credit reporting bodies; or
    • Are contracted service providers under a Commonwealth contract.

If your business suspects a breach, it has 30 days from when it becomes aware of the suspected breach (or when it ought reasonably to have become aware of it) to assess whether the breach is an eligible data breach. Once it has reasonable grounds to believe an eligible data breach has occurred, it must notify the Commissioner and affected individuals as soon as practicable. Non-compliance can attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.

What Does This Mean for Your Business?

If your business is subject to the Privacy Act, you will need to comply with the new mandatory data breach notification laws. More importantly, to avoid potentially embarrassing publicity, you should do the following:

1. Ensure your business adheres to Australian Privacy Principles (APP)

Take reasonable steps to implement practices, procedures and systems that ensure your business complies with the Australian Privacy Principles and any binding registered APP code. It is also vital that your systems are able to deal with related inquiries and complaints.

For example, make it clear to consumers how your organisation can be contacted with any complaints, and ensure that you have sufficient control over your data management system to enable you to take immediate action to address complaints (especially where you are relying on third party IT providers to manage that system).

2. Update your business’ privacy policy

Review and update your APP privacy policy about how your business manages personal information. You will also have to ensure that your APP Privacy Policy is available free of charge in an appropriate form and, upon request, in a particular form.

3. Only use data for purposes it was collected for

Use or disclose personal information only for the primary purpose for which it was collected, or for a secondary purpose in the circumstances permitted by the Australian Privacy Principles.

This is a timely opportunity to review your privacy and data security policies to evaluate whether they comply with the new mandatory data breach notification laws.

Need advice on reviewing and updating your privacy policies, data breach response plans and Terms & Conditions of Use for confidential data? Get in touch with us:

Victoria Konya
Senior Associate
+61 3 9620 9660

Sara-Jane Mok
BSc LLB GradDipTax
+61 3 9620 9660

Sara-Jane Mok

Sara-Jane's experience encompasses a range of services such as property, commercial and intellectual property. Prior to joining mdp, Sara-Jane worked in Research & Development Tax at one of the ‘Big Four’ professional services firms assisting companies with preparing their Research & Development Tax Incentive claims.