Here’s How to Be Ready

Businesses across Australia should be preparing for new laws that will affect how they store, transmit, and use data on their computer networks. If you aren’t aware of it, mandatory data breach notification laws go into effect beginning February 22, 2018 and provide rather severe penalties for those who do not adequately report and remedy data breaches on their networks.

The Official Word from OAIC

To support businesses and agencies in getting ready for the Notifiable Data Breaches scheme, the Office of the Australian Information Commissioner (OAIC) is developing guidance and organising events to help organisations understand their obligations and be prepared for commencement in 2018.

The OAIC’s Notifiable Data Breaches webpage provides more details, including how to keep informed of future consultation events.

Statement from Australian Privacy and Information Commissioner, Timothy Pilgrim

“I welcome the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which establishes a mandatory data breach notification scheme in Australia.

I look forward to working with government, business and consumer groups during the transition to this new scheme; which will help protect the privacy rights of individuals, and strengthen community trust in businesses and agencies.

This amendment will require government agencies and businesses covered by the Privacy Actto notify any individuals affected by a data breach that is likely to result in serious harm. My office will be advised of these breaches and can determine if further action is required.  The law also gives me the ability to direct an agency or business to notify individuals about a serious data breach.

The new scheme will strengthen the protections afforded to everyone’s personal information and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement. This will include providing additional guidance over the next 12 months, and events hosted by the OAIC’s Privacy Professionals Network.

In the meantime, agencies and businesses should continue to take reasonable steps to make sure personal information is held securely – including being equipped with a clear response plan in the event of a data breach.”

The OAIC’s Data breach notification — a guide to handling personal information security and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the mandatory notification scheme. The OAIC also has a comprehensive Guide to securing personal information.

Background on Data Breach Notification Laws

The establishment of a data breach notification requirement was recommended by the Australian Law Reform Commission (ALRC) in its 2008 report titled For Your Information: Australian Privacy Law and Practice (ALRC Report 108 (Aug. 2008)). The Parliament has since enacted amendments to the Privacy Act 1988 (Cth) to implement many of the Commission’s recommendations, but these did not include a mandatory notification system for data breaches. (See Kelly Buchanan, Australia: New Privacy Law Comes into Effect, GLOBAL LEGAL MONITOR (Mar. 21, 2014).) The previous government had introduced legislation on this issue in 2013, but it failed to gain sufficient support prior to the election that year.  (Privacy Amendment (Privacy Alerts) Bill 2013, Parliament of Australia website.)

The current government again took up the issue in 2015, following a report by the Parliamentary Joint Committee on Intelligence and Security, which recommended the “introduction of a mandatory data breach notification scheme.” (Parliamentary Joint Committee on Intelligence and Security, Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, at xxv (Feb. 27, 2015); Press Release, George Brandis & Malcolm Turnbull, The Australian Government has Responded to the Inquiry of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Mar. 3, 2015), Attorney-General for Australia website.) In December 2015, the Attorney-General’s Department released a discussion paper and exposure draft of a serious data breach notification bill for public comment. (Serious Data Breach Notification, ATTORNEY-GENERAL’S DEPARTMENT (last visited Feb. 13, 2017).) The resulting bill was introduced in the Parliament in October 2016.

The Explanatory Note for the 2016 bill recognizes international developments since the ALRC’s report, including that “[i]n the United States, 47 states, the District of Columbia and three territories have implemented mandatory data breach notification” and a national standard had been proposed by President Obama in January 2015. In addition, ”the European Union has introduced regulations that mandate data breach notification. In May 2014, New Zealand announced plans to introduce a two-tier mandatory data breach notification scheme. On 16 June 2015, Canada passed legislation to introduce a national mandatory data breach notification scheme.” (Privacy Amendment (Notifiable Data Breaches) Amendment Bill 2016: Explanatory Note 9 (George Brandis) (Oct. 2016).)

Features of the Bill

The 2016 bill amends the Privacy Act 1988 (Cth) (Federal Register of Legislation) “to introduce mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the Privacy Act.”  (Explanatory Note, supra, at 2. ) Under the amendments, organizations must report an “eligible data breach” to the OAIC and notify affected customers immediately.  An eligible data breach occurs “where personal information held by an entity is subject to unauthorised access or unauthorised disclosure and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the personal information relates.” (Id. at 59; Privacy Amendment (Notifiable Data Breaches) Bill 2017, sch 1 item 3, inserting new section 26WE(2), Parliament of Australia website.)

There is an exception for situations where the entity takes remedial action before the access or disclosure results in serious harm. (Privacy Amendment (Notifiable Data Breaches) Bill 2017, sch 1 item 3, inserting new section 26WF.) Other exceptions relate to law enforcement-related activities and the application of secrecy provisions in other laws. (Id. sch 1 item 3, inserting new sections 26WN & 26WP.)

The bill specifies that the statement to the OAIC must include a description of the data breach, the kinds of information involved, and recommendations for steps that those affected should take in response to the incident. (Id. sch 1 item 3, inserting new section 26WK.) Affected individuals must then be notified of the contents of the statement. (Id. sch 1 item 3, inserting new section 26WL.) The OAIC may also direct an entity to provide notification of an eligible data breach that it believes to have occurred. (Id. sch 1 item 3, inserting new section 26WR.) A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act 1988 (Cth) can be penalized with a fine of up to AU$360,000 for individuals and AU$1.8 million for organizations (about US$274,560 and US$1.37 million, respectively). (Id. sch 1 item 2, inserting new section 13(4A); Privacy Act 1988 (Cth) s 13G; Crimes Act 1914 (Cth) ss 4AA & 4B, Federal Register of Legislation.)

[Source credits: Office of the Australian Information Commissioner, Library of Congress]

How Invotec Can Help You Stay Compliant with Data Breach Notification Laws

We provide Melbourne area businesses total data protection on multiple levels with our on-point security tools, monitoring, and assessment-remedy procedures.

We’ll help you stay in compliance with the forthcoming data breach notification laws, and even help you better understand what constitutes proper reporting and notification to the OAIC – and help you avoid the possibility of significant fines.

Call an Invotec representative at 1300 468 683 or email us at for more information.