Insight 22 February 2018

Privacy law update – data breaches must now be notified

It is time to review your cyber security posture

Starting today, the Privacy Act 1988 (Cth) requires agencies and organisations to notify affected individuals of certain data breaches. This fundamentally changes the risk profile around compliance with the Privacy Act.

The amendments require notification where there has been an ‘eligible data breach’. This occurs where there is either unauthorised access to, or disclosure of, personal information (including some deemed forms of personal information), or a loss of information that is likely to lead to unauthorised access or disclosure (a breach), and where that breach would lead a reasonable person to conclude that it is likely to result in serious harm to the affected individuals. Harm can take many forms, including physical, emotional, reputational or financial harm.

The duty to notify is not absolute, however. There are some exceptions. The first is in the definition of ‘eligible data breach’ itself. While there is a degree of objectivity, there will clearly be the need to make an assessment about the likely seriousness of any breach. There is a non-exhaustive list of matters to consider in this regard, but if there is no likely risk of serious harm, then no notification is required.

If a party suspects there has been a breach but does not yet have grounds to believe it has occurred, it must conduct an assessment rather than immediately notifying. Typically, it is expected this assessment should occur within 30 days.

Further, if there has been a breach, but the party has taken steps to remove the effect of the breach before harm occurs (for instance, because a lost device can be remotely wiped), then the breach need not be notified.

Also, if there are multiple parties involved in a breach – for instance, through an outsourcing or cloud arrangement – only one party needs to make the notification.

Finally, there are some exceptions for law enforcement and government agencies.

If you do have to notify, then there are issues of timing and form that must be addressed. You must prepare a notice that covers specified matters, and provide it to the Australian Information Commissioner (the Commissioner) as soon as reasonably practicable. That is a variable time frame that will depend on the particular circumstances, and it may be that we receive guidance from the Commissioner in due course about what is expected.

The notice must contain:

  • the identity and contact details of your business
  • a description of the breach
  • the type of information that was disclosed, and
  • recommendations about the steps individuals should take in response to the breach.

In addition to providing it to the Commissioner, you must also notify the affected individuals using the usual method of communication between you and the individual, and if you are unable to individually notify, publish the notice on your website and take reasonable steps to publicise the notification.

If you fail to comply with the new notification obligations, then the usual range of remedies under the Privacy Act is available, including investigation by the Commissioner, court-enforceable undertakings, orders for compensation, and penalties of up to $2.1 million.

What to do now

Clearly this new regime involves a significant changing of the privacy landscape. Businesses will be more publicly accountable for data breaches, and must be far more open with individuals in their communications about data breaches.

While to an extent this will inevitably lead to a ‘normalisation’ of breach notifications, this is cold comfort for anyone having to go through the notification process. It will be critical to be ready to deal with notification obligations swiftly and professionally, and so we recommend putting in place a data breach response plan to ensure the procedural aspects of notification and breach response are addressed. More importantly still, we also recommend recognising that prevention is better than cure, and taking the opportunity to review your cyber security posture generally to reduce the risk of a breach happening in the first place.

Our privacy experts can help you at every stage of the process.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

About the authors

  • Alex Hutchens

    Partner
  • Matthew McMillan

    Partner
  • Paul McLachlan

    Strategic Adviser
  • Belinda Breakspear

    Partner
  • Caroline Law-Walsh

    Special Counsel
  • Jeremy Perier

    Special Counsel
  • William McCullough

    Senior Associate

© 2017 McCullough Robertson.