New Australian Data Breach Notification Laws

The Privacy Act 1988 (Cth) (Act) has been amended by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (the Amending Act). The Amending Act introduces a mandatory data breach notification regime where an “eligible data breach” occurs. The amendments will commence on February 23, 2018, unless they are proclaimed to commence earlier.

Giovanni Marino

May 30, 2017 12:06 PM

Who is required to comply with the new laws?

The new reporting regime will apply to APP entities that hold personal information. In general, private health care organizations, including community health centers and other private health providers will be considered APP entities.

What is an eligible data breach?

An eligible data breach occurs where:

  • there is unauthorized access to, or unauthorized disclosure of, information, or there is loss of information where unauthorized access or disclosure is likely; and
  • a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

The individuals to whom serious harm would likely result are described as being “at risk.”

Serious harm is not defined in the Act, but the explanatory memorandum to the amendments states that serious harm could include “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation, and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.”

What are the notification requirements?

If an organization has reasonable grounds to believe that there has been an eligible data breach, then it must provide a statement to the Australian Information Commissioner (the Commissioner), which sets out a range of mandated matters.

As soon as practicable after preparing the statement for the Commissioner, the organization must also take reasonable steps to notify the contents of the statement to either:

  • each individual to whom the information relates; or
  • if not all of those individuals are deemed to be at risk, only those individuals who are deemed to be at risk.

Are there any exceptions to the data breach notification requirements?

There are certain exceptions to the notification regime, including where an organization takes remedial action to address any unauthorized access to or disclosure of information or loss of information, and:

  • in relation to unauthorized access or disclosure, the remedial action occurs before there is any serious harm to any affected individuals to whom the information relates, and a reasonable person would conclude the access or disclosure would not likely result in serious harm to any of those individuals; or
  • in relation to loss of information, the remedial action occurs:

a) before there is any unauthorized access to or disclosure of the information, and as a result of the action there is no unauthorized access or disclosure; or

b) after there is any unauthorized access to or disclosure of the information, but before the access or disclosure results in serious harm to any individuals to whom the information relates, and a reasonable person would conclude the access or disclosure would not likely result in serious harm to any of those individuals.

What happens if an organization does not comply with the requirements?

A breach of the data breach notification requirements is taken to be an act that is “an interference with the privacy of an individual.” Section 13G of the Act provides that a civil penalty applies to serious or repeated interferences with the privacy of an individual. An individual penalty of $360,000 and a maximum corporate penalty of $1,800,000 currently apply for breach of this provision.

Conclusion

Organizations should review their policies and procedures regarding data breaches and prepare data breach response plans in line with the requirements of the Amending Act (if these are not in place already). The data breach response plans should contemplate potential remedial action to prevent any serious harm from occurring to any affected individuals.

Organizations that hold or share data in collaboration with other entities or service providers may wish to establish processes to enable a coordinated response to any data breach.

------------------------

Giovanni Marino is a senior solicitor with Health Legal, who prior to joining Health Legal, was a physiotherapist. This health background brings practical experience to Giovanni’s work as a lawyer. Giovanni provides a broad range of legal assistance to health care providers across Australia, including advice on their legal obligations (in areas such as medico-legal, privacy, and employment) and assistance with contract drafting and negotiations. More can be found at www.healthlegal.com.au.
