Is Your House in Order? New Data Breach Regime laws take effect on 22 February 2018

Incoming legislation relating to mandatory notification for data breaches comes into effect from 22 February 2018. Once in effect, the new regime will require agencies and organisations that are subject to the Privacy Act 1988 to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals in cases where there has been a confirmed ‘eligible data breach’ of personal information.

As it currently stands, organisations holding sensitive information have discretion as to whether they disclose data breaches to affected customers, clients and/or the Privacy Commissioner.

Why is this so important for businesses?  The answer lies in all of the client information necessarily stored as part of the everyday running of a company.  If accessed by an unauthorised third party, this information could very well result in instances of identity theft, or ‘serious harm’.  Accordingly, it is essential that your organisation makes itself familiar with all requirements of the new regime, and that you are ready to respond swiftly and effectively should an eligible data breach occur.

What is an eligible data breach?

An ‘eligible data breach’ occurs when:

  1. There is unauthorised access to, or disclosure of information;
  2. Information is lost under circumstances where unauthorised access or disclosure is likely to occur; or,
  3. A reasonable person would conclude that the access or disclosure is likely to result in serious harm to any individuals to which the information relates.

The Commissioner has provided the following examples of eligible data breaches:

  • Theft of a device containing a client’s personal information;
  • Hacking of a database that contains a client’s personal information; and,
  • Where a client’s personal information is mistakenly disclosed to the wrong party.

A real world example of this can be seen in Uber’s recent data breach saga, where it has been alleged that data belonging to 57 million users was hacked. Instead of addressing the hack, the company paid the hackers $132,000 to delete the information. Had the pending legislation been in effect at the time of the breach, Uber would most likely have faced serious penalties for not disclosing the breach.

What does serious harm mean?

When considering what actually amounts to ‘serious harm’, the Commissioner has suggested that organisations assess any data breaches based on the type of information that was accessed, the level of sensitivity relating to said information, and what the nature of the harm is likely to be to any individuals whose personal information was accessed.  The Commissioner has advised that factors including physical, psychological, emotional, economic and financial harm – as well as harm to an individual’s reputation, should be taken into consideration throughout the assessment.

When and how must a notification be prepared?

An organisation has 30 days in which to conduct an assessment to confirm whether a breach is eligible, and to comply with the notice obligations (if required).

The legislation provides that where an ‘eligible data breach’ of personal information has indeed occurred, the organisation must prepare a notification that includes the following details:

  1. The contact details of the organisation;
  2. A description of the data breach that the organisation believes has occurred;
  3. The kind(s) of information that was subjected to the breach; and,
  4. Recommended steps that affected individuals should take in response to the breach.

The notification containing the relevant material must be forwarded to the Commissioner as soon as reasonably practicable after the organisation becomes aware of the breach.  Where possible, organisations must also notify any individuals potentially at risk as a result of the breach.  If it isn’t practicable to do so, the organisation must take reasonable steps to otherwise publicise the notice.  

There are some exceptions that can apply under the regime, such as when an organisation that has experienced a data breach takes remedial action after the breach occurs in order to ensure that affected individuals don’t suffer any serious harm.  Whether or not this is possible is dependent on the circumstances surrounding the breach, although Coleman Greig advises that organisations keep this in mind as part of their response.

It’s also important to note that failure to comply with the notification regime can potentially result in fines of up to $1.8 million.  Accordingly, organisations need to be on alert and well prepared to deal with any and all potential data breaches.

What should you do before 22 February?

  1. Familiarise yourself with the legislation: The legislation provides extensive guides regarding what should be done if an eligible data breach occurs.  
  2. Review your IT contracts: If you’re using a third party to hold your data, you should make sure that they’re obliged to notify you of any data breach as it occurs and that they cooperate with you in investigating the breach.
  3. Create an internal response plan: The legislation requires organisations to prepare a notification to the Commissioner as soon as practicable after becoming aware of the eligible data breach having occurred – so ensure that your organisation has a process in place to both assess and respond when a breach does occur.  
  4. Consider which of your clients may collect personal information: As a trusted advisor to your clients, you should ensure that they are sufficiently informed with regard to the new privacy laws, and how they may affect their business.
  5. Increase security measures/ensure they are up to date: As technology constantly evolves, so do the ways in which your sensitive information can be leaked or disclosed.  Coleman Greig suggests using reputable and effective software to protect such data, as well as undertaking relevant upgrades wherever possible.

What else should you be aware of?

The new mandatory regime in respect of data breaches adds yet another layer of compliance and regulatory responsibility for businesses who collect, handle and store client information.
Organisations will of course be familiar with their obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Additionally, for businesses with systems set up to receive payments from Visa and MasterCard credit or debit cards, regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS) may also apply.

The introduction of this new regime may be an opportune time for organisations to undertake a review of their internal policies and procedures to ensure that they are complying with their obligations under these regulations, as well as having a response plan in place should a breach (whether data or privacy related) occur.

Does a data breach mean that a breach of confidentiality has occurred?

Organisations should also take note of their obligations with regard to any non-disclosure or confidentiality agreements that they have entered into with their clients or other businesses.
Whilst the OAIC’s new regime will indeed require appropriate notification of any eligible data breaches, an organisation should be aware of exactly what type of information is covered by any confidentiality agreements that they may have entered into – as a leak of information not covered by a confidentiality agreement may not always be defined as a breach of confidentiality (even if an eligible data breach has occurred) and similarly vice versa.

It is therefore important for organisations to conduct a proper assessment of exactly what information has been accessed if a data breach does occur, and then determine what its reporting and notification obligations are under both the OAIC’s regime and any relevant confidentiality agreement.

If you are interested in learning more about mandatory data breach legislation, or to speak with someone in our Privacy and Data Protection team, please don’t hesitate to get in touch with:

© 2024 Coleman Greig Lawyers   |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230