How will the new mandatory data breach notification laws impact your business?


Every business owner has a responsibility to stay on top of – and comply with – changes to the law that affect their business operations. The Australian authorities don’t respond well to pleas of ignorance, especially from businesses. So, are you aware of the latest changes to data breach notification laws? Do you know how these changes could affect your business? If not, don’t worry – summarised below are the key points you should know to prepare your business for the changes.

The New Bill

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Australian Parliament on 13 February 2017. It amends the Privacy Act 1988 by introducing a mandatory data breach notification regime. Until now, the Australian Information Commissioner (AIC) has encouraged businesses to disclose data breaches, but there has been no legal obligation to do so under the Privacy Act. Once the new Bill takes effect, however, businesses will be under a legal obligation to disclose all breaches to the Office of the AIC.

‘Eligible Data Breach’

The Bill requires all eligible data breaches to be disclosed to the AIC. So what constitutes an ‘eligible data breach’? Broadly speaking, this occurs where:

  • There has been unauthorised disclosure of, or access to, personal information, and a reasonable person would conclude that there is a likely risk of serious harm to the affected individual/s; or
  • Personal information is lost in circumstances that are likely to give rise to unauthorised disclosure of, or access to, the information, and a reasonable person would conclude that there is a likely risk of serious harm to the affected individual/s.

‘Serious harm’ includes physical, psychological, emotional, economic and financial harm.

Obligations for Businesses

The new data breach notification obligations can be broken down into the following duties:

  • Businesses with reasonable grounds to believe that an eligible data breach has occurred must carry out a reasonable and expeditious assessment of the suspected breach. This must be completed within 30 days of the business becoming aware of the breach (where reasonably possible).
  • After making the assessment, businesses must notify the AIC and affected individual/s of the suspected ‘eligible data breach’. This process requires the business to:
    • Prepare a statement which sets out the business’ identity and contact details, a description of the breach, the type of information concerned, and recommendations of actions to be taken in response to the breach;
    • Provide a copy of the statement to the AIC;
    • If practical, notify each person to whom the relevant information relates, or those at risk from the breach, of the contents of the statement; and
    • If it is not practical to notify affected persons, publish a copy of the statement on the business’ website and take reasonable steps to publicise the statement.

Does the Bill Apply to my Business?

The Bill applies to businesses to which the Privacy Act applies. So what types of businesses does this include?

  • Australian Government Agencies.
  • Businesses and not-for-profit organisations with an annual turnover above $3 million.
  • Private sector health services (including gyms, weight loss clinics, etc.).
  • Educational and child care institutions (e.g. private schools, child care centres, etc.)
  • Businesses that buy or sell personal information.

Even if the Bill doesn’t apply to your business, it is still strongly recommended that your business implements strategies to comply with the new rules. By doing so, you will likely attract a favourable reputation with the AIC, as well as with consumers. It will also help to combat the serious issue of data breaches in Australia.

Get your Business Ready!

All businesses should start preparing for the new regime ASAP. Steps you can take to get your business prepared include:

  • Ensure all personnel with privacy and management responsibilities understand the effects of the regime and their responsibilities.
  • Introduce procedures to manage compliance with the regime in case of a breach.
  • Consider the implications of the regime in relation to outsourcing or other arrangements with third parties who hold personal information for your business.

About the author

With over 20 years’ legal and business experience, Katherine Hawes is the founder and principal solicitor of Aquarius Lawyers. She previously wrote How to avoid unenforceable contracts, How your SMEs can safely execute competitions, Identity theft costs businesses $221b per year… what can you do to protect your operation?, Which legal structure best suits my business?, and How to protect your IP when you have an online business for Dynamic Business.