Three significant legal privacy reforms will commence over the course of 2018 in Australia.  The reforms are:

  1. Mandatory notifications of data breaches under the Privacy Act 1988 (Cth);
  2. The General Data Protection Regulation, a European Privacy Law with extraterritorial reach to Australia; and
  3. The Australian Government Agencies’ Privacy Code.

Notifiable data breaches under the Privacy Act will affect almost every organisation in Australia.  This will include all Australian government agencies, almost all businesses and not-for-profit organisations with a turnover of more than $3M per annum, together with some smaller businesses such as health service providers and contracted service providers to the Commonwealth.  Also affected are organisations that handle tax file numbers, credit providers and credit reporting bodies.

The amendments require notification of certain types of data breaches.  Notifiable data breaches are incidents that involve the loss of, or unauthorised access to or disclosure of, personal information that is likely to result in serious harm to one or more individuals.

If the data breach meets this threshold test, notification is required as soon as practicable to the Australian Privacy Commission and the affected individuals.  The legislation sets out the factors that impact whether a data breach is ‘likely to result in serious harm’; the timeframes in which an assessment must be carried out on a suspected breach; and what a notification must contain and how the notification must be made.

Based on an early engagement, William Roberts Lawyers can assist Boards and Management in navigating and complying with their legal obligations.


The General Data Protection Regulation

The General Data Protection Regulation regulates businesses based in the European Union and any organisation around the world that provides goods and services to, or monitors the behaviour of, people in the European Union, including the United Kingdom post Brexit.

One of the new principles in the General Data Protection Regulation is the accountability principle, which requires organisations to be proactive: if an organisation does not have an effective privacy compliance program, it can be found to be in breach of its data protection obligations even if no actual data breach has occurred.

William Roberts Lawyers can work actively to assist Boards and Management in documenting and auditing an insured’s privacy compliance program.