Hacker-proof? Unpacking the new Privacy Amendments – what this means for companies

Organisations covered by the Australian Privacy Act 1988 (Cth) will soon need to notify eligible data breaches to the Office of the Australian Information Commissioner (OAIC) as well as to affected individuals as soon as practicable after the organisation becomes aware.

On 22 February 2017, the Privacy Amendment (Notifiable Data Breaches) Act 2017 made its way through both houses of Parliament with bipartisan support and received Royal Assent. The implication is that, from 23 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme.

Who must comply with this new law

The new law will apply to organisations with an annual turnover of more than $3 million, Australian Government agencies, and other organisations that are already required by the Privacy Act to keep information secure (APP entities).

When does an ‘eligible data breach’ occur

An ‘eligible data breach’ occurs where there has been:

  1. Unauthorised access or disclosure, or loss of information where unauthorised access or disclosure is likely; and
  2. A reasonable person would conclude that the access or disclosure would likely result in serious harm to the individuals to whom the financial information relates.

The requirement to notify

The requirement to notify triggers when an entity is aware that “there are reasonable grounds to believe that, there has been an eligible data breach of the entity”.

If an eligible data breach has occurred, an entity must notify affected individuals and the OAIC as soon as practical, with a notification containing certain prescribed information, including:

  1. The identity of the organisation;
  2. The description of the breach;
  3. The kind of information concerned; and
  4. Recommendations to the affected individuals as to the steps they should take in response to the breach.

If it is impractical to notify all affected individuals, the entity must publish a statement on its website.

Exceptions to Notification

There are a range of exceptions, most notably where the affected entity takes appropriate remedial action in response to the eligible data breach before the breach causes serious harm.

Sanctions for failing to comply

The standard penalty regime under the Privacy Act allows for monetary penalties of up to $1.8 million for companies and $360,000 for individuals for serious or repeated breaches.

The takeaways

To ensure compliance with the new law:

  • Update and certify that you have a complete data breach response plan and a well-trained team;
  • Start implementing processes to meet the various assessment and notification requirements;
  • Review how your company manages its information, to take stock of its information assets and its data protection measures (including response activities), and to reduce the risk of a data breach occurring in the first place;
  • Focus on your organisation’s ability to remediate a breach; and
  • Analyse contracts with service providers to ensure they contain privacy and data breach notification obligations.

William Roberts Lawyers