Mandatory data breach notifications – are you ready?

Aug 21, 2018

What are the changes?

From 23 February 2018, certain businesses will have mandatory reporting obligations in the event of an ‘eligible data breach’, and will be required to notify the Australian Information Commissioner and any impacted individuals.

Who must comply?

All businesses with an annual turnover of over $3million are required to comply with the Privacy Act generally, including in respect of the new mandatory notification provisions.
Some smaller organisations are also required to comply, for example, if they contract to any Commonwealth government agency or handle health data.

What is an ‘eligible data breach’?

An ‘eligible data breach’ occurs if:

  1. The personal information held by an entity has been lost, accessed or disclosed without authorisation; and
  2. The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

What are the penalties for non-compliance?

In addition to civil penalties of up to $2.1 million (10,000 penalty units) per breach, businesses which fail to properly handle personal data and respond to a data breach could face civil action including in respect of breach of contract, and misleading and deceptive conduct.


1. Do you have a Privacy Policy?

If not please contact us and we can draft one specific to your organisation.

It is also a good time for us to review your Privacy Policy to make sure it is up to date.

2. We will help you assess whether the new provisions apply to your organisation.

Do you have an annual turnover of more than $3m?

Are you a health service provider or do you hold any health information about individuals other than an employee record?

Do you disclose personal information about an individual to anyone else for a benefit service or advantage?

Are you a contracted service provider for a Commonwealth contract?

Are you a credit reporting body?

3. Prepare a data breach response plan.

We can prepare a data breach response plan specific to your organisation.

The data breach response plan will help you identify the types of breaches you must report, and will set out the process for investigating, handling and reporting breaches.

4. Are you compliant?

We can review the way you currently collect, store and destroy personal information to ensure you comply with the Privacy Act.

We can also provide advice and training on your Privacy Act obligations.

5. If there is a breach?

Contact us straight away.

We will advise you on how to report the breach and to whom the breach should be reported, and help you implement your data breach response plan.

Please contact Natalie Lasek.