Mandatory reporting of data breaches

Reading time: 2 min(s)

A new scheme for the mandatory notification of data breaches is set to commence on 23 February 2018 (“the Notifiable Data Breach scheme”) which may affect a significant number of organisations in the not-for-profit sector.

Upon commencement, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) will amend the Privacy Act 1988 (Cth) to introduce new obligations concerning the investigation and notification of data breaches.

The Notifiable Data Breach scheme will apply to all entities that are subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APP entities”), including businesses and not-for-profit organisations with an annual turnover of $3 million or more.

What is a data breach?

An ‘eligible data breach’ will occur if there is unauthorised access to, unauthorised disclosure of, or loss of personal information, which a reasonable person would conclude is likely to result in serious harm to the individual to whom the information relates.

Suspected data breach

If an APP entity has reasonable grounds to suspect that an eligible data breach may have occurred, it must investigate the circumstances and assess whether a breach occurred within 30 days.

Eligible data breach

If an APP entity has reasonable grounds to believe an eligible data breach has occurred, the APP entity must notify the Office of the Australian Information Commissioner and, if practical, take reasonable steps to notify the affected individuals.

The notification must include certain prescribed information (for example, it must contain recommendations as to the steps that affected individuals should take in response to the breach).

If an APP entity fails to comply with the new data breach requirements, it will have committed an interference with the privacy of an individual and penalties may apply under the Privacy Act 1988 (Cth).

Remedial action

Importantly, an APP entity will not be required to report a data breach if it takes remedial action in response to the breach, from which a reasonable person would conclude that the data breach would be unlikely to result in serious harm to the affected individuals.

Where to from here?

APP entities should familiarise themselves with the new data breach requirements and review their internal policies and procedures to ensure breaches are handled appropriately.

For further information about the new Notifiable Data Breach scheme, please do not hesitate to contact us.

Matthew Cartwright
Matthew first joined CRH Law as a law clerk in 2014, providing legal, administrative and research assistance to the firm while completing his legal studies. During his time as a law clerk, Matthew has gained experience in the areas of law practised at CRH Law, and has had many opportunities to provide assistance to the clients of the firm.