This important piece of legislation was passed on 14 February 2017 and will start either late this year or early next year.


Entities conducting business in Australia will have 30 days to investigate whether or not a serious data breach has occurred.

The legislation applies if there has been an overseas breach for which the entity is responsible, for example, where it has disclosed personal information overseas and the overseas entity has suffered a data breach.

If the investigation reveals there are no reasonable grounds to believe there has been a serious data breach, no additional steps are required.

If there has been a serious data breach, entities must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.

The notification statement must set out the identity and contact details of the entity, a description of the serious data breach, the kind or kinds of information concerned, and recommendations about the steps that individuals should take.

If affected individuals can't be notified, then the entity must publish a copy of the notification statement on its website (if any) and take reasonable steps to publicise the contents of the statement (such as through social media or an online or print ad).

The OAIC can also direct an entity to notify if the OAIC believes there has been a serious data breach, and the entity must comply as soon as practicable.