After years of deliberation, a mandatory data breach notification scheme in the form of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Bill) will come into effect in Australia within the next 12 months, after obtaining royal assent.

Designed to target organisations and government agencies already captured under the Privacy Act 1988 (Cth) (Privacy Act), the provisions of the Bill do not apply to state government organisations, local councils or (generally speaking) businesses with an annual turnover of less than $3 million.

We outline the key obligations introduced by the Bill below:

  • Organisations currently subject to the Privacy Act are required to notify the Privacy Commissioner and affected individuals as soon as they become aware of an “eligible data breach”, being:
    • the unauthorised access to, or unauthorised disclosure of, personal information (including identifying information, credit details and tax file number information) that would be likely to result in “serious harm” [1] to the individuals to whom the personal information relates; and
    • a loss of data containing personal information (for example, misplacing an external hard drive containing a list of customer contact details) where unauthorised access to, or disclosure of, the personal information would be likely to result in “serious harm” to the relevant individuals.
  • The notification statement to the Privacy Commissioner must set out the identity and contact details of the breached organisation, a description of the eligible data breach, the kind of information concerned, and recommended steps for the affected individuals to take in response to the breach.
  • Depending on the practicability of contacting those affected by the breach, the statement prepared for the Privacy Commissioner must also be:
    • sent to each of the individuals to whom the information that is the subject of the breach relates; or
    • sent to each of the individuals who are at risk from the eligible data breach; or
    • published on the organisation’s website and elsewhere under a general obligation to make reasonable efforts to publicise the statement.
  • Organisations that become aware of a suspected eligible data breach must carry out and complete an assessment to ascertain whether an eligible data breach has in fact occurred, within 30 days of becoming aware of the circumstances that led to that suspicion.

The obligations above also apply to overseas breaches where organisations subject to the Privacy Act have disclosed personal information to foreign recipients. Organisations that fail to comply with the data breach notification provisions could face a fine of $1.8 million. Arguably the biggest risk with these laws, however, is the consequence that notification of a breach can be an admission of liability, giving rise to risks of negligence claims and class actions.

It is important to note that organisations that have been breached can apply on a case-by-case basis to the Privacy Commissioner for a declaration that effectively exempts the organisation from the requirement to prepare a data breach notification statement. Organisations can also apply for extra time to send out the statement to affected individuals.

Organisations currently governed by the Privacy Act (and those likely to meet the $3 million turnover threshold in the near future) should review their data security practices as soon as possible and ensure that effective systems are in place to notify affected individuals should an eligible data breach occur.