This law (to commence in February 2018) establishes a mandatory data breach notification scheme requiring agencies and organisations regulated by the Privacy Act to provide notice to the Australian Information Commissioner and affected individuals of an ‘eligible data breach’.

An eligible data breach will occur where:

  • there is unauthorised access to or disclosure of information and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom that information relates; or
  • information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any of the individuals to whom that information relates.