On February 22, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) ("Amendment Act") came into effect. Under the Amendment Act, entities regulated by the Privacy Act 1988 (Cth) ("Privacy Act") must notify the Office of the Australian Information Commissioner and affected individuals if there has been an eligible data breach. There are two types of "eligible data breaches":

  • When there has been unauthorised disclosure of, or access to, personal information that would likely result in serious harm; and
  • When personal information is lost in circumstances where unauthorised disclosure of, or access to, such information is likely to occur, or a reasonable person would conclude that such unauthorised disclosure or access would be likely to result in serious harm.

The Amendment Act imposes additional obligations on businesses (including some employers) regulated by the Privacy Act. These provisions could oblige employers to give notice of eligible data breaches involving the unauthorised access to or disclosure of employee personal information in certain circumstances.

We thank associate Katharine Booth for her assistance in the preparation of this Update.