Mandatory Data Breach Notification

Mandatory Data Breach Notification

On the 13th February 2017, an amendment was made to the Privacy Bill 2016 to establish a mandatory data breach notification scheme in Australia. This change will help to protect the privacy rights of individuals and strengthen community trust in business and agencies. On 23rd February 2018 onwards, the Privacy Act 1988 will include a mandatory data breach notification scheme.

The amendment will place an obligation on government institutions and businesses subjected to the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected persons whose personally identifiable information is subject to a data breach, that is likely to result in serious harm. This change aims to ensure that individuals will be able to take the necessary remediation steps in the event there a breach occurs to a person’s personal information.

This amendment, while introduced to protect everyone’s personal information, will also aim to improve transparency in how a response to serious data breaches occurs. The amendment will also provide organisations subjected to the privacy act, an opportunity to minimise damage to the information held and reputation of the organisation by taking measures to implement adequate security controls to information processed, stored and transmitted.

While Australian Government entities will be subject to this breach notification and various other non-government entities including some Not for Profit organisations, small businesses will also be subjected to this breach notification amendment. The criteria for small organisations are as follows:

  • Revenue of three million dollars and above; or
  • Belong to an industry group such as healthcare, finance and other industries where Personally Identifiable Information (PII) is being collected, processed and stored.

In the event, you do not know if this amendment affects your business, assume it does to be safe.

Any breaches after the 23 February 2018 will need to be reported to the Privacy Commissioner and the affected parties of the data breach such as customers and other stakeholders. Failure to report the breaches will result in penalties for the organisation.

An organisation, to ready themselves, can do many things to start preparing for this mandatory reporting legislation. The best place to start with is a Privacy Impact Assessment (PIA). This assessment will allow an organisation to understand the information flows around PII, understand the current controls and governance around protecting this information and will also identify any risks and gaps in the environment that need remediating. A roadmap will accompany the PIA report outlining a timeline of remediation activities required to protect PII.

Should you need more information about this new legislation or would like to discuss further regarding Privacy Impact Assessments, please contact Thomas Jreige, CIO at Accelerate Group on +61 404 092 538 or