Notifiable Data Breaches

New laws about mandatory reporting of serious data breaches commence today. The Notifiable Data Breaches Scheme establishes requirements for entities responding to data breaches.

Who does the scheme apply to?

Entities subject to the Privacy Act 1988 generally include:

  1. most Australian Government agencies;
  2. businesses and not for profit organisations with an annual turnover of more than $3 million;
  3. credit reporting bodies;
  4. health service providers; and
  5. TFN recipients, among others.

What breaches require notification?

The key point to understand is that entities have data breach notification obligations when a data breach is likely to result in “serious harm” to any individuals whose personal information is involved in the breach. These are referred to as “eligible data breaches”. There are, however, a number of exceptions to notification obligations. Data breaches that may increase the risk of serious harm include the release of sensitive information such as health/Medicare details, driver’s licences, passport details and financial information.

What are the penalties for non-compliance?

The consequences for non-compliance can be significant, with fines of up to $420,000 for individuals and up to $2.1 million for corporations.

How do you notify?

When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they must promptly notify individuals at likely risk of serious harm. The Australian Information Commissioner must also be notified.

This notification must include:

  1. The identity and contact details of the organisation;
  2. A description of the data breach;
  3. The kind of information concerned; and
  4. Recommendations about the steps individuals should take in response to the breach.

Where do you get more information?

If this topic is relevant to you and you require further information, follow this link to the Office of the Australian Information Commissioner.

Contact us

If you require advice concerning your obligations under the Notifiable Data Breaches Scheme, you can contact us on 8523 8400 (Gawler) or 8211 6500 (Adelaide) to arrange an appointment for an initial obligation consultation. Alternatively, send an email to legal@rudalls.com.au and we will contact you.