CML Lawyers

Are you a business with an annual turnover of over $3 million AUD or do you provide health, child care or education services or trade in personal information? If you are, then you should get ready now for the new Data Breach Notification Laws that will be effective next year.

You are an APP Entity (Australian Privacy Principles Entity) and must comply with the Privacy Act 1988 and the new Data Breach Notification laws if any of these apply:

  • Annual turnover exceeds $3 million
  • Health Services – including weight loss clinics and gyms
  • Child Care, Schools
  • Personal Information traders, credit reporting agencies, accountants.

What sort of a breach must be notified? 

An ‘Eligible Data Breach’ must be notified, and is defined in two stages:

  • unauthorised access to, disclosure of, or loss of personal information; and
  • a reasonable person would find that the breach is likely to cause serious harm to those affected.

Serious harm includes physical, psychological, emotional, economic, financial and reputational harm.

You must consider the information, whether it is sensitive, how it is protected, who has or might have it and how it might harm people.

You have to move quickly! Assess if you have an Eligible Data Breach within 30 days and notify those affected as soon as practicable. The notification must describe the breach and recommend what the person affected should do about the breach. However, you don't have to notify if you fix the problem before any serious harm is done to someone.

From when must you notify?

The start date is yet to be proclaimed – but will be no later than 22 February 2018. The Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed by the Senate on 13 February 2017. Royal Assent was on 22 February 2017.  

If your organisation has experienced an Eligible Data Breach, then you must send a notice (with breach details, steps to take and your contacts) to:

  • all those affected (and at risk of being affected); and
  • the Privacy Commissioner.

If you don’t comply, then you may be ordered to pay compensation and civil penalties of up to $1.8 million.

What should you do?

  1. Ensure that you haven’t experienced any Eligible Data Breaches;
  2. Check your data protection policies and systems;
  3. Have a robust data protection plan and excellent data breach management plan; and
  4. Have us review your Privacy Policy and prepare a Checklist that will indicate when you should report, how to respond to notification letters from the data breach victim and the Privacy Commissioner. 

Apart from fines, penalties and adverse publicity, a data breach could expose you to breach of contract, negligence or breach of a duty of confidence claims.

Speak to Peter McNamara about your business’ data protection policies today.

Privacy Amendment (Notifiable Data Breaches) Bill 2016

Privacy Amendment (Notifiable Data Breaches) Act 2017

Privacy Act 1988