Insight

New Australian Data Breach Notification Laws


Giovanni Marino

May 30, 2017 12:06 PM

Introduction

The Privacy Act 1988 (Cth) (Act) has been amended by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (the Amending Act). The Amending Act introduces a mandatory data breach notification regime where an “eligible data breach” occurs. The amendments will commence on February 23, 2018, unless they are proclaimed to commence earlier.

Who is required to comply with the new laws?

The new reporting regime will apply to APP entities (entities bound by the Australian Privacy Principles in the Act) that hold personal information. In general, private health care organizations, including community health centers and other private health providers, will be APP entities.

What is an eligible data breach?

An eligible data breach occurs where:

  • there is unauthorized access to, or unauthorized disclosure of, personal information held by the entity, or the information is lost in circumstances where unauthorized access or disclosure is likely to occur; and
  • a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

These individuals to whom the serious harm would likely result are defined as being “at risk.”

Serious harm is not defined in the Act, but the explanatory memorandum to the amendments states that serious harm could include “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation, and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.”

What are the notification requirements?

If an organization has reasonable grounds to believe that there has been an eligible data breach, then it must, as soon as practicable after becoming aware of it, prepare and give the Australian Information Commissioner (the Commissioner) a statement setting out a range of mandated matters, including a description of the breach, the kinds of information concerned and the steps affected individuals should take in response.

As soon as practicable after preparing the statement for the Commissioner, the organization must also take reasonable steps to notify the contents of the statement to either:

  • each individual to whom the information relates; or
  • if not all of those individuals are at risk from the breach, only those individuals who are at risk.

Are there any exceptions to the data breach notification requirements?

There are certain exceptions to the notification regime, including where an organization takes remedial action to address any unauthorized access to or disclosure of information, or loss of information, and:

  • in relation to unauthorized access or disclosure, the remedial action occurs before there is any serious harm to any of the individuals to whom the information relates, and as a result a reasonable person would conclude the access or disclosure would not be likely to result in serious harm to any of those individuals; or
  • in relation to loss of information, the remedial action occurs:

a) before there is any unauthorized access to or disclosure of the information, and as a result of the action there is no unauthorized access or disclosure; or

b) after there is unauthorized access to or disclosure of the information, but before the access or disclosure results in serious harm to any of the individuals to whom the information relates, and as a result a reasonable person would conclude the access or disclosure would not be likely to result in serious harm to any of those individuals.

Where the exception applies, the breach is not an eligible data breach and no statement or notification is required, so the speed with which an organization can contain a breach directly affects whether it must notify.

What happens if an organization does not comply with the requirements?

A failure to comply with the data breach notification requirements is taken to be an act that is “an interference with the privacy of an individual.” Section 13G of the Act provides that a civil penalty applies to serious or repeated interferences with the privacy of an individual. A maximum penalty of $360,000 for an individual and $1,800,000 for a body corporate currently applies for breach of this provision.

Conclusion

Organizations should review their policies and procedures regarding data breaches and prepare data breach response plans in line with the requirements of the Amending Act (if these are not in place already). The data breach response plans should set out how a suspected breach will be assessed, who decides whether it is an eligible data breach, and what remedial action can be taken quickly to prevent serious harm to any affected individuals.

Organizations that hold or share data in collaboration with other entities or service providers may wish to establish processes to enable a coordinated response to any data breach.

------------------------

Giovanni Marino is a senior solicitor with Health Legal, who prior to joining Health Legal, was a physiotherapist. This health background brings practical experience to Giovanni’s work as a lawyer. Giovanni provides a broad range of legal assistance to health care providers across Australia, including advice on their legal obligations (in areas such as medico-legal, privacy, and employment) and assistance with contract drafting and negotiations. More can be found at www.healthlegal.com.au.
