Print this page
22 February 2017 Posted by 


Onus is on business to report
By Troy Park

ON February 13, the Australian Senate passed new laws that will require businesses who are covered by the Privacy Act (1988) - APP Entities - to notify the Privacy Commissioner and their customers if they have experienced a data breach.

The Australian Privacy Act will be amended to reflect these new laws.

However, for businesses covered by the requirements of the Privacy Act the most important question is - what does the Privacy Amendment (Notifiable Data Breaches) Bill 2016 mean for me?

In short, the new laws mean businesses that identify or reasonably suspect they have been unlawfully breached or have lost private data are legally required to report the incident to the Office of the Australian Information Commissioner (OAIC).

In addition, the compromised business may be required to formally notify affected customers through a statement (or other communication such as a phone call, email etc) that outlines the description and nature of the data breach, the type of information affected, and how customers should respond to, and remediate, the effects of the breach.

If this notification has not been completed within a reasonable time period, the law also gives the Privacy Commissioner the ability to direct a business to issue such a statement.

What constitutes a data breach?

The passed legislation considers an eligible data breach to have occurred when there is unauthorised access, disclosure or loss of customer information which generates a real risk of serious harm to the individuals concerned.

Serious harm could include physical, psychological, emotional, economic or financial harm, as well as harm to reputation.

This can occur via a malicious online attack (cyber security incident) be human based (documents accessed without permission by a third-party) or through loss or mishandling of private data (lost hard drive or computer, and hard copy documents in the rubbish).

Such information includes personal details, credit reporting information, health information, and tax file numbers.

These amendments have been several years in the making and will be well received by members of the public who are becoming increasingly concerned about their privacy and expect that companies that hold their personal information are taking adequate measures to ensure its security.

Moreover, mandatory notification will now give affected individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information - such as cancelling of credit cards, changing passwords and closer scrutiny of bank statements for fraudulent transactions.

The new laws and associated amendments to the Privacy Act are expected to be fully in-place in 12 months’ time, following official Royal Assent.

In a statement,  the Privacy Commissioner outlined that leading up to this date, his office will provide guidance on the changes through the OAIC website and specially hosted information events around Australia.

In the meantime, the Commissioner recommends that businesses continue to take reasonable steps to protect stored data through guidance provided within the OAIC’s Data breach notification - a guide to handling personal information security and Guide to developing a data breach response plan. These documents can be found on the OAIC’s website:

Troy Park is principal at




Michael Walls
0407 783 413