
Legislation Update: Data Breach Notification Laws

The Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 is set to come into force this year. Australia’s small and large businesses should now review their policies for both protecting data and reporting data breaches as they arise. The government is accepting comment on the Bill until 4 March 2016.

Cybercrime financially impacts Australia’s economy, with estimated self-reported losses totalling $234 million. However, the rationale for data breach notification laws is not simply financial; it also includes the following:

  • Because personal information can be accessed online and used to commit identity fraud, this information should be better protected.
  • Individuals are notified about breaches so they can also take action to protect their personal information.
  • This notification system and penalties for non-reporting aim to incentivise reporting and encourage businesses to reduce breaches.

Do the Data Breach Notification Laws Apply to Everyone?

The new data breach notification laws don’t apply to every Australian business, but they do apply to any business that is required to comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Privacy Principles.

This includes businesses that have a turnover of more than $3 million and businesses that use personal information for certain purposes. You can read more about whether you are required to comply with the Privacy Principles in our article, ‘Am I legally required to have a privacy policy?’

What Do the Laws Mean for my Business?

The new laws will introduce reporting obligations around a data breach. Currently, businesses required to comply with the Privacy Act must meet certain requirements around storing and protecting data but are not obligated to report a breach. Under the new legislation, you are required to report a breach where there is a real risk of serious harm to an individual. This allows the affected individual to then take the appropriate steps to protect their data, for example, cancelling their credit card. Including the threshold of serious harm should reduce the number of reports and notifications required. However, businesses will need to ensure that they are equipped to make such assessments.


What Processes Should I Put in Place?

Businesses that must comply will be required to implement several procedures to notify their customers of each serious breach. The Bill provides a twelve-month grace period so companies have enough time to respond. Some of the changes you may need to consider include:

  • Increasing technical support and investigation teams to identify the individuals affected by a potential breach;
  • Training staff as to the notification procedure and the format required under the Bill;
  • Having a system in place to notify individuals and field complaints or questions if a breach that requires notification occurs; and
  • Reviewing your current systems to ensure that you have identified any weaknesses in your current security and data systems.

Businesses have 30 days to assess whether a breach has occurred which would lead to a serious risk. A serious data breach relates to personal, credit reporting, credit eligibility and tax file number information. The Bill will provide guidance as to what factors businesses need to consider in making this decision.

Key Takeaways

Companies, particularly those with a large online presence, and businesses that collect significant amounts of personal data online should review and update their systems now. If you have specific concerns, you should also consider submitting your comments on the Bill.

***

Questions about the Privacy Act, cyber laws or protecting your business? Ask our IT lawyers on 1300 544 755.

Edith Moss