The Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 is set to come into force this year. Australia’s small and large businesses should now review their policies for both data protection and reporting data breaches as they arise. The government is accepting comment on the Bill until the 4th March 2016.

Cybercrime financially impacts Australia’s economy, with estimated self-reported losses totalling $234 million. However, the rationale for data breach notification laws is not simply financial; it also includes:

  • The ability to access personal information online and commit identity fraud means that this information should be better protected.
  • Individuals are notified about breaches so they can also take action to protect their personal information.
  • This notification system and penalties for non-reporting aim to incentivise reporting and encourage businesses to reduce breaches.

Do the Data Breach Notification Laws Apply to Everyone?

The new data breach notification laws don’t apply to every Australian business, but they do apply to any business that is required to comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Privacy Principles.

This includes businesses that have a turnover of more than $3 million and businesses that use personal information for certain purposes. You can read more about whether you are required to comply with the Privacy Principles in our article, ‘Am I legally required to have a privacy policy?’

What Do the Laws Mean for my Business?

The new laws will introduce reporting obligations around a data breach. Currently, businesses required to comply with the Privacy Act must meet certain requirements around storing and protecting data but are not obligated to report a breach. Under the new legislation, you are required to report a breach where there is a real risk of serious harm to an individual. This allows the affected individual to take the appropriate steps to protect their data, for example, cancelling their credit card. Including the threshold of serious harm should reduce the number of reports and notifications required. However, businesses will need to ensure that they are equipped to make such assessments.

What Processes Should I Put in Place?

Businesses that must comply will be required to implement several procedures to notify their customers of each serious breach. The Bill provides a twelve-month grace period so companies have enough time to respond. Some of the changes you may need to consider include:

  • Increasing technical support and investigation teams to identify the individuals affected by a potential breach;
  • Training staff as to the notification procedure and the format required under the Bill;
  • Having a system in place to notify individuals and field complaints or questions if a breach that requires notification occurs; and
  • Reviewing your current systems to ensure that you have identified any weaknesses in your current security and data systems.

Businesses have 30 days to assess whether a breach has occurred which would lead to a serious risk. A serious data breach relates to personal, credit reporting, credit eligibility and tax file number information. The Bill will provide guidance as to what factors businesses need to consider in making this decision.

Key Takeaways

Companies, particularly those with a large online presence, or businesses that collect significant amounts of personal data online, should review and update their systems now. If you have specific concerns, you should also consider submitting your comments on the Bill.

Questions about the Privacy Act, cyber laws or protecting your business? Ask our IT lawyers on 1300 544 755.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Edith Moss
