Changes to Australian privacy legislation in early 2018 has imposed mandatory reporting requirements on certain entities in relation to notifiable data breaches (NDB). The requirements apply to all entities with a turnover in excess of $3 million, and extends to include credit reporting agencies, health service providers in the public and private sector, and TFN recipients.

What is a notifiable data breach?

A data breach is ‘notifiable’ (or ‘eligible’, as referred in the legislation), when the following circumstances apply:

  • Unauthorised access to / unauthorised disclosure of, or a loss of personal information that an entity holds;
  • Such access, disclosure or loss has resulted / is likely to result in serious harm to the affected individual(s); and
  • The serious harm / risk of serious harm could not be prevented through remedial action (for example, immediately disabling a company smartphone via the central database after it was left on the train)

Examples of notifiable data breaches can include:

  • A company database containing personal client information is hacked
  • Sensitive or confidential information is accidentally sent to the wrong person or outside entity

Breaches should be reported to The Australian Government’s Office of the Australian Information Commissioner (OAIC) as soon as it is identified.

Any data breach relating to an individual’s TFN must also be reported.

Failure to report

A failure to report a notifiable data breach will be considered an interference with the privacy of an individual affected by the breach.

Under the Privacy Act, this means that a failure to notify affected individuals of an eligible data breach could be the subject of a complaint to the OAIC.

Serious or repeated interferences with the privacy of an individual can give rise to civil penalties of up to $2.1 million.

Protecting your business from data breaches

There are a number of ways businesses may mitigate the risk of data breaches:

Strengthen cybersecurity systems. Ensuring digital platforms are adequately protected from theft or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide is an essential practice for organisations of all sizes.

Increase data privacy / protection awareness and training within the organisation. Many large-scale data breaches reported to OAIC or ASIC began with simple human error, which could have been prevented through awareness of cybercrime, including hacking, phishing and email fraud techniques. Being able to identify potential risks and practising high levels of diligence and awareness when handling sensitive information are regarded as the most effective measures of protection against data privacy breaches within organisations.

Need help?

Please click here to submit an online enquiry form or call us on 1300 QUINNS (1300 784 667) or on +61 2 9223 9166 to arrange an appointment.