Australia: Australia's New Mandatory Data Breach Notification Regime: How To Prepare Your Business

Last Updated: 8 November 2017
Article by Dean Carrigan and Ben Di Marco

In February 2017, the Australian Federal Parliament passed legislation to amend Australia's privacy law to introduce a mandatory data breach notification regime. The new regime, once implemented, will require agencies and organisations subject to Australia's Privacy Act 1988 (Cth) to notify data subjects and regulators in the event of an eligible data breach.

Mandatory notification laws have had significant repercussions in other global jurisdictions, introducing previously unheard of costs and consequences for companies when security events occur. With a more open and transparent approach to laws governing the handling of data comes an increased expectation from consumers and stakeholders as to the handling and security of data. In other jurisdictions, mandatory notification has resulted over time in more regulatory investigations, complaints and litigation brought by consumers and stakeholders.

Christina Terplan (Partner, Clyde & Co San Francisco) notes that the passage of the first breach notification law in the United States in 2003 had an immediate impact on a company's exposure after a security event. Suddenly, companies had to formally investigate potential security events under strict deadlines and publicly disclose these events if they impacted personally identifiable information.  As you can imagine, it did not take very long for the plaintiff attorneys to begin filing class action lawsuits against companies after they disclosed a breach event.  In addition, within a few years, regulators began actively investigating breach events.  Interestingly, many of the lawsuits and regulatory investigations focus on how the company responded to the breach event, contending that the company did not have a proper plan in place and/or did not notify the public of the incident quickly enough, rather than on how the breach occurred.

Australia's new regime will take effect from 23 February 2018 (or an earlier date as chosen by the Minister), but smart businesses are preparing now. Mandatory notification laws require organisations to carefully consider the practical issues that arise in responding to a data breach, and the unique crisis management challenges that these events can cause. They require close coordination between an organisation's management, risk and IT teams, as well as the internal and external legal and communications teams, to effectively and efficiently investigate, triage and manage the breach.

This article looks briefly at the new laws, and the key first steps an organisation should take in addressing these new challenges. Over the coming year, we will look more closely at different aspects of the new laws and as to how organisations can work to ensure compliance.

The new laws at a glance

By way of short summary, the key points to note from the new laws are as follows:

  • The notification regime will apply to all organisations which are APP entities under the Privacy Act 1988 (Cth)1 as well as other entities including credit providers, credit reporting bodies and file number recipients.
  • The trigger for notification to the Office of the Australian Information Commissioner (OAIC) is an "eligible data breach" which means a breach where:

    • there is unauthorised access to, or unauthorised disclosure of, information; or
    • information is lost in circumstances where unauthorised access or disclosure is likely to occur; and
    • a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any individuals to which the information relates.
  • "Harm" can include physical, psychological, emotional, and financial harm.
  • Factors to be considered in determining whether a breach is likely to result in serious harm include the kind and sensitivity of the information, the security measures in place to protect the information and who is likely to have obtained the information.
  • If an entity is unsure whether an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment and take no longer than 30 days to make this determination.
  • Once it has been confirmed that an eligible data breach has occurred, an entity must:

    • prepare a prescribed statement and provide a copy to the OAIC as soon as practicable after becoming aware of the occurence of an eligible data breach; and
    • if it is practicable to do so, take reasonable steps to notify the contents of the statement to individuals to whom the information relates, or to those at risk from the eligible data breach.  If neither option applies, the statement should be published on the organisation's website and reasonable steps taken to publicise the contents of the statement. This must be done as soon as practicable following completion of the statement.
  • There are a number of exceptions to the notification laws, which apply in particular circumstances.  These exceptions include: where remedial action is taken before harm is caused; where a data breach impacts multiple entities; where the breach is notifiable under section 75 of the My Health Records Act 2012 (Cth); where notification may prejudice enforcement related activities; or where notification is inconsistent with Government secrecy provisions.
  • Failure to comply with the notification regime is considered an "interference with the privacy of an individual" under the Privacy Act 1988 (Cth) which can currently result in fines of up to AUD 1.8 million.

This "serious harm" requirement is intended to avoid the problem of excessive notifications which could arguably place an unreasonable compliance burden on regulated entities and contribute to notification fatigue. Assessing whether serious harm is likely to result from a breach will be a key challenge for organisations under the legislation and will require entities to quickly determine the scale and type of records compromised by a security incident, to identify all of the actors who were involved in the incident, and to understand and assess how the personal information that has been compromised could be misused; for example to commit financial fraud, identity fraud, or cause harm to individuals.

Similarly, assessing what a "reasonable person" would conclude, as to whether serious harm is "likely" will be a challenge for businesses, particularly in a breach scenario where time will be of the essence.

The OAIC is expected to release, later this year, guidance for the industry as to the various concepts and trigger tests under the new laws, and we will provide additional guidance on these and other issues later in the year.  

Where to start and how to prepare

1. Know your data

Effective data management requires knowledge as to what data is captured and held within an organisation. In an age where data regularly sits across a number of systems, platforms and mediums, it is an essential first step to consider what data you capture and hold and as to what your legal and regulatory obligations are relating to that data.

So, consider the data you collect and as to who it relates to. Where does the data sit in your organisation, and how it is managed – who is responsible for its collection, storage, security and destruction?  What information might sit on systems? Do you need the data to be held in fully identifiable form or can it be destroyed or deidentified?  Data is no different to any other asset which must be considered, audited and assessed so as to set out an effective management strategy.

2. Incident response plan

Key to the effective management of any incident is an incident response plan. Even before the introduction of the mandatory notification regime, the OAIC expected to see a pre-prepared and considered plan being used in the management of a data breach.

The new regime in Australia requires swift action to be taken to determine if an incident is an eligible data breach and, if so, what notification to regulators and other parties is required. Now, with a 30 day timeframe within which to assess whether an incident is an 'eligible data breach', the need for an efficient plan is all the more apparent.

An effective plan should form part of an organisation's broader data management and governance plan, and should set out how an organisation will respond to a breach including, at a minimum:

  1. How incidents are identified – who has oversight over the coalface, and how are incidents reported internally?
  2. How the response team is determined and called – who plays a part in the response team and do they know their role?
  3. How incidents are to be assessed as 'eligible data breaches' – who takes charge and how do the various internal stakeholders (legal, risk, IT, communications etc) work together to assess and consider the risk of harm?
  4. How cyber insurance will support the organisation's incident response (including the way notifications are to be made under the policy) and the process for providing breach response services included in the cover?
  5. How third party experts are engaged – what external experts are required and are they on call?
  6. How the investigation is documented – who is recording the steps taken and compiling a report, and does it need to be privileged? Click here to view our recent article on preserving privilege.
  7. How the plan is tested – who is responsible for ongoing monitoring, testing and auditing of the plan?

3. Staff awareness and training

Regular staff training is a key strategy organisations have adopted to minimise the risk of data breaches. Training should provide an overview of the risks associated with handling particular data sets, including the damage that may be caused due to any mishandling of that data, and the key steps in an organisation's incident response plan that are relevant to the staff member.

Training will vary dependent on seniority and roles within an organisation – but all levels, from those customer facing staff through to the board of directors, should be aware of the changing regime and the need to be alert to data incidents and data breaches on an ongoing basis.


1 By the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions