17 February, 2017
Once commenced, the new legislation will require regulated entities to notify affected individuals and the OAIC of data breaches likely to result in serious harm.
The amendments will commence either 12 months after the date of Assent or an earlier date fixed by proclamation. The Bill has not yet been assented to, and no date has yet been fixed.
What you need to know
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed on 13 February 2017 and is now awaiting Royal Assent. The amendments which are set to be enacted by the new legislation are set out in Schedule 1 and will commence either 12 months from the date of Assent or on an earlier date to be fixed by Proclamation.
Once commenced, the new legislation will require entities regulated under the Privacy Act 1988 (Cth) (Privacy Act) to notify affected individuals and the OAIC of data breaches that are likely to result in serious harm.
Organisations should ensure they have appropriate response plans that can be readily applied to comply with these new obligations in the event of an eligible data breach.
What you need to do
Organisations which carry on business in Australia, or which are otherwise bound by the Privacy Act, should take steps promptly to ensure that they are in a position to comply with the Bill when it commences.
This is important in order to minimise the risk of data breach liability more generally. Such liability can arise under the laws of negligence, contract, confidentiality and under existing Privacy laws.
What counts as an eligible data breach?
An eligible data breach will occur where (s 26WE):
- there is unauthorised access to or disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom that information relates; or
- information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any of the individuals to whom that information relates.
Whether a reasonable person would conclude that an individual was likely to suffer serious harm as a result of the breach depends upon a broad range of factors, including the nature and sensitivity of the information and the level of protection applied to it (s 26WG).
What are affected entities required to do?
The new legislation places various obligations on entities in response to an eligible breach.
These include:
- Assessing whether there are reasonable grounds to believe an eligible data breach has occurred within 30 days of developing a suspicion of such a breach (s 26WH);
- Once an entity has reasonable grounds to believe there has been an eligible data breach, preparing a statement setting out the contact details of the entity, the nature of the breach and steps it recommends affected individuals take in response (s 26WK). A copy must also be provided to the OAIC; and
- Taking such steps as are reasonable in the circumstances to notify affected and at risk individuals of the contents of the statement as soon as is practicable. If direct notification is not practicable, the entity must publish the statement on its website and take reasonable steps to publicise its contents (s 26WL).
The OAIC may also direct an entity to notify affected individuals if it becomes aware that there are reasonable grounds to believe that the entity has suffered an eligible data breach (s 26WR).
What are the consequences of non-compliance?
If an entity fails to comply with the new legislation the consequences are, in effect, the same as if the entity had failed to comply with the Australian Privacy Principles. In summary, the main consequences are the risk of a determination to pay compensation (and court proceedings by the OAIC for the payment of compensation if the entity does not comply) and also the risk of paying civil penalties of an amount up to $1.8 million in the case of corporations.
For further information, please contact:
Tim Brookes, Partner, Ashurst
tim.brookes@ashurst.com