Data Breach Bill Passes the Senate

Table of Contents

Share at:

Early this week the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth). The key amendment is the introduction of a mandatory data breach notification scheme, which will make it a legal requirement for entities regulated under the Privacy Act 1988 (Cth) to provide notice to regulators and customers affected by a data breach.

These laws will come into effect within the next 12 months. This is an opportune time for businesses to update their current security measures and privacy policy.

What is a notifiable breach?

Not every data breach will require notice. A breach will need to be reported by an organisation if it qualifies as an eligible data breach. An eligible data breach will occur when the following conditions are satisfied:

  1. That there is unauthorised access to or disclosure of information, or in circumstances that information is lost (and these actions are likely to occur); and
  2. A reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom that information relates.

Only data breaches likely to result in serious harm are required to be reported. Serious harm is not defined, however there is a list of relevant matters that organisations will need to consider when determining whether access or disclosure would be likely or not likely to result in serious harm. These include the sensitivity of the information, how the information is protected and the type of person that has obtained the information.

How will these changes affect businesses?

All entities regulated by the Privacy Act 1988 (Cth) will be legally required to notify the Australian Information Commissioner and those affected by a data breach. Entities subject to this new scheme include Australian Government agencies, not-for-profit organisations and businesses with an annual turnover of over $3 million. The Act also applies to some small businesses with an annual turnover of less than $3 million, such as:

  • Private Sector Health Service Providers (including gyms, weight loss clinics and alternative medicine practices);
  • Business that sell or purchase personal information;
  • Credit Reporting Bodies; and
  • Businesses that have chosen to opt-in to the Privacy Act

If your business is regulated by the Act and an eligible data breach has occurred the Australian Information Commissioner and those affected must be notified.

What happens if a business does not comply?

If an organisation fails to report on an eligible data breach it would be ‘deemed to be an interference with the privacy of an individual’. Serious or repeated interferences may result in a civil penalty of up to $360,000 for individuals and in the case of corporations up to $1,800,000.

Final Thoughts

Privacy and the protection of sensitive information is paramount. This amendment is an opportunity for businesses to evaluate and update their current security practices. To reassure your customers that their privacy will be protected while on your website, create a Privacy Policy for FREE.

Let us know your thoughts on the latest privacy data scare by tagging us #lawpath or @lawpath.

Share at:

Simplify creating legal documents today

Browse through Lawpath's AI tools which can be used to draft, review and refine legal documents today!

Related Articles

What Is An Employment Separation Certificate?

If you want to apply for unemployment benefits, you may need an Employment Separation Certificate. This article explains what they are.

OHS vs WHS: What’s The Difference?

Is there a difference between OHS vs WHS? Read this article to find out the difference and what these terms mean.

How to Transfer a Trademark: Trademark Assignment

Trademark owners may transfer the rights to use their trademark through licensing or full assignment. Find out more in this article.

Understanding Late Payment of Superannuation: A Guide for Employers

Understand your obligations for late superannuation payments. Learn about SGC statements, ATO requirements, penalties, and upcoming Payday Super rules.

Unlocking Small Business Superannuation Tax Deduction Strategies for 2026

Maximise your small business superannuation tax deduction in 2026. Learn how to claim contributions, manage SG compliance, and prepare for Payday Super.

Resigning During Probation: How Much Notice? (2026 Update)

Resigning during probation in Australia? Find out your legal notice period obligations for full-time, part-time, and casual employees to avoid pay issues.