Mandatory data breach notification laws to take effect by 23 February 2018

Dr Irving Hofman

Take notice! You'll soon have to inform the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of a relevant data breach.

There are risks and costs to a program of action, but they are far less than the long range cost of comfortable inaction — John F. Kennedy

The new mandatory data breach laws require organisations to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an "eligible data breach". This ensures that affected individuals can take remedial steps in the event that their personal information is compromised.

If you haven't already taken steps to ensure that your IT systems meet the new obligations, then you need to act now!

Sources for information on this blog are the OAIC website and also the Clayton Utz lawyers website.

When does the notification obligation arise?

If you have reasonable grounds to believe that an eligible data breach has occurred, you will need to notify the OAIC and the affected individuals as soon as practicable. According to the OAIC:

  • a data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure. Personal information can include tax file number information, credit reporting information, medical details, eligibility information and personal details;
  • an eligible data breach arises where a reasonable person would conclude that the unauthorised access or unauthorised disclosure is likely to result in serious harm to any of the affected individuals;
  • serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and
  • serious harm will be likely if such harm is "more probable than not" having regard to a list of relevant matters. The matters include the sensitivity of the information, any security measures taken (such as encryption) and how easily those security measures could be overcome (for example, if the encryption key has also been accessed).

If an organisation only has reasonable grounds to suspect that an eligible data breach has occurred, the notification obligation does not yet arise. However, the new legislation requires the organisation to carry out a "reasonable and expeditious" assessment of the relevant circumstances within 30 days, and to notify if that assessment establishes that an eligible data breach has occurred.

There is quite a legal aspect to all this and I can see the lawyers having a field day with this new legislation. It's much better to take action and have systems in place to prevent a data breach in the first place.

Exceptions to the data breach notification requirement

Notification will not need to be given if the organisation takes remedial action before any serious harm is caused by the breach, such that a reasonable person would conclude the access or disclosure is no longer likely to result in serious harm to any affected individual.

Importantly, the ability of an organisation to detect a data breach at the first available opportunity and take action in respect of it will be a function of the organisation's preparedness for such an occurrence. If you don't have IT systems in place that can detect a breach, then you need to act now.

A failure to comply with the notification obligations will fall under the Privacy Act's existing enforcement and civil penalty framework. Accordingly, organisations may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties. For a body corporate, these penalties can be up to $2,100,000.

What should you do?

You must prepare for the new mandatory data breach notification laws. A suggested course of action is:

  • Audit your current information security systems, processes and procedures to ensure they are adequate. Prevention is much more palatable than the cure.
  • Prepare a data breach response plan (or update your current plan) so as to enable your organisation to respond quickly, efficiently and lawfully to an actual or suspected data breach.
  • Implement a 'shield first, then remediate' approach to mitigate the risk of data breaches occurring in the first place.

In order to be properly prepared, you will need to have in place detailed policies and procedures which outline the steps to take in response to a serious data breach. It doesn't matter whether a breach has occurred as a result of inadvertence on the part of the organisation and its employees (e.g. as a result of personal information being lost) or following a co-ordinated attack by hackers.

For further information refer here:

Contact Exigence to organise your Cyber Security Health Check