Overview
The mandatory data breach notification regime applies to the following bodies (s 26WE, the Act):
- APP entities;
- credit reporting bodies;
- credit providers; and
- file number recipients.
The regime will also apply to the above entities where they have disclosed information to an overseas recipient, or a body or person with no Australian link, as if they themselves held the information.
However, notification of a breach is not required under the regime where that breach is required to be notified under the My Health Records Act 2012 (Cth).
A data breach will become notifiable if it is an “eligible data breach”.
An eligible data breach will occur where:
- there is unauthorised access to or disclosure of information; or
- information is lost where
Notification to both the Privacy Commissioner and affected individuals will be required when an entity becomes aware that there are reasonable grounds to believe an eligible data breach has occurred.
However, notification is not required, or only required in a limited manner, even if an entity has experienced an eligible data breach where:
- the eligible data breach is an eligible data breach of another entity who has already fulfilled notification obligations under this regime;
- notification would be inconsistent with a secrecy provision;
- the Privacy Commissioner has given a declaration that no notification is required in regard to the eligible data breach; or
- notification would be likely to prejudice enforcement-related activities.
An entity is required to prepare a statement notifying the Privacy
If the Privacy Commissioner is aware that there are reasonable grounds to believe an entity has experienced an eligible data breach, the Privacy Commissioner may direct the entity to prepare a notification statement. An entity must comply with this direction as soon as practicable.
However, the Privacy Commissioner must first invite the entity to make a submission in relation to the direction. The Privacy Commissioner will consider the contents of this submission, along with other relevant advice given by third parties and any other such relevant matters, before deciding whether to give a direction to notify.
The notification statement required to be produced under the direction will need to be provided to the Privacy Commissioner and affected individuals.
The Privacy Commissioner’s decision to
Consequences of failing to comply with the data breach notification regime
When negotiating and drafting contracts with partner organisations or entities, an entity should ensure it adequately negotiates and drafts data breach notification obligations. One important consideration is determining which entity will notify the Privacy Commissioner and affected individuals in the event that an eligible data breach affects multiple entities.
Entities should ensure that all personnel adequately understand any contractual obligations that may arise from commercial contracts if a data breach occurs.
There are various obligations under corporations law that may arise in the context of cybersecurity and data breaches. Directors and officers have a duty of care and diligence which extends to understanding their company's cybersecurity strategy and obligations under privacy law. In addition, listed
Guidance
Identifying whether the data breach notification regime applies to you
APP entities, credit reporting bodies, credit providers and file number recipients | Where information is disclosed to overseas recipient | Exception under the My Health Records Act 2012 (Cth)
Identifying whether the data breach is notifiable
When is a data breach notifiable? | Eligible data breach | When an eligible data breach is suspected but not confirmed
Taking remedial action to prevent an eligible data breach
Remedial action to prevent an eligible data breach | Remedial action taken only for particular individuals
The types of data breaches being reported
Checklists
Data security - Checklist for De-identification of personal information
A. Mitchell, Unisys
Checklist for Complying with both the Privacy Act and the GDPR
S. Sharma, S. Field and B. Tomlinson, Maddocks
Privacy - Checklist for Privacy policy
S. Sharma, Special Counsel, Maddocks
Cybersecurity strategy - Checklist for Overall cybersecurity strategy
P. Fair and S. Lee, Baker McKenzie
Data security - Checklist for Data security audit plan
A. Mitchell, Unisys
Workflow Checklist: Exceptions to notification obligations
D. Kneller, Madgwicks Lawyers
Data Breach Assessment Guideline
P. Fair and S. Lee, Baker McKenzie
Checklist for Ensuring data protection compliance
P. Fair and S. Lee, Baker McKenzie
Privacy - Internal privacy guidelines for staff
S. Sharma, Special Counsel, Maddocks
Cybersecurity strategy - Checklist for remote working
LexisNexis Legal Writer Team
EU General Data Protection Regulation (GDPR) - Compliance checklist
S. Sharma, S. Field and B. Tomlinson, Maddocks
Checklist for computer and device use
P. Fair and S. Lee, Baker McKenzie
Checklist for Transfers of personal data outside the European Economic Area
S. Sharma, S. Field and B. Tomlinson, Maddocks
Checklist for Data breach response guideline
P. Fair and S. Lee, Baker McKenzie
Privacy - Checklist for direct marketing
S. Sharma and E. Lau, Maddocks
Workflow Checklist: Identifying when a data breach is notifiable
D. Kneller, Madgwicks Lawyers
Data security - Checklist for Disaster recovery planning
A. Mitchell, Unisys
Workflow Checklist: Assessing a suspected data breach
D. Kneller, Madgwicks Lawyers
Checklist for Staff training on data protection compliance
P. Fair and S. Lee, Baker McKenzie
EU general data protection regulation (GDPR) - Checklist for controller versus processor
S. Sharma, Special Counsel and B. Tomlinson, Partner, Maddocks
Threshold compliance checklist - GDPR and the Privacy Act
S. Sharma, S. Field and B. Tomlinson, Maddocks
Privacy by design - practical checklist
S. Sharma, Maddocks
Workflow Checklist: Content of notification
D. Kneller, Madgwicks Lawyers

Legislation

- Identifying whether the data breach notification regime applies to you
- Identifying whether the data breach is notifiable
- Identifying when notification is required
- Notifying other persons
- Receiving a direction to notify from the Privacy Commissioner
- Enforcement and penalties under the Privacy Act 1988 (Cth)
- Obligations under corporations law