Overview

The mandatory data breach notification regime applies to the following bodies (s 26WE, the Act):

  • APP entities;
  • credit reporting bodies;
  • credit providers; and
  • file number recipients.

The regime will also apply to the above entities where they have disclosed information to an overseas recipient, or a body or person with no Australian link, as if they themselves held the information.

However, notification of a breach is not required under the regime where that breach is required to be notified under the My Health Records Act 2012 (Cth).

A data breach will become notifiable if it is an “eligible data breach”.

An eligible data breach will occur where:

Notification to both the Privacy Commissioner and affected individuals will be required when an entity becomes aware that there are reasonable grounds to believe an eligible data breach has occurred.

However, notification is not required, or only required in a limited manner, even if an entity has experienced an eligible data breach where:

  • the eligible data breach is an eligible data breach of another entity who has already fulfilled notification obligations under this regime;
  • notification would be inconsistent with a secrecy provision;
  • the Privacy Commissioner has given a declaration that no notification is required in regard to the eligible data breach; or
  • notification would be likely to prejudice enforcement-related activities.

An entity is required to prepare a statement notifying the Privacy


If the Privacy Commissioner is aware that there are reasonable grounds to believe an entity has experienced an eligible data breach, the Privacy Commissioner may direct the entity to prepare a notification statement. An entity must comply with this direction as soon as practicable.

However, the Privacy Commissioner must first invite the entity to make a submission in relation to the direction. The Privacy Commissioner will consider the contents of this submission, along with any relevant advice given by third parties and any other relevant matters, before deciding whether to give a direction to notify.

The notification statement required to be produced under the direction will need to be provided to the Privacy Commissioner and affected individuals.

The Privacy Commissioner’s decision to


When negotiating and drafting contracts with partner organisations or entities, an entity should ensure it adequately negotiates and drafts data breach notification obligations. One important consideration is determining which entity will notify the Privacy Commissioner and affected individuals in the event that an eligible data breach affects multiple entities.

Entities should ensure that all personnel adequately understand any contractual obligations that may arise from commercial contracts if a data breach occurs.

There are various obligations under corporations law that may arise in the context of cybersecurity and data breaches. Directors and officers have a duty of care and diligence which extends to understanding their company's cybersecurity strategy and obligations under privacy law. In addition, listed


Guidance

Identifying whether the data breach notification regime applies to you

APP entities, credit reporting bodies, credit providers and file number recipients | Where information is disclosed to overseas recipient | Exception under the My Health Records Act 2012 (Cth)

Identifying whether the data breach is notifiable

When is a data breach notifiable? | Eligible data breach | When an eligible data breach is suspected but not confirmed

Taking remedial action to prevent an eligible data breach

Remedial action to prevent an eligible data breach | Remedial action taken only for particular individuals

The types of data breaches being reported

The types of data breaches being reported


Checklists

Checklist for Complying with both the Privacy Act and the GDPR

S. Sharma, S. Field and B. Tomlinson, Maddocks

Privacy - Checklist for Privacy policy

S. Sharma, Special Counsel, Maddocks

Data Breach Assessment Guideline

P. Fair and S. Lee, Baker McKenzie

Privacy - Internal privacy guidelines for staff

S. Sharma, Special Counsel, Maddocks

Checklist for Ensuring data protection compliance

P. Fair and S. Lee, Baker McKenzie

EU General Data Protection Regulation (GDPR) - Compliance checklist

S. Sharma, S. Field and B. Tomlinson, Maddocks

Checklist for computer and device use

P. Fair and S. Lee, Baker McKenzie

Checklist for Data breach response guideline

P. Fair and S. Lee, Baker McKenzie

Privacy - Checklist for direct marketing

S. Sharma and E. Lau, Maddocks

EU General Data Protection Regulation (GDPR) - Checklist for controller versus processor

S. Sharma, Special Counsel and B. Tomlinson, Partner, Maddocks

Threshold compliance checklist - GDPR and the Privacy Act

S. Sharma, S. Field and B. Tomlinson, Maddocks

Workflow Checklist: Content of notification

D. Kneller, Madgwicks Lawyers

Legislation

Forms and Precedents