LexisNexis Practical Guidance®

The mandatory data breach notification regime applies to the following bodies (s 26WE, the Act):

• APP entities;
• credit reporting bodies;
• credit provider; and
• file number recipients.

The regime will also apply to the above entities where they have disclosed information to an overseas recipient, or a body or person with no Australian link, as if they themselves held the information.

However, notification of a breach is not required under regime where that breach is required to be notified under the My Health Records Act 2012 (Cth).

A data breach will become notifiable if it is an “eligible data breach”.

An eligible data breach will occur where:

• there is unauthorised access to or disclosure of information; or
• information is lost where

  View all The data breach notification regime guidance

Notification to both the Privacy Commissioner and affected individuals will be required when an entity becomes aware that there are reasonable grounds to believe an eligible data breach has occurred.

However, notification is not required, or only required in a limited manner, even if an entity has experienced an eligible data breach where:

• the eligible data breach is an eligible data breach of another entity who has already fulfilled notification obligations under this regime;
• notification would be inconsistent with a secrecy provision;
• the Privacy Commissioner has given a declaration that no notification is required in regard to the eligible data breach; or
• notification would be likely to prejudice enforcement-related activities.

An entity is required to prepare a statement notifying the Privacy

View all Notifying of an eligible data breach guidance

If the Privacy Commissioner is aware that there are reasonable grounds to believe an entity has experienced an eligible data breach, the Privacy Commissioner may direct the entity to prepare a notification statement. An entity must comply with this direction as soon as practicable.

However, the Privacy Commissioner must first invite the entity to make a submission in relation to the direction. The Privacy Commissioner will consider the contents of this submission, along with other relevant advice given by third parties and any other such relevant matters, before deciding whether to give a direction to notify.

The notification statement required to be produced under the direction will need to be provided to the Privacy Commissioner and affected individuals.

The Privacy Commissioner’s decision to

View all Consequences of failing to comply with the data breach notification regime guidance

When negotiating and drafting contracts with partner organisations or entities, an entity should ensure it adequately negotiates and drafts data breach notification obligations. One important consideration is determining which entity will notify the Privacy Commissioner and affected individuals in the event an eligible data breach occurs to multiple entities.

Entities should ensure that all personnel adequately understand any contractual obligations that may arise from commercial contracts if a data breach occurs.

There are various obligations under corporations law that may arise in the context of cybersecurity and data breaches. Directors and officers have a duty of care and diligence which extends to understanding their company's cybersecurity strategy and obligations under privacy law. In addition, listed

View all Commercial considerations guidance