An introduction to Australia's new mandatory data breach law

Australia's Data Breach Law

Australia has moved to further strengthen its existing privacy laws after legislation was passed through federal parliament that establishes a scheme for the mandatory notification of data breaches.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed through the upper house of federal parliament on February 13, 2017 and is waiting to receive royal assent, a formality of the Australian political system, before it can officially commence.

What does the new law mean?

The new legislation makes amendments to the existing Privacy Act and mandates that certain organisations must notify the Australian Information Commissioner in addition to the affected individuals when an eligible data breach has occurred.

When the new scheme is officially signed into law by Australia’s Governor-General, it will replace the existing system that allows organisations to voluntarily notify and report on data breaches without legally obliging them to do so.

Who must comply with the new law?

The new mandatory data breach law applies to organisations that are subject to the Privacy Act 1988. Therefore, it does not apply to registered political parties, local councils, state and territory governments or organisations with an annual turnover of less than $3 million.

In addition, any organisation that provides a health service, holds health information, trades in personal information or provides contracted services to the Commonwealth Government of Australia is subject to the new data breach regulations, regardless of its annual turnover.

Analysis from the Australian Bureau of Statistics indicates that only around 6% of Australian organisations (based on their annual turnover) are subject to the Privacy Act and subsequently to the new data breach amendments (Australian Parliamentary Library Bills Digest No.52 2016-17).

What is an "eligible" data breach?

An eligible data breach can be classified as the unauthorised access, unauthorised disclosure or loss of any personal, credit reporting, credit eligibility or tax file number information held by an organisation. The breach must also result in serious harm to any of the individuals to whom the information relates for it to be considered eligible.

The new amendments also provide an avenue for an organisation to take remedial action that prevents any serious harm to the individuals affected by a breach. In such cases, subject to a reasonable person test, the organisation may become exempt from its breach notification obligations.

What are the notification requirements for an eligible breach?

Should an organisation have reasonable grounds to believe an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment within 30 days. Should the access, disclosure or loss constitute an eligible data breach, the organisation must prepare a statement describing the breach in detail, including recommendations about the steps that affected individuals should take in response.

A copy of the statement needs to be provided to the Australian Information Commissioner and to every individual who is at risk from the breach as soon as practicably possible.

Penalties for non-compliance

Where organisations fail to adhere to their notification obligations relating to an eligible data breach, they will be deemed to be interfering with the privacy of an individual and consequently subject to civil penalties. These include a maximum penalty of $360,000 for individuals and $1.8 million for bodies corporate.

Further Information

This article provides general information for individuals and organisations relating to Australia's new mandatory data breach law. For more specific information or to discuss how the new law will affect your business please contact us or email us directly at