Notifiable Data Breaches: Consequences for Data Security

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (2016 Bill) was introduced in the Australian parliament on the 19 October 2016.

This Bill represents parliament’s third attempt at introducing mandatory breach notification law (MBNL), with both the Privacy Amendment (Privacy Alerts) Bill 2013 and the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (2015 Bill) failing to achieve this. Whilst the 2016 Bill is largely the same as the 2015 Bill, there are some notable changes.

What follows in an outline of the 2016 Bill, including who will be affected and how it may affect those falling under its coverage.

Who is affected by the 2016 Bill?

Firstly, for the 2016 Bill to apply, the affected entity must be considered an Australian Privacy Principle entity, that is, most Australian Government agencies and private sector organisations with an annual turnover of $3 million or above will be APP entities.

Secondly, the APP entity must be holding personal information, credit reporting information, credit eligibility information, or tax file number information, and be under the obligation to keep such information secure under the Privacy Act 1988 (Cth).

What duties arise for APP entities?

The key obligation arising for APP entities under the 2016 Bill is that an entity that is aware that there are reasonable grounds to believe that there has been an “eligible data breach”, the entity must, as soon as practically possible after becoming aware, prepare a statement setting out a number of matters, provide a copy of that statement to the Privacy Commissioner and:

  • If practicable, provide a copy to each individual who is at risk from the “eligible data breach”; or
  • If neither of those are practicable, publish a copy of the statement on the entity’s website and take reasonable steps to publicise the content of the statement.

Failure to comply with this obligation constitutes an interference with the privacy of an individual. The statement must contain the following:

  • The identity or contact details of the entity;
  • A description of the “eligible data breach”;
  • The kind of information concerned; and
  • Recommendations about the steps affected individuals should take in response to the breach.

What will be considered an “eligible data breach?”

The 2016 Bill determines that an “eligible data breach” will have occurred if there is either:

  • unauthorised access to, or disclosure of, the relevant information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
  • the relevant information is lost in circumstances where unauthorised access to or unauthorised disclosure of that information might occur, and if it did, a reasonable person would conclude that it would be likely to result in serious harm to any of the individuals to whom the information relates.

Therefore, a notification for an “eligible data breach” will be required where the data breach would “likely” result in serious harm. The explanatory memorandum of the 2016 Bill clarifies that the term “likely” in this context means more probable than not.

What if an APP entity is unsure of whether a breach is an “eligible data breach”?

Where an entity is aware that there are reasonable grounds to suspect that a data breach has occurred, but the entity is not sure yet as to whether such a breach amounts to an “eligible data breach”, the entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances of the suspected breach amount to an “eligible data breach”. The entity must complete this assessment within 30 days of becoming reasonably aware of the suspected data breach.

Required Actions

The introduction of the 2016 Bill will require that any suspected data breach be investigated to determine whether a data breach has in fact occurred and, if a reasonable person would consider that the security of personal information has been compromised, obliges the body that held the information to notify the Privacy Commissioner, all relevant data subjects or, if possible, only those likely to suffer serious harm, as soon as practicable.

MDBN links the real quality of data security with the customer’s assessment of the brand potentially impacting perceptions of reliability and trustworthiness. Whilst many organisations see data security as a cost to be minimised, the introduction of the MBNL significantly increases the importance of data security.


The 2016 Bill is expected to pass by the end of 2016, given MBNL has bipartisan support. However, the impact of the introduction of MBNL is yet to be seen. Some critics believe that the introduction of MBNL will encourage class action litigation against companies that suffer eligible data breaches. However, its operation in the European Union and 47 American states suggests that only a small number of notified data security breaches has led to class actions.

Corporate Lawyers Sydney at Pavuk Legal can assist you with understanding your obligations under the MBNL, ensuring your entities compliance with the legislation, and providing advice in relation to disputes that may arise as a result of an “eligible data breach”.

Many other essential hot topics for business owners is all found in the book Nobody Else’s Business. Nobody Else’s Business is about helping business owners live the life they want to live, now and in the future. It is the ultimate guidebook for succession planning of modern Australian businesses.

To purchase your own copy of Nobody Else’s Business please follow the link

For the full range of Legal Services that Pavuk Legal offers please go to:

Book now