Data breaches and mandatory reporting laws - are you ready?

It’s Monday morning and you’ve just booted your computer to begin scrolling through all the emails that have arrived over the weekend. It’s then, with the caffeine from your second long black yet to kick in, that you open a rather concerning email; subject: Urgent – Potential Data Breach. Enter: sinking gut feeling.

One of your employees has discovered that their personal information, including their name, email address, next of kin, tax file number and superannuation account number, has been automatically forwarded to an external email account without their consent. The worst thing is, it doesn’t look like an isolated incident: multiple employee email accounts appear to have been compromised. In fact, over half of your staff have been affected. Evidently, you need to respond, and quickly. Are you ready to do so?

Let’s set the scene

If your business or not-for-profit organisation has an annual turnover of more than AU$3 million, you’re already required to secure the personal information of your employees under the Privacy Act 1988 (Cth) (Privacy Act).[1]

As of 22 February 2018 you also have a mandatory obligation to notify affected individuals and the Privacy Commissioner of eligible data breaches in accordance with Australia’s new Notifiable Data Breaches (NDB) scheme.

Firstly, what’s an eligible data breach, and why do you have a duty to report one?

Not all data breaches trigger reporting obligations. However, when you know there has been:

  • unauthorised access to, disclosure of, or loss of personal information you hold in your business; and
  • a ‘reasonable person’ would conclude that this is likely to result in serious harm to the individuals to whom the information relates; and
  • you’ve been unable to prevent the likely risk of serious harm through remedial action,

you must notify the Privacy Commissioner and all affected individuals as soon as practicable.

If it’s not clear whether the breach meets the above criteria, but you suspect an eligible data breach has occurred, you have 30 days to carry out a reasonable and expeditious assessment. If, during or after your assessment, you confirm an eligible data breach has occurred, you must comply with the notification requirements.

What’s the purpose of the NDB?

The scheme exists to ensure that affected individuals can take practical steps to reduce their risk of harm. This may involve simple measures such as changing their login or password details, or being alert to scams and identity fraud that use the exposed information.

The NDB scheme also enhances businesses’ accountability for privacy protection. You should already have an up-to-date privacy policy and collection statement outlining the management of your employees’ personal information. You should also ensure that all personal information is stored securely and that your employees understand their obligations in relation to the collection, use, storage and disclosure of personal information.

Are you ready?

What you also need to consider, if you haven’t already, is a data breach response plan.

In order to effectively and efficiently respond to an eligible data breach, you need a plan that:

  • explains what a data breach is;
  • outlines your business’ plan for containing, assessing and managing the breach;
  • sets out the roles and responsibilities of staff members when there’s a breach;
  • describes the actions your response team should take; and
  • clarifies your record-keeping and incident review plan.

Having this plan in place will enable you to respond quickly to an actual (or suspected) eligible data breach. This will substantially decrease its potential impact on the individuals involved, reduce the costs associated with addressing the breach, and limit any reputational damage that may occur as a result.

For more information about what to include in your data breach response plan, we suggest checking out the Office of the Australian Information Commissioner’s (OAIC) data breach preparation and response checklist.

Need help?

Don’t rest on your laurels. If you manage lots of personal information and don’t have a data breach response plan in place, or it’s not up to date, make it a priority. We can help you draft, develop and implement a plan that meets your obligations under the Privacy Act and addresses all of the relevant information. Simply call Martin on M: 0459 849 629 or email me at E: and we’ll be in touch.


[1] Private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number recipients are also subject to the Privacy Act.