Mandatory Data Breach Notification Scheme

On 22 February 2017 the Privacy Amendment (Notifiable Data Breaches) Bill 2016 received Royal Assent, establishing a Mandatory Data Breach Notification Scheme in Australia.

Once the scheme takes effect in 2018 (no later than 22 February 2018, see the note on commencement below), organisations covered by the Privacy Act 1988 will be required to notify the Office of the Australian Information Commissioner, and any individuals affected, of a data breach that is likely to result in serious harm, termed an ‘eligible data breach’.

See https://www.legislation.gov.au/Details/C2017A00012 for the new Act, and http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r5747 for details of the Bill’s passage through Parliament.

CAUDIT recommends you liaise with your university’s legal counsel to confirm applicability to your institution.

Note: The date of effect is a date to be fixed by Proclamation. If the provisions do not commence within the period of 12 months beginning on the day the Act receives Royal Assent, they commence on the day after the end of that period. With Royal Assent on 22 February 2017, that 12-month period ends on 21 February 2018, so the scheme commences on 22 February 2018 at the latest.

The Bill contains one Schedule of amendments to the Privacy Act. The main amendment in Schedule 1 is item 3 which inserts a new Part IIIC, titled ‘Notification of eligible data breaches’. This new Part contains the substantive elements of the mandatory data breach notification provisions, which apply to entities that are regulated by the Privacy Act.

The new Part IIIC is divided into three Divisions. Broadly, the first Division sets out preliminary general matters including relevant definitions and application provisions, the second Division sets out when an ‘eligible data breach’ will have occurred and the third Division contains obligations for entities to notify that such a data breach has occurred, subject to certain exceptions.

The Privacy Act 1988 is available at https://www.legislation.gov.au/Details/C2016C00979

Links previously supplied to CAUDIT readers:

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed the Australian Parliament on 13 February 2017. This update from Hall & Wilcox sets out the key provisions of the Bill and the new mandatory data breach notification requirements: http://www.hallandwilcox.com.au/new-mandatory-data-breach-notification-legislation/