February 2, 2018


Upcoming Changes to Australian Privacy Laws – Is your business ready?

· · ·

22 February 2018 will see the introduction of the Privacy Amendment (Notifiable Data Breaches) Act 2017. The legislation introduces a new mandatory reporting scheme for organisations that are affected by a data breach.

In today’s hi-tech environment, the storage and management of private information about customers and employees is often overlooked by busy owners and managers. Entering data into software programs or up into the cloud is standard business practice, but have you considered your legal obligations relating to access to that data?

Data breaches occur in a number of ways, and the Office of the Australian Information Commissioner (OAIC) has provided some examples of a data breach, which include:

  • lost or stolen laptops, removable storage devices, or paper records containing personal information;
  • hard disk drives and other digital storage media (integrated in other devices, for example, multi-function printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased;
  • databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation;
  • employees accessing or disclosing personal information outside the requirements or authorisation of their employment;
  • paper records stolen from insecure recycling or garbage bins;
  • an agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address; and
  • an individual deceiving an agency or organisation into improperly releasing the personal information of another person.

If your business information is accessed by professionals in eastern Europe or pizza-eating teenagers for a laugh, then you may be required to disclose that event, even if it impacts on your business reputation.

If organisations fail to comply with notification requirements under the new scheme, this will be a breach of the Privacy Act. If the failure to comply is ‘serious or repeated’, penalties of up to $2.1 million ($420,000 for individuals) may apply.

Australian Privacy Principle 11 requires organisations to take “reasonable steps” to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Reasonable steps in these circumstances would include developing a data breach response plan.

If you are not sure whether your business is affected by the Privacy Act, then work through the checklist on the OAIC’s website https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-10 or call your lawyer for more information.

If you would like any more information about how these changes may affect you, please do not hesitate to contact Mbt Lawyers.

You’re in expert hands!

02 6648 7600