Australia’s Data Breach Law: Privacy Amendment (Notifiable Data Breaches) Bill 2016

I haven’t read the legislation but I believe that the OAIC should have the powers to investigate data breaches when these issues are raised. I had the experience of this not occurring last year. I definitely know there is something going on with my blog as a black post opened. I have posted a blog as I caught the box opening, act of god, it actually froze so I could screenshot it. I know people are viewing my emails and I am well aware that intelligence agencies do this with impunity. If you do not have the funds for cyber surveillance you are a sitting duck so to speak. There are criteria with this legislation of organisations earning $3 million and over.

At this point as I learn more about surveillance I have lost trust in government, institutions and intelligence agencies to protect the privacy of people. Anyone can stipulate POI (Person of Interest), not because of a crime but because they are becoming aware about corruption. Those who are corrupt will feel a threat, so what happens to the whistleblowers, who risk their lives for the public interest as they care about what happens to the public? I don’t think our privacy can be protected with cameras in lights out the front of houses, smart meters recording activity inside houses, smart TVs, internet surveillance when you are online, our identity linked to everything now. There is no privacy and as a citizen I am not in agreement with these intrusions without public consultations. I can understand a CCTV camera monitoring a factory but not in every public space. I am a peace educator, all you have to do is spend money and build a culture of peace. This appears to be something that no-one considers as they do not believe peace is security, when that is why they spend lots of money, to gain peace of mind. What about peace of heart? Peace as a way of life. When peace is the predominant way of being, there will never be a privacy breach as people respect another’s privacy. They would speak directly to people if there is a problem and learn to work together. What I see is escalating fear, escalating costs, escalating paranoia because fundamental questions are not asked and the same mindset keeps believing the world is unsafe, when it can be rendered safe by educating in fearlessness, values, courage, truth telling, integrity and compassion. I can say these words but I am sure many who read them do not understand the unifying principles in truth. They would see peacenik, idealist, dreamer when I am a practical person who has researched peace for over 20 years. I am an economist and familiar with markets and profit incentives.
As a market analyst, I understand why people are breaching privacy for advantage over another rather than fair competition. It is for many about winning as the only option. I put to them: what if winning is losing? What if fairness and honesty are the only roundtable worth sitting at?

Here is the legislation:

Mandatory data breach notification

13 February 2017

Statement from Australian Privacy and Information Commissioner, Timothy Pilgrim

I welcome the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which establishes a mandatory data breach notification scheme in Australia.

I look forward to working with government, business and consumer groups during transition to this new scheme, which will help protect the privacy rights of individuals, and strengthen community trust in businesses and agencies.

This amendment will require government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that is likely to result in serious harm. My office will be advised of these breaches, and can determine if further action is required. The law also gives me the ability to direct an agency or business to notify individuals about a serious data breach.

The new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement. This will include providing additional guidance over the next 12 months, and events hosted through the OAIC’s Privacy Professionals Network.

In the meantime, agencies and businesses should continue to take reasonable steps to make sure personal information is held securely – including being equipped with a clear response plan in the event of a data breach.

The OAIC’s Data breach notification — a guide to handling personal information security and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the mandatory notification scheme. The OAIC also has a comprehensive Guide to securing personal information.

Timothy Pilgrim PSM
Australian Privacy and Information Commissioner


In 2015–16, the Office of the Australian Information Commissioner received 107 voluntary data breach notifications. The top five sectors during the year were:

  1. Australian Government
  2. finance (including superannuation)
  3. health service providers
  4. retail
  5. online services.

New Australian mandatory data breach laws


Published on February 16, 2018 by Mathisha Panagod

Data breaches are commonplace in an increasingly digital world. New laws are set to come into effect this month that will require thousands of Australian companies to notify individuals and the Government if they believe a data breach has occurred within their IT systems causing personal information to be compromised.

Recent high profile data breaches include Uber’s debacle with the personal information of reportedly 57 million Uber customers and drivers stolen along with Uber’s failure to disclose this massive breach for over a year, and the 2016 admission by the Red Cross that the personal data of over half a million Australian blood donors may have been compromised. These new laws are overdue and much needed to equip individuals with greater certainty in relation to the security of their personal information.

What is it?

Australia’s new mandatory data breach reporting laws come into effect on 22 February 2018. Known as the Notifiable Data Breaches (NDB) scheme, the new legislation will be contained within Part IIIC of the Privacy Act 1988 and largely mirror similar laws introduced in other countries including the USA.

Who does it apply to?

Any agency or organisation already subject to the Privacy Act (known as an APP entity). This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of at least $3 million, health service providers and more. Generally small business operators (including sole traders and unincorporated associations) with an annual turnover under $3 million will not be subject to the NDB scheme’s obligations.

What are the new obligations?

If the organisation incurs an “eligible data breach”, within 30 days it must notify individuals whose personal information is likely to result in serious harm due to the breach. The notification must include recommendations about the steps individuals should take in response to the breach. The organisation must also alert the Australian Information Commissioner of an eligible data breach. This can be done through an online form, the Notifiable Data Breach statement, and the Commissioner’s guidance sets out what to include in the statement.

An eligible data breach is one in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is “likely to result in serious harm to any of the individuals to whom the information relates”. Examples may include the hacking of a database containing personal information or personal information that is mistakenly provided to the wrong person. The scheme is not retrospective so if the breach occurred prior to 22 February 2018, even if it is discovered after this date, then it is not considered an eligible data breach for the purposes of this scheme.

The legislation distinguishes between notifiable and non-notifiable breaches. If an organisation can show that it has taken appropriate steps to mitigate the breach, then notification is not required.

What if I fail to report?

The consequences are potentially significant with a business that fails to report an eligible breach facing penalties of up to $360,000 for individuals and $1.8 million for organisations. For those affected, the release of personal names, email addresses and phone numbers may leave them susceptible to phishing attacks. Information such as driver’s licence numbers and bank account details could lead to fraud, identity theft and money laundering.

How often do data breaches occur?

Data breaches are frequent and have in the past often been covered up, with those most affected having little to no knowledge that their personal information has been compromised.

In 2017 it was reported that more than 1 in 10 Australians potentially had personal information stolen in a security breach that ride-sharing company Uber allegedly covered up for over a year. It was revealed by Uber that the personal information of a staggering 57 million customers and drivers (including names, email addresses and mobile phone numbers) had been compromised in a data theft and the company paid US$100,000 to the perpetrators to delete the stolen data. It was not until November 2017 that Uber notified the Privacy Commissioner. There was a distinct failure to notify affected individuals and regulators.

Had Australia’s new mandatory data breach reporting laws been in effect, Uber would have been penalised for their failure to contact victims and report the breach to the Australian Information Commissioner.

How can I prepare?

  1. Firstly, determine whether your agency or organisation is subject to the NDB scheme.
  2. Check out the Information Commissioner’s Guide to securing personal information. Be aware of how personal information is stored and managed.
  3. Have in place a data breach response plan. The Information Commissioner has an excellent guide to help prepare such a plan.
  4. Seek legal advice at any step along the way to ensure that you are fully aware of your obligations, ensuring the safety of staff and customers, and have in place procedures and protocols should a data breach occur.

Useful Links

Legislation: Privacy Amendment (Notifiable Data Breaches) Act 2017

Australian Information Commissioner’s website about the Notifiable Data Breaches Scheme

Uber CEO Dara Khosrowshahi’s blog post 21 November 2017

Red Cross Blood Service admits to personal data breach affecting half a million donors – ABC News 28 October 2016

Mohandas Gandhi

“An eye for an eye only ends up making the whole world blind.”