Legislative Changes - Mandatory Data Breach Notification Laws Passed by Australian Government

02 Mar 2017, MOQdigital Marketing


image.jpegThe Australian Government has recently passed The Privacy Amendment (Notifiable Data Breaches) Bill 2016. Over the next 12 months as the bill comes into effect, companies are legally required to provide notice to affected individuals and the Australian Privacy and Information Commissioner when certain types of security incidents compromise information of a specific type.

 This means companies need to put Data and Cyber Security at the top of their priority list to avoid facing the consequences of unintentional security breaches. To help you understand the bill and the impact on you we have detailed the most important elements below.


Organisations who have responsibilities under the Privacy Act will need to comply with these new laws. In addition, some types of businesses with less than $3million turnover are affected. If you’re wondering if and how your business is affected by this change, see the list below of the businesses who must comply:

  • Australian Government agencies 
  • Businesses and not-for-profit organisations with an annual turnover of more than $3 million.
  • Private sector health services providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
  • Child care centres, private schools and private tertiary educational institutions.
  • Businesses that sell or purchase personal information along with credit reporting bodies


Once the scheme is enacted over the next 12 months your business will be required to report any eligible data breaches to the Australian Privacy and Information Commissioner and notify customers who may have been affected as soon as possible. Below are the key points that you need to be aware of and understand if your business is affected by these new laws:

  • Instances of unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure 
  • An eligible data breach is when individuals affected are at “risk of serious harm” because of their exposed information
  • When reporting data breaches to the Australian Privacy and Information Commissioner businesses must include a description of the breach, the kind of information that has been compromised and the steps those affected can take to respond to the incident, e.g. informing customers they are able to update and change their passwords for affected online accounts


According to the bill there will be consequences for failure to comply:

"A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate."


While your business may not be directly impacted by the new legislation, it’s a timely reminder that all businesses need to make Data and Cyber Security a priority. MOQdigital offers a full range of services that can instil security practices to ensure your business is adequately protected from evolving Cyber Security threats. Our services include:

  • Cyber Security Policies and Strategy
  • Information Security Risk Assessments
  • Penetration Testing and Vulnerability Assessments
  • Cyber Security Solution Design and Implementation
  • Managed Security Services – including SIEM as a Service, SOC as a Service

If you’re ready to reassess your security practices and prepare for the new legislative changes to come into effect, contact MOQdigital today.