On 13 February 2017 the Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed by the Australian Parliament, introducing a mandatory data breach notification regime under the Privacy Act 1988. The scheme commenced on 22 February 2018 and requires organisations covered by the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when an “eligible data breach” occurs.
An “eligible data breach” occurs where:
• there is unauthorised access to, or unauthorised disclosure of, personal information held by the organisation (or the information is lost in circumstances where such access or disclosure is likely to occur); and
• a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
An exception applies where the organisation takes remedial action quickly enough that the serious harm is no longer likely to occur; in that case the breach is not an eligible data breach and no notification is required. Where an organisation only suspects a breach may be eligible, it must carry out a reasonable and expeditious assessment, to be completed within 30 days.
The amended legislation gives individuals in Australia greater visibility of how their personal information is protected, and it applies to Australian companies as well as to international organisations that carry on business in Australia and hold personal information collected here.
It also means that businesses must plan in advance for the practical demands of a data breach response and for the disruption an unexpected incident causes. Close coordination between management and the risk, IT security, legal and PR teams will be needed to investigate the incident, assess its severity against the “serious harm” test within the statutory timeframe, and manage the notification and its consequences.