Mandatory data breach notification laws apply in 2018


I have had a number of queries recently about data breaches and mandatory reporting. Currently, there is no law requiring that a company notify compromised parties if there has been a data breach involving their information (although doing so may help mitigate loss and is advisable). However, a new law is coming into force which will require mandatory reporting in the event of a data breach.

We have previously written about the introduction of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill). The Bill has now passed both houses of parliament, meaning that entities must provide mandatory notifications within 30 days of becoming aware that a data breach has occurred.

The Act will apply to those entities covered by the Privacy Act, including those businesses with an annual turnover of 3 million dollars or more and those businesses which collect sensitive information and other specific personal information.

Whilst it is not mandatory for small businesses with annual turnover under 3 million dollars to comply (provided they do not collect certain personal information), it is highly encouraged that all businesses have a Privacy Policy and a clear plan in place to deal with any data breaches that may occur, in order to encourage customer trust and goodwill.

Be ready – the Act commences on the 22nd February 2018.

If you need assistance in determining whether the mandatory data breach notification laws will apply to you or if you are considering having a tailored privacy policy for your business, contact me at  or call me at 1300 033 934 for a no-obligation quote.

Source: OAIC