Stop me if you've heard this one: Mandatory Data Breach Notification laws


Advisers often complain that Compliance is too focused on anticipated changes, so we’d like to shatter that misconception by focusing on some significant changes that commenced last month.

You’re probably aware that, since 22 February 2018, entities subject to the Privacy Act[1], like many of our clients, have had a legal obligation to record, manage and report ‘eligible data breaches’.

If you weren't sure whether these changes apply to you, the short answer is this: if you’re currently subject to the Australian Privacy Principles, you’re now required to report eligible data breaches.

The Notifiable Data Breaches Scheme

The fundamentals

We’ll explore the poetically named Notifiable Data Breaches Scheme and the excellent resources provided by the Office of the Australian Information Commissioner (OAIC) but first, we’ll start with the fundamentals.

To understand what you need to report, you need to understand that an eligible data breach occurs if:

(a)    there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by you; and

(b)    the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and

(c)     you haven’t been able to prevent the likely risk of serious harm with remedial action.

It’s critically important to appreciate that all ‘eligible data breaches’ – those likely to result in serious harm – need to be reported as soon as practicable, both to the OAIC and to the individuals (potentially) affected by the breach.

Unauthorised access, disclosure or loss

It’s tempting to focus on hacking, but the vast majority of breaches are caused by the acts, errors or omissions of the entity that held the information. Sometimes the cause is poor infrastructure design, sometimes inadequate security, and sometimes simple carelessness or a common administrative error.

Data breaches can occur when:

  • an unencrypted laptop is left in a cab;

  • a USB containing customers’ personal information (such as Statements of Advice or Fact Finds) is lost or stolen;

  • your client database is hacked; or

  • you mistakenly provide a client’s personal information to the wrong person.



Likely to result in serious harm

The Privacy Act doesn't define serious harm, so you’re left to determine both your own measure of significance and your own definition of harm.

In practice, any definition you adopt needs to be reasonable (and consistent with standard industry practice).

Your approach should not consider the possible damage too narrowly.

In our opinion, your objective assessment should include, but not be limited to, a consideration of probable harm including damage that is:

  • physical,

  • psychological,

  • emotional,

  • financial and

  • reputational.

When you are assessing the likelihood of serious harm, think carefully about:

  • the type and content of the information accessed, disclosed or lost;

  • whether the information was adequately secured, for example encrypted (note that a password on a device or file does not, on its own, protect data that is not encrypted);

  • whether the information is anonymised, unintelligible or meaningless to anyone without the specialist knowledge or information required to overcome the protections in place;

  • who could have obtained, or could obtain, the information; and

  • the consequences and implications of the disclosure or loss.

So what data losses are likely to result in serious harm?

Advisers, and advice businesses, routinely collect, retain and use personal information from their clients. So it’s not hard to identify the information that, if lost or released, could cause serious harm. For simplicity, consider:

  • taxation information such as returns or TFNs;

  • credit reporting data;

  • personally identifiable information;

  • ‘sensitive information’, such as information about an individual’s health;

  • documents commonly used for identity fraud (including Medicare card, driver licence and passport details);

  • financial information; and

  • a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about.

Exceptions to reporting

The likelihood of serious harm is a threshold condition for mandatory breach reporting, but there are two important qualifications to note:

1.    An assessment of serious harm requires an objective and reasonable assessment made from your perspective. It does not require you to make a subjective assessment of the likely harm based on each affected individual’s personal circumstances. Act reasonably and prudently, but appreciate the broader implications of the breach and of your reaction to it.

2.    You don’t need to report a breach where your remedial action has actually prevented the likely risk of serious harm (the third limb of the definition above). Having merely started to remediate is not enough on its own; the remediation must remove the likelihood of serious harm. We’ve addressed effective remediation previously, and we remind you that effective remediation needs to be reasonable, prompt, effective and appropriate. Your remediation and consequence management policy should provide you with the framework and guidance you need to satisfy this requirement, but contact us if you need assistance.

Our recommendations

Act on suspicions

You have a general obligation to report known eligible data breaches, but what if you only suspect that one has occurred?

You have no immediate obligation to report your suspicions, but you are expected to undertake a “reasonable and expeditious assessment” to determine whether there are reasonable grounds to believe an eligible data breach has occurred.

Where your suspicions prove to be justified, and an eligible data breach is identified, you’ll need to report the breach to the OAIC and notify the affected individuals.

Given the potential sensitivity of the breaches, speed is of the essence.

You are expected to complete your assessment within 30 days after you suspect an eligible data breach.

We’d recommend that you aim to resolve matters far earlier.

In fact, we'd recommend that you adopt a similar timeframe to that used for your ASIC Breach reporting.

Given the significance of the potential impact, your investigation should be given high priority.

You might also consider whether a significant data breach needs to be reported to ASIC as a contravention of the financial services laws. We recommend that you do.

Update your “measures, processes and procedures”

If you haven’t already updated your Remediation and Consequence Management Policy, and refined your Incident/Breach Management Policy, you should do so now.

You should also prepare a data breach response plan.

Computerworld noted that an appropriate breach response plan should have an aggressive timeline and should explain how you:

1.    identify and close security holes,

2.    notify government agencies and impacted individuals, and

3.    train staff to prevent recurrences.

In addition, we recommend that you review your Complaints Policy to ensure you’ve addressed the additional reporting requirements.

We’d also recommend that you undertake a data audit: investigate what data you hold and who can access it, and consider whether your existing data privacy and security policies are adequate. Review your IT infrastructure.

Look at your outsourcing contracts to confirm that these third parties understand what is expected of them.

Include all third-party service providers that have access to your data in this process. One of the weakest points in most security systems is when the data is transferred to another group. You can mitigate some of the inherent risks this creates by making certain everyone is on board with the stated plan.
— Sergio Ferreira, 15 November 2017

If you’d prefer to work from the source documents rather than ask for our help, start by reviewing the OAIC’s Data breach notification — A guide to handling personal information security breaches and its Guide to developing a data breach response plan.

Don’t forget to train your staff about these obligations, because serious or repeated failures can attract civil penalties of up to $2.1 million.

That's a significant penalty but in our view, the damage to your reputation may be far greater than any financial penalties imposed.


[1] This includes private sector organisations, including not-for-profits, with annual (group) turnover of more than $3 million. It also includes small businesses earning $3 million or less where they are health service providers, businesses that trade in personal information, contractors that provide services under a Commonwealth contract or credit reporting bodies, amongst others.