Preparing for the Worst: Privacy, Data Breaches and Your Business


6 June 2017
Posted by Suzy Wood

Most (if not all) businesses handle personal information to some degree. It may be trite to say that in the digital age, the chances of that data falling into the wrong hands are exponentially higher than they used to be. We need look no further than 2015’s Ashley Madison scandal to be reminded that the ramifications of mishandling data can be severe and irreversible for individuals and businesses alike.

Amendments to the Commonwealth Privacy Act will impose new obligations on certain businesses to notify the Australian Privacy Commissioner and affected individuals in the case of an “eligible data breach”.

Here is what your business needs to do to prepare before the Bill takes effect on 22 February 2018.

Will this law affect my business?

Generally speaking, private sector organisations with an annual turnover of more than $3 million must comply with the Commonwealth Privacy Act. Certain organisations, including businesses which provide a health service (whether for physical or mental health), are required to comply regardless of their annual turnover. If you think you might be covered but you’re not sure, speak to us! It can get a little bit complicated, particularly for start-ups.

Remember that if one company in a corporate group has an annual turnover of more than $3 million, then all of the companies in that corporate group are required to comply with the Privacy Act and will become subject to mandatory data breach notification obligations.

When do I need to notify the Commissioner and the affected individual?

The reporting obligations arise when an “eligible data breach” occurs.

This is where there is unauthorised access to, or disclosure of, personal information. It also includes situations where the information is lost, if it is likely to then be accessed by an unauthorised person.

A data breach will only be an “eligible data breach” if a reasonable person would conclude that the unauthorised access or disclosure would be likely to result in serious harm to the relevant individuals.

The amendments set down a number of factors to be considered in determining whether there is a risk of “serious harm”. These include:

(a) the type of information;

(b) the sensitivity of the information;

(c) whether the data was encrypted; and

(d) any potential harm that could be caused to individuals.

What are my obligations if an eligible data breach occurs?

If there are reasonable grounds to suspect that there has been an “eligible data breach”, you must carry out a “reasonable and expeditious” assessment of whether a breach has in fact occurred. If it has, you must then notify each individual to whom the affected information relates (or alternatively, publish a statement on your website). You also need to prepare a statement disclosing certain details of the breach for the Australian Privacy Commissioner to assess. See the OAIC’s guide to handling security breaches for more information.

What do I need to do to get ready?

The amendments will come into effect on 22 February 2018. In practice, they will make it much harder to keep data breaches from your customers, your business associates and the general public when they occur. This level of transparency is a definite win for your clients and business associates, but it puts more pressure on you to make sure you are doing everything you can to prevent breaches from happening. No business wants the bad publicity of having to advertise the fact that its data has been exposed!

We recommend all businesses take the following simple steps:

(a) Review your processes for handling and storing personal information and your current level of technological protection against hacks and other security breaches.

(b) Consider providing your staff with training about cyber risks and smart IT system practices.

(c) Check to see if you are covered by the Privacy Act (talk to us if you’re not sure).

(d) If you are covered, ensure you have a compliant privacy policy in place which is adhered to by all staff, then develop and implement a data breach response plan (check out the OAIC’s guide). In other words, prepare for the worst!

(e) You should also make sure your existing agreements with other businesses contain obligations on them to report to you in the event that they suffer a data breach relating to your business’s personal information, so that you can comply with your obligations.

Studio Legal is experienced in preparing privacy policies and advising on privacy issues for our clients. Call us on (03) 9521 2128 or email for assistance preparing for the new laws.


The information in this article is of a general nature. It does not constitute formal legal advice, and should not be relied on as such. Please see the full disclaimer in our website terms. Please contact Studio Legal if you are seeking advice about a specific legal matter.