Express law No. 266

22 February 2018

Mandatory data breach notification scheme commences today

The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, with a commencement date of 22 February 2018.

The NDB scheme requires agencies and organisations to notify individuals and the Australian Information Commissioner where there has been an 'eligible data breach'. An eligible data breach will occur where a data breach (unauthorised access or disclosure, or loss of the information) is likely to result in serious harm to any individual affected.

The notification to affected individuals and the Commissioner must include the following information:

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned
  • recommendations about the steps individuals should take in response to the data breach.

Implications for clients

Agencies and organisations should have in place a data breach response plan to assist with identifying and assessing when a data breach is likely to result in serious harm and require notification.

Agencies and organisations should also think about how to manage their obligations under the NDB scheme when entering into contractual arrangements involving personal information.

AGS can assist you to develop data breach response plans and template notification letters, and can assist with your contract arrangements.

For further information please contact:

Elena Arduca
Senior Executive Lawyer
T 03 9242 1473

Tara McNeilly
Senior General Counsel
T 02 6253 7374

Justin Hyland
Senior Executive Lawyer
T 02 6253 7417

Melissa Gangemi
Senior Lawyer
T 03 9242 1329

Justin Davidson
Senior Executive Lawyer
T 02 6253 7240

For assistance with contractual arrangements:

Kenneth Eagle
National Manager Commercial
T 03 9242 1290

Important: The material in Express law is provided to clients as an early, interim view for general information only, and further analysis on the matter may be prepared by AGS. The material should not be relied upon for the purpose of a particular matter. Please contact AGS before any action or decision is taken on the basis of any of the material in this message.