Is there a data breach on your hands?

[ how to combat the leak of personal information ]
by Carrie Payne Published

Recent changes to the Privacy Legislation in Australia have implications for those that deal in personal information. Knowing your responsibilities is key to ensuring compliance with the changes.

What are the changes?

The Privacy Act requires particular entities to notify relevant parties when a data breach is likely to result in serious harm to any individual whose personal information is involved in the breach. This is called an eligible data breach.

Does this apply to me?

The new rules apply only to specific entities.

While the process for determining whether the rules apply to you should be done with specific advice, broadly speaking, if you hold personal information, credit reporting or eligibility information or tax file numbers, the rules are likely to apply to you.

Let’s step through the elements

A data breach is where personal information that an entity holds is lost or subject to unauthorised access or disclosure. The below table summarises the conditions in relation to breach:

Type of breach: Access/disclosure of personal information
Requirement 1: there is unauthorised access to, or unauthorised disclosure of, the personal information
Requirement 2: a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates

Type of breach: Loss of personal information
Requirement 1: unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur
Requirement 2: assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates

Personal information is information about an identified individual, or an individual who is reasonably identifiable.

The term serious harm is not defined in the Privacy Act. The Office of the Australian Information Commissioner (OAIC) has suggested that in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

However, in determining whether a reasonable person would conclude that a breach would be likely to result in serious harm to an individual, the Privacy Act lists a series of matters that it deems relevant:

(a) the kind or kinds of information;

(b) the sensitivity of the information;

(c) whether the information is protected by one or more security measures and the likelihood that any of those security measures could be overcome;

(d) the persons, or the kinds of persons, who have obtained, or who could obtain, the information;

(e) if a security technology or methodology was used, the potential for a third party to have the intention of causing harm to any of the individuals to whom the information relates;

(f) the nature of the harm;

(g) any other relevant matters.

What if an entity thinks there is a data breach?

The first step for an entity is to contain the breach and make attempts to mitigate the potential for serious harm.

The entity should also carry out an assessment within 30 days of the entity becoming aware of the issue.

If an eligible data breach has occurred and immediate remedial action is not possible, the entity is required to notify certain parties. There are requirements around the content and recipients of that notification, including the manner of communication of the notice.

So, what do I need to do now?

Unsurprisingly, there is very little preventative guidance in Privacy legislation. However, the OAIC recommends that entities prepare a Data Breach Response Plan (DBRP). In particular, the OAIC:

(a) describes a DBRP as a framework that sets out the roles and responsibilities involved in managing a data breach. It also describes the steps an entity will take if a data breach occurs.

(b) suggests that a DBRP should be in writing and that staff should be aware where they can access the DBRP on short notice.

(c) recommends that entities regularly review and test the plan. How regularly you test your plan will depend on your circumstances.

(d) considers the following items are required in any DBRP:

(i) a clear explanation (including examples) of what constitutes a data breach;

(ii) a strategy for containing, assessing and managing data breaches;

(iii) the roles and responsibilities of staff in relation to data breaches;

(iv) how your entity will document any breaches;

(v) a process of post-breach review to improve the effectiveness of data management by your entity.

The form and content of any DBRP will depend on your circumstances and should be settled in consultation with your advisers.

Because the legislation is so new, and because it appears to afford entities considerable discretion in how they adopt the data breach rules, advisers can currently rely only on publications from the Commissioner’s office as to how the law will be interpreted.

In this regard, as there is no judicial interpretation as yet to rely upon, care must be taken to regularly review the documents in light of the developing law.

Entities should also consider:

(a) whether the entity’s current policy complies with national or international privacy laws;

(b) whether the entity should review its other internal processes relating to privacy to include reference to data breaches and any new and complementary policies in relation to data breaches;

(c) whether the entity should update its employment contracts to ensure they reflect employees’ responsibilities to report data breaches or suspected data breaches.

Entities should also obviously confirm that they continue to comply with other relevant reporting schemes.

As always, parties should obtain advice specific to their circumstances.

What are the take outs?

Parties should consider and obtain advice regarding whether:

(a) they need to comply with the new rules; and

(b) their internal systems and processes should be updated in accordance with that advice to ensure any risk of breach is minimised or damage mitigated.

If you would like to discuss your requirements under the new rules or would like assistance with preparing a data breach response plan, please contact us.

General Advice Disclaimer

Information provided on this website is general in nature and does not constitute financial or legal advice. Every effort has been made to ensure that the information provided is accurate, but information may become outdated as legislation and new government announcements are made. Individuals must not rely on this information to make a financial, investment or legal decision as it does not take into account their personal circumstance. Before making any decision, we recommend you consult a licensed adviser or legal practitioner to take into account your particular objectives, circumstances and individual needs.
