What do the new privacy laws mean for you?

Posted on February 23rd, 2018


As of yesterday, 22 February 2018, new mandatory data breach legislation has taken effect. This means that certain types of data breaches, known as eligible data breaches, under the Australian Privacy Principles (“APPs”) have mandatory reporting obligations.

The APPs have now been in effect for almost four years. When they first came into effect, many organisations were caught off guard in terms of new requirements, including the need to have a privacy policy in place. The obligations under the APPs have now been extended even further.

The APPs contain certain obligations in relation to personal information and its use, disclosure and protection. These principles apply to a significant number of organisations, known as APP entities, including government bodies and private organisations with a turnover of more than $3 million.

Up until yesterday, discretion existed in terms of deciding whether or not to notify certain persons, including affected individuals and the Office of the Information Commissioner (“the Commissioner”), in the event of a privacy breach. Now, there are mandatory reporting obligations imposed on APP entities.

The mandatory data breach notification regime essentially imposes an obligation on APP entities to notify affected individuals and the Commissioner where personal information has been disclosed in breach of the APPs. This is what is known as an “eligible data breach” under the legislation.

If there is unauthorised access to, or disclosure of, personal information which is likely to result in a serious risk of harm, organisations are required to notify the affected individuals and the Commissioner.

There are many factors to consider when looking at compliance with this new legislation, including:

  • what is personal information?
  • what is an eligible data breach?
  • what is disclosure?
  • what is unauthorised access?
  • what is serious harm?
  • what are reasonable grounds?
  • who is an affected person?


It is now mandatory that where a potential eligible data breach occurs, assessment of the data breach must be conducted within 30 days of becoming aware of the breach. This assessment needs to address certain criteria dictated by the legislation. If the assessment determines there are reasonable grounds for suspecting serious harm could result from the breach, there are mandatory reporting obligations imposed upon the organisation.

If organisations fail to comply with the requirements under this new regime, the organisation could be liable for a fine of up to $1.8 million.

It is essential that organisations that are subject to the requirements of the APPs implement policies and procedures to identify potential data breaches, rectify them as soon as possible, conduct assessments in relation to same and determine their obligations in relation to notification.

With the changing nature of the commercial world, privacy compliance is becoming stricter and stricter. Collection, use and disclosure of personal information is a hot topic and can be an area where businesses expose themselves to great risk. Organisations need to take their privacy obligations seriously and ensure that they have the necessary practices and procedures in place to prevent exposure to liability under this regime.

Lana Black is the Privacy Officer at Mullane & Lindsay and is responsible for assessment of possible breaches and compliance with the requirements of the APPs. If you require advice in relation to how the APPs apply to you, or your obligations under the principles, you should contact Lana.


Lana Black, Solicitor at Mullane & Lindsay Solicitors, Newcastle

Lana Black is a Solicitor at Mullane & Lindsay Solicitors and practices extensively in estate planning and administration. If you require any assistance in this area please contact Lana Black to arrange a consultation or contact our Newcastle office.
