Two days until mandatory data breach notification laws come into effect and the advisory articles (sort of) come out

February 20, 2018

In two days the Privacy Amendment (Notifiable Data Breaches) Act 2017 becomes law.  Organisations and agencies covered by the Privacy Act will have obligations to notify those impacted by a data breach as well as notifying the Information Commissioner.  What was once good practice is now mandatory.  How mandatory it becomes in practice depends on the regulator.  That is a live question in this area.

It is interesting to see how these changes are being written up. In today's Australian, under the heading It's D-Day for privacy breaches, the VP of Cisco and chief data privacy officer, Michelle Dennedy, has written a sprightly piece ostensibly about the data protection laws but more a generalised discussion of good privacy practices, sprinkled with the word "Cisco". It offers next to no insight into how the legislation will operate. It is a complex Act which requires balancing and some careful decision making. If one were to use this article as a guide, the nearest cliff is where one would end up. As an introduction to quite basic privacy practices it is not too bad.

The Australian article provides:

For the average Australian, February 22, 2018, is just another work day. However, it’s much more than just another day; it’s D-Day for data privacy breaches in Australia. With the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 coming into force, data breaches will now be treated as crimes.

With passage of the Australian Privacy Amendment, Australian businesses are legally obligated to notify their customers or clients, and the Australian Information Commissioner, about major data breaches.

They must describe how they occurred and how individuals should respond, and they must also notify individuals when their data has been obtained by unauthorised parties.

As vice president and chief data privacy officer at Cisco, I work to raise awareness and create tools that promote privacy, quality and integrity for data. My advice for adhering to and complying with the new rules includes the following tips for organisations:

1 Be transparent and accountable. Let customers and partners know your commitment. For example, Cisco is committed to helping our customers and partners by protecting and respecting personal data, no matter where it comes from or where it flows. We have established security, data protection, and privacy programs and are committed to comply with regulations, customers’ needs, and our own corporate code of conduct. Since 2016, we have been a certified participant in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. We are also certified under the EU/Swiss-US Privacy Shield framework and EU Binding Corporate Rules to provide a consistent baseline of privacy protection when data processing crosses borders.

2 Invest in a comprehensive data protection program. Make sure your data protection program covers data throughout its life cycle. It begins with security and privacy by design and includes privacy engineering methodology and privacy-enhancing technologies; managing collection, use, processing, and storage; addressing operational needs such as reporting and oversight; and secure disposition or destruction at end of life.

3 Be vigilant about global regulatory requirements. Addressing personal data handling requirements across different jurisdictions around the world requires a mature data privacy practice that aligns with industry best practices, customer demands, and regulatory requirements. Being a global data citizen includes awareness and structured flexibility across cultural divides.

However, while the legislation seeks to protect consumers and customers, responsibility for your privacy governance remains in your hands, too:

1 When shopping for a new connected device, determine what data will be gathered and from whom. How will it be used, shared, and retained? Does the service you are using need that data to function?

2 Manage information wisely that your device uses. Research how the product manufacturer protects and controls data. Does the value of the services gained from sharing your data outweigh the value of the data you surrendered? Is the company or organisation capable and interested in governing it the way you would treat your own valuable data?

3 Beware of online surveys or cold calls intended to steal personal information for possible identity theft or to set you up as a target for scammers. Don’t be afraid to ask hard questions before you answer any yourself.

4 Bogus offers for freebies often require your credit card, claiming the information is necessary to cover shipping costs or a deposit. That often results in unnecessary charges on your bill or a recurring charge you cannot kill. Before taking the bait, check the manufacturer’s or provider’s website. If the offer isn’t stated there, you could be vulnerable to theft. Your credit information is regulated by data protection rules and regulations, even after you share it “publicly” with merchants. They do not have the right to use it how they please if they are not pleasing you.

5 Think twice before downloading free entertainment, screen savers, or mobile apps. Some are specifically created to hack personal information, passwords, and files. Others leave a backdoor open so the crooks can use your information or equipment, or just exploit your private images later.

The Privacy and Information Commissioner has provided a stolid and bland assessment of the scheme. Curiously and concerningly, he talks about working with the government and others during the transition to the new scheme and providing guidance over the next 12 months. That betrays an unfortunate, but consistent, softly-softly approach to regulation in an area where enforcement has been lacking. Surely the last 12 months, from the passage of the legislation to its coming into effect, has been the transition period.

The statement provides:

Statement from Australian Privacy and Information Commissioner, Timothy Pilgrim

I welcome the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which establishes a mandatory data breach notification scheme in Australia.

I look forward to working with government, business and consumer groups during transition to this new scheme, which will help protect the privacy rights of individuals, and strengthen community trust in businesses and agencies.

This amendment will require government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that is likely to result in serious harm. My office will be advised of these breaches, and can determine if further action is required.  The law also gives me the ability to direct an agency or business to notify individuals about a serious data breach.

The new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement. This will include providing additional guidance over the next 12 months, and events hosted through the OAIC’s Privacy Professionals Network.

In the meantime, agencies and businesses should continue to take reasonable steps to make sure personal information is held securely – including being equipped with a clear response plan in the event of a data breach.

The OAIC’s Data breach notification — a guide to handling personal information security and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the mandatory notification scheme. The OAIC also has a comprehensive Guide to securing personal information.

Timothy Pilgrim PSM
Australian Privacy and Information Commissioner


In 2015–16, the Office of the Australian Information Commissioner received 107 voluntary data breach notifications. The top five sectors during the year were:

  1. Australian Government
  2. finance (including superannuation)
  3. health service providers
  4. retail
  5. online services.
