Photo: Unsplash/crew.

Australia’s new Data Breach Notification Law comes into effect on February 27 and will require businesses to report all instances of personal data breaches.

The new law will require businesses that comply with the Privacy Act 1988 (Cth) to notify the Australian Information Commissioner if they experience an ‘eligible data breach.’

What is an eligible data breach?

  • Unauthorised access to personal information
  • Unauthorised disclosure of personal information
  • Loss of personal information

The changes of legislation will affect:

  • Businesses with a turnover of more than $3 million; and
  • Other businesses that operate by holding personal information.

Examples of an eligible data breach could include:

  • A database containing personal information is accessed by hackers
  • A laptop or phone that contains customers’ personal information is lost or stolen
  • An employee browses sensitive customer information without any legitimate purpose
  • A contractor working on a database containing customer information takes their own copy on a USB

Generally speaking, most small businesses will not have to comply, however there are exceptions. A small business with an annual turnover of $3 million or less will have to comply with the Data Breach Notification laws if it is:

  • A health service provider
  • Trading in personal information (e.g. buying or selling a mailing list)
  • A contractor that provides services under a Commonwealth contract
  • A reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
  • An operator of a residential tenancy database
  • A credit reporting body
  • Employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • Businesses that conduct protection action ballots
  • Businesses that are related to a business that is covered by the Privacy Act
  • Businesses prescribed by the Privacy Regulation 2013 or
  • Businesses that have opted in to be covered by the Privacy Act.

A real estate agent with a property management portfolio and businesses prescribed by the Privacy Regulation 2013 are the most common ‘Other’ businesses picked up by the legislation.

Note: To see the full list of business types affected, you can visit the Data Breach information page

Currently, many businesses are unprepared for the legislation changes and may find themselves facing fines of $360,000 for individuals and $1.8 million for businesses.