Mandatory Data Breach Reporting

Do you keep a database of personal information of your clients?

If so, the Mandatory Data Breach Reporting rules (formally the Notifiable Data Breaches scheme under the Privacy Act 1988) may apply to you. The rules took effect on 22 February 2018.

What does this mean?

Entities that are covered by the Privacy Act 1988 must now notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals of any data breach that is likely to result in serious harm to any of the individuals whose personal information is involved. A data breach here means unauthorised access to, unauthorised disclosure of, or loss of personal information the entity holds.


Organisations covered by the rules include businesses and not-for-profit organisations with an annual turnover of more than $3 million, as well as businesses and organisations with lower turnovers that operate in key areas such as credit reporting bodies and health service providers.


Businesses that fit the above criteria are advised to review their data security and to have a plan in place covering the steps to be taken should a data breach be discovered. The plan matters because the scheme expects a suspected breach to be assessed promptly (the Act allows 30 days for that assessment), so the people who will make the decision, and the information they need, should be identified in advance.


It’s easy to think that data breaches will only happen to big organisations whose computer systems are hacked, but they can occur to any organisation at any time.


Some examples of data breaches are mail containing client personal information being posted to an incorrect address, or a USB drive containing client information being lost or stolen. Laptop theft is very common too. So it is a good idea to review your business security systems, including passwords, to minimise the risk. Encryption on laptops and portable drives is worth particular attention: a lost device whose contents cannot be read is far less likely to result in serious harm than one holding unencrypted client data.


More information:

More information, including the form for notifying the OAIC of a Notifiable Data Breach, can be found on the Australian Government website here or on the Australian Government Business website here.