The Privacy Amendment (Notifiable Data Breaches) Bill 2016 applies to largely private sector enterprises with an annual turnover of at least AUD $3 Million; the same entities who must already comply with the Australian Privacy Act.
The law requires organisations to notify of an “eligible data breach” within 30 days of them becoming aware of it.
A eligible data breach is when
- there is unauthorised access to, or unauthorised disclosure of, the information;
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
These laws raise the information security governance stakes even higher, and places upon enterprises an expectation they must do everything they can to protect customer and private data. In the event an organisation is compromised with an “eligible data breach” they’ll have no choice but to disclose it, or face hefty fines up to AUD $360,000 (for individuals) and up to AUD $1.8 Million (for organisations).