Clifford Gouldson Lawyers

Only 10 day until major privacy law changes - are you ready and compliant?

Print Version


On Thursday, 22 February 2018, new provisions of the Privacy Act 1988 (Cth) will come into effect across Australia. The new sections of the Act will legally compel many businesses to notify customers, clients, users and other third parties of certain data breaches. These changes are referred to as the Notifiable Data Breaches (NDB) scheme.
Are you a:

  • private sector business with an annual turnover exceeding $3m*;
  • private sector business that provides any health services; or
  • private sector business that trades in personal information; or
  • credit reporting body; or
  • employee association; or
  • Australian government department or corporation; or
  • small business that has “opted-in” to the Act?

If you answered “yes” to any of the above you must: 

1.  notify a person if:

  • you hold that person’s private information; and 
  • there is an unauthorised access, disclosure or loss of that information (a “data breach”); and
  • the data breach is likely to result in serious harm to the person; and

2.  provide the person with advice on the steps they should take (e.g. changing passwords, cancelling credit cards, etc.); and 

3.  notify the Australian Information Commissioner.

The Commissioner may provide advice and guidance, and in some circumstances may take regulatory action if the breach is serious enough.
What happens if my business doesn’t comply?
A failure to comply with the scheme will be considered an “interference with the privacy of any individual”. Accordingly, the Commissioner may take such action as:

  • seeking, accepting and enforcing undertakings;
  • making and enforcing determinations;
  • seeking injunctions; and
  • applying to a court for the application of a civil penalty, up to $420,000.00.

What should you do now?

  • review and update your current privacy policies and procedures to ensure that information is collected and handled responsibly and safely;
  • implement data breach policy procedures, in order to assess, remedy and notify data breaches if they occur; and
  • review your current IT and data security policies, procedures and systems, in tandem with your IT provider to ensure the chance of a data breach is kept to a minimum.
Need more information?
The Office of the Australian Information Commissioner provides general information on the scheme, which can be accessed here.
If you are not sure if the legislation applies to you, or you need help becoming compliant before 22 February, Clifford Gouldson Lawyers can provide advice, training and audits in relation to such policies and procedures.

Certain small businesses with a turnover under $3m may also need to comply with elements of Act, such as those providing services to the Commonwealth (click here for a detailed list).


‘Reining in staff behavior at your office Christmas party’ - 14/12/2018

With Christmas only weeks away, it’s common for businesses to celebrate the end of the year through work functions and Christmas parties. Because the celebrations occur outside the usual work environment, it can be difficult to find the balance between setting the standard of what’s expected of employees and allowing everyone to have fun.... read on

Cybersecurity – Is this business’ current greatest threat? - 7/11/2018

Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from digital attack. In a computing context, security comprises cybersecurity and physical security – both are used by enterprises to protect against unauthorized access to data centres, computerized systems, and computing devices over the internet of things (IoT).... read on

When “claim denied” is not the final word - 18/10/2018

Unfortunately for those of us who dutifully pay our insurance premiums (insurance companies call us “insureds”), we do not always receive a payment when we make a claim against our insurance policies.... read on

Read all news/events

Site Developed by FAQ Interactive