Clifford Gouldson Lawyers

Data Breaches – Your Legal Reporting Obligations


Australian privacy and information security laws are complex. In particular, we find many of our clients struggle to understand when the Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act applies to their business. It is essential to learn not only when the NDB scheme applies but also how to prevent data breaches and how to mitigate them when they do occur.

What is the Privacy Act?

The Privacy Act[1] (the Act) regulates the way organisations collect, hold, use and disclose individuals’ personal information, including its use for direct marketing. The Act primarily regulates Australian Government agencies and organisations with an annual turnover greater than $3 million, but some small businesses are also covered, including those that opt into the scheme, private sector health service providers, businesses that trade in personal information, and those involved in credit reporting.

What is the NDB Scheme?

Any organisation regulated by the Privacy Act must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach involving personal information is likely to result in serious harm to any of the individuals to whom the information relates. The Act calls this an “eligible data breach”.

A data breach occurs when personal information held by an organisation is lost, or is subject to unauthorised access or unauthorised disclosure. In practice this most commonly covers hacking and other malicious access, and accidental disclosure (such as sending personal information to the wrong recipient). A breach is not eligible if the organisation takes remedial action quickly enough that serious harm is no longer likely, which is one reason containment should start immediately.

An organisation that suspects an eligible data breach may have occurred must act quickly to assess the incident.

We recommend you have a legal expert assess whether or not a data breach falls within the NDB scheme, thereby mandating its reporting to the OAIC and the affected individuals. If you get this wrong, the implications can be significant.

What happens if I have an NDB incident?

If you have reasonable grounds to suspect an eligible data breach, the Act requires you to carry out a reasonable and expeditious assessment, and to complete that assessment within thirty (30) calendar days of becoming aware of those grounds. If the assessment concludes that an eligible data breach has occurred, you must prepare an Eligible Data Breach Statement and give it to the OAIC as soon as practicable; the OAIC publishes a Notifiable Data Breach form on its website for this purpose. Then, using the content of the statement, you should prepare and send a separate notification to the individuals affected by the breach, again as soon as practicable. We recommend having a legal professional draft this notification, and on occasion involving a public relations or brand reputation expert in the communications. Finally, you should consider whether you are required to notify your insurer under any policy of insurance (cyber insurance or otherwise). Early notification can offer significant assistance, particularly in funding legal or cyber advice, and in the preparation of the Eligible Data Breach Statement and subsequent communications.

What happens if I fail to notify the OAIC?

Failing to comply with the NDB scheme is itself treated as an interference with an individual’s privacy, and the Australian Information Commissioner has broad powers to enforce penalties against businesses that interfere with privacy. At the time of writing, the maximum civil penalty for a serious or repeated interference was $420,000 for individuals and $2,100,000 for corporations. Amendments in December 2022 substantially increased these maximums (for bodies corporate, to the greater of $50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover), so check the current figures before relying on them.

How does my organisation stay protected?

While it is impossible to guarantee that personal information is entirely secure, there are several preventative and response measures your organisation should implement to reduce the likelihood of a data breach and to lessen its impact when one occurs.

To prevent data breaches, there are organisational and personnel measures to deploy within your organisation. At the organisational level, ensure physical records are stored securely and are accessible only to those personnel who require access; keep systems and security software patched and up to date; restrict access to personal information to those who need it; conduct regular cybersecurity risk assessments and audits; and encrypt and back up sensitive data (and test that the backups can actually be restored). At the personnel level, conduct staff training to raise awareness, and implement data security policies such as a password policy that requires robust, unique passwords for every system, supported by multi-factor authentication. Current guidance from the Australian Cyber Security Centre and NIST recommends against forcing routine password changes; instead, require a change when a password is known or suspected to have been compromised.

We also highly recommend preparing a comprehensive data breach response plan. This should outline your organisation’s strategy for identifying, containing, assessing and managing a data breach incident. Such a plan helps limit the consequences of a data breach and supports the confidence customers or clients will have in your ability to manage their information.

The plan should cover what constitutes a data breach, so that identification is timely; a strategy for containing, assessing and managing data breaches, including the 30-day assessment window under the NDB scheme; the roles and responsibilities of key personnel within the organisation; how to document the data breach, including preserving logs and other evidence needed for the assessment; and a post-incident review of how to prevent a similar breach in the future.

Our team has extensive experience in privacy and data handling law. If you or your business needs advice on a potential notifiable data breach, or would like us to prepare a comprehensive data breach response plan for your organisation, please don’t hesitate to contact a member of our Intellectual Property team.


[1] Privacy Act 1988 (Cth).


This article was written by Ben Gouldson, Director. For further information please contact Ben Gouldson, Director.

The assistance of Harry Bligh, Law Clerk in researching this article is gratefully acknowledged.



CG Law (Trading) Pty Ltd ACN 143 426 028 t/a Clifford Gouldson Lawyers ABN 89 143 426 028 Liability limited by a scheme approved under professional standards legislation.

The contents of this website are provided solely for general information purposes and do not constitute legal or other professional advice. Clifford Gouldson Lawyers expressly disclaims any liability arising from the use or reliance on the information provided. If you require legal or other expert advice or assistance, then you should seek our help or the services of a qualified professional.

Copyright © 2025 Clifford Gouldson Lawyers