The data breach notification regime
Notifying of an eligible data breach
Consequences of failing to comply with the data breach notification regime
Commercial considerations
The mandatory data breach notification regime was enacted into the Privacy Act 1988 (Cth) (the Act) through the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).
Identifying whether the data breach notification regime applies to you
The mandatory data breach notification regime applies to the following bodies (s 26WE, the Act):
- APP entities;
- credit reporting bodies;
- credit providers; and
- file number recipients.
The regime also applies to those entities in respect of information they have disclosed to an overseas recipient, or to a body or person with no Australian link: the disclosing entity is treated as if it still held the information.
However, a breach does not need to be notified under the regime where it is required to be notified under the My Health Records Act 2012 (Cth).
See Identifying whether the data breach notification regime applies to you.
Identifying whether the data breach is notifiable
A data breach will be notifiable if it is an “eligible data breach”.
An eligible data breach occurs where:
- there is unauthorised access to, or unauthorised disclosure of, information; or
- information is lost in circumstances where unauthorised access to or disclosure of the information is likely to occur; and
- in either case, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
If an entity is aware of reasonable grounds to suspect that an eligible data breach may have occurred but cannot confirm it, it must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe an eligible data breach has occurred, and must take all reasonable steps to complete that assessment within 30 days of becoming aware of those grounds.
See Identifying whether the data breach is notifiable.
Taking remedial action to prevent an eligible data breach
If an entity is able to take appropriate remedial action in relation to an incident, it may mean that no individuals are likely to suffer serious harm, which in turn means that the incident will not be an eligible data breach and will not need to be notified.
See Taking remedial action to prevent a notifiable data breach.
The types of data breaches being reported
The Office of the Australian Information Commissioner releases a quarterly statistics report which gives an insight into the number and types of breach notifications, as well as the industries most affected.
Because the scheme commenced on 22 February 2018, the first Notifiable Data Breaches Quarterly Statistics Report covered only part of February and all of March 2018 (63 breaches were notified). The second report, covering 1 April to 30 June 2018, records 242 notifications, of which 36% were attributed to human error, 59% to malicious or criminal attacks and 5% to system faults. The majority (61%) of breaches involved the personal information of 100 or fewer individuals.
The kinds of personal information affected were:
- contact information (89% of notifications);
- financial details (42%);
- identity information (39%); and
- health information (25%).
These figures add to more than 100% because a single breach commonly involves several kinds of information.
The sector with the highest number of notifications was health service providers (49 of the 242 notifications), followed by finance (36) and legal, accounting and management services (20).
Notification to both the Privacy Commissioner and affected individuals is required once an entity becomes aware that there are reasonable grounds to believe an eligible data breach has occurred.
However, even where an entity has experienced an eligible data breach, notification is not required, or is required only in a limited form, where:
- the breach is also an eligible data breach of another entity that has already complied with the notification obligations under the regime;
- notification would be inconsistent with a secrecy provision;
- the Privacy Commissioner has declared that notification is not required in relation to the breach; or
- notification would be likely to prejudice enforcement-related activities.
See Identifying when notification is required.
Notifying the Privacy Commissioner
An entity is required to prepare a statement about the eligible data breach and to give a copy of it to the Privacy Commissioner as soon as practicable.
The statement must contain:
- the entity’s identity and contact details;
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened;
- the kind or kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the eligible data breach.
See Notifying the Privacy Commissioner.
Notifying the affected individuals
Once the statement for the Privacy Commissioner has been prepared, an entity must also, as soon as practicable, notify the individuals affected by the eligible data breach of its contents, using one of the following options:
- if practicable, by notifying each individual to whom the relevant information relates;
- if practicable, by notifying each individual who is at risk from the eligible data breach; or
- if neither of the above is practicable, by publishing a copy of the statement on the entity's website and taking reasonable steps to publicise its contents.
If the entity normally communicates with a particular individual using a particular method, it may use that method to notify that individual.
See Notifying the affected individuals.
Notifying other persons
If a data breach occurs, an entity should also consider the extent to which it is required to, or should, notify other persons, such as regulators, insurers or the market.
For more information, see the guide Data breach preparation and response – A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth), available on the Office of the Australian Information Commissioner website.
If the Privacy Commissioner is aware that there are reasonable grounds to believe an entity has experienced an eligible data breach, the Privacy Commissioner may direct the entity to prepare a notification statement. An entity must comply with such a direction as soon as practicable.
Before giving a direction, the Privacy Commissioner must invite the entity to make a submission about it. The Privacy Commissioner will consider that submission, any relevant advice from third parties and any other relevant matters before deciding whether to give the direction.
A statement prepared under a direction must be given to the Privacy Commissioner and notified to affected individuals in the same way as a statement the entity prepares of its own accord.
The Privacy Commissioner’s decision to give a direction may be reviewed on application to the Administrative Appeals Tribunal.
See Receiving a direction to notify from the Privacy Commissioner.
Enforcement and penalties under the Privacy Act 1988 (Cth)
Failure to comply with the obligations of the mandatory data breach notification regime is deemed to be an interference with the privacy of an individual and therefore a breach of the Privacy Act 1988 (Cth) (the Act). This engages the Privacy Commissioner’s enforcement powers under the Act, as well as the relevant penalties under the Act.
See Enforcement and penalties under the Privacy Act.
See Consequences for breach of obligations.
When negotiating and drafting contracts with partner organisations, an entity should ensure that data breach notification obligations are clearly allocated. One important consideration is which entity will notify the Privacy Commissioner and affected individuals where an eligible data breach affects more than one entity, since the regime is satisfied once one of those entities has notified.
Entities should also ensure that all relevant personnel understand the contractual obligations that may arise under commercial contracts if a data breach occurs.
See Data breach notification obligations in commercial contracts.
Obligations under corporations law
Various obligations under corporations law may arise in the context of cybersecurity and data breaches. Directors and officers owe a duty of care and diligence which extends to understanding their company's cybersecurity strategy and its obligations under privacy law. In addition, listed entities have a continuous disclosure obligation to inform the market where a data breach may have a material effect on the price or value of their shares. The obligations that apply will vary with the type of entity involved in the breach.
See Obligations under corporations law.
Other commercial considerations
Entities that hold cyber insurance should document the evidence surrounding a data breach so that it can be disclosed to the insurer when making a claim. It is also important to retain evidence of cybersecurity incidents, as it may be required in an audit or due diligence process.