New data breach laws

22 February 2018

New rules on responding to data breaches now apply to organisations that earn at least $3 million per year.

Entities will now need to adhere to the Notifiable Data Breaches scheme, which builds on their existing privacy obligations under the Australian Privacy Act 1988.

Organisations operating critical infrastructure and systems of national interest will be affected, as will Australian Government agencies.

Eligible entities will be obliged to notify the Office of the Australian Information Commissioner if a data breach has occurred that is likely to result in serious harm to individuals whose personal information is involved.

Agencies and organisations that suspect there has been an eligible data breach must undertake a reasonable and expeditious assessment to determine whether the breach is likely to result in serious harm to anyone affected.

CERT Australia will continue to support our partners in responding to cyber incidents, including data breaches, but all organisations are solely responsible for ensuring they meet their regulatory requirements.

Further information on the Notifiable Data Breaches scheme, including advice on how organisations can prepare, is available on the Office of the Australian Information Commissioner website.