New data breach laws

8 January 2018

New rules on responding to data breaches come into play in February 2018, affecting organisations that earn at least $3 million per year.

From 22 February, entities will need to adhere to the Notifiable Data Breaches scheme, which builds on their existing privacy obligations under the Australian Privacy Act 1988.

Organisations operating critical infrastructure and systems of national interest will be affected, as well as Australian Government agencies.

Eligible entities will be obliged to notify the Office of the Australian Information Commissioner if a data breach has occurred that is likely to result in serious harm to the individuals whose personal information is involved.

Agencies and organisations that suspect there has been an eligible data breach must undertake a reasonable and expeditious assessment to determine whether the breach is likely to result in serious harm to anyone affected.

CERT Australia will continue to support our partners in responding to cyber incidents, including data breaches, but all organisations are solely responsible for ensuring they meet their regulatory requirements.

Further information on the Notifiable Data Breaches scheme, including advice on how organisations can prepare, is available on the Australian Information Commissioner website.