Back to top

Changes to Privacy Reporting Laws

6 June 2018

On 22 February 2018 the Federal Data Breach Notification Law comes into force. The law makes it mandatory for businesses who are bound by the Privacy Act to self-report certain types of data breaches including website breaches.

It is important for you to determine whether or not you must comply to this law – in brief the law covers businesses and not-for-profits who have an annual turnover of $3 million or more, health services providers, credit providers, credit reporting bodies AND businesses who trade in personal information.

Certain data breaches must be notified
Where there is unauthorised access, unauthorised disclosure or loss of personal information that is likely to result in serious harm to a person, a business must notify the affected person/s and the Australian Information Commissioner. The new law makes notification mandatory.

Suspected data breaches must be investigated
If a business suspects a data breach has occurred, it must investigate to determine if the data breach needs to be notified. The new law says that businesses can’t ignore suspected data breaches or turn a blind eye.

The relevant legislation can be viewed at:

First you need to determine whether your website is impacted by this change. If you store personal information online including peoples addresses, phone numbers, email addresses then this law may apply to you.

If you believe you are affected and need help or support services to comply with this Law please feel free to contact us to discuss your options.