Robert Gregory
Rob is an experienced commercial lawyer who advises Australian and international public, private and for‑purpose clients across education, technology, media, telecommunications and consumer law.
View profileAll potentially affected entities should amend its existing privacy policy and have in place a data breach response plan
The new Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018.
The NDB scheme is contained in Part IIIC of the Commonwealth Privacy Act 1988 (Cth) (Privacy Act). The Privacy Act also contains the Australian Privacy Principles (APPs).
The NDB scheme applies to developers who have existing personal information security obligations under the Privacy Act. If in doubt, seek legal advice as to whether the NDB scheme applies to you.
If an entity is aware that there are reasonable grounds to believe that there has been an 'eligible data breach', it must notify the Office of the Australian Information Commissioner (Commissioner) and affected individuals.
An eligible data breach occurs when there is loss of, unauthorised access to, or unauthorised disclosure of, personal information, which is likely to result in serious harm, and remedial action has not been taken to prevent such risk of harm.
This statement must also form the basis of the notification to individuals.
The NDB scheme provides flexibility for notifying individuals at risk of serious harm and its depends on what is practicable for the entity.
Accordingly, developers must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result require notification. Timing is critical in responding to a data breach. Delays in notification can expose developers to significant financial penalties, as well as brand damage and loss of customer confidence.
We strongly recommend that, among other things, all potentially affected entities amend its existing privacy policy and have in place a data breach response plan. If you are caught by the NDB scheme and do not yet have a data breach response plan in place, this should be a key priority for your organisation.
Contact the Cyber & Data Resilience team.
Rob is an experienced commercial lawyer who advises Australian and international public, private and for‑purpose clients across education, technology, media, telecommunications and consumer law.
View profileViviane has extensive experience advising government and major organisations across technology, telecommunications, pharmaceutical, professional services and education sectors on IP and all aspects of technology.
View profileKeep up to date with our legal insights and events
Sign upOAIC determinations clarify privacy obligations for organisations using tracking pixels.
Participation requires much more than a legal response.
When does a local distributor of goods who has no knowledge of any product defects breach its duty of care to consumers?
Partner
Sector Leader - Education
Melbourne