Australia’s Mandatory Data Breach Notification Laws

The new Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018.

The NDB scheme is contained in Part IIIC of the Commonwealth Privacy Act 1988 (Cth) (Privacy Act).  The Privacy Act also contains the Australian Privacy Principles (APPs).

The NDB scheme applies to developers who have existing personal information security obligations under the Privacy Act. If in doubt, seek legal advice as to whether the NDB scheme applies to you.

If an entity is aware that there are reasonable grounds to believe that there has been an ‘eligible data breach’, it must notify the Office of the Australian Information Commissioner (Commissioner) and affected individuals.

An eligible data breach occurs when there is loss of, unauthorised access to, or unauthorised disclosure of, personal information, which is likely to result in serious harm, and remedial action has not been taken to prevent such risk of harm.

The statement to be provided to the Commissioner must include the following information:

  • the identity and contact details of the entity
  • a description of the eligible data breach that the entity has reasonable grounds to believe has happened
  • the kind or kinds of information concerned
  • recommendations about the steps that individuals should take in response to the eligible data breach

This statement must also form the basis of the notification to individuals.

The NDB scheme provides flexibility in how individuals at risk of serious harm are notified, depending on what is practicable for the entity.

There are three main alternatives:

  • notify all individuals to whom the relevant information relates – this method will apply if it is not practicable to separately identify persons who may specifically be affected by the breach
  • notify affected individuals – where you are able to separate out particular individuals who are at risk from the breach
  • if neither of the above is practicable, you must communicate the breach by publishing a statement on your website (if you have one) and otherwise by taking reasonable steps to publicise it.

Accordingly, developers must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm and therefore requires notification. Timing is critical in responding to a data breach. Delays in notification can expose developers to significant financial penalties, as well as brand damage and loss of customer confidence.

We strongly recommend that, among other things, all potentially affected entities amend their existing privacy policies and have in place a data breach response plan. If you are caught by the NDB scheme and do not yet have a data breach response plan in place, this should be a key priority for your organisation.

Authors
Robert Gregory | Partner
T +61 3 9258 3770
E robert.gregory@maddocks.com.au
Viviane Karoumbalis | Senior Associate
T +61 3 9258 3521
E viviane.karoumbalis@maddocks.com.au
