Explaining Australia’s Mandatory Data Breach Notification Laws

Wednesday 15 February 2017

All businesses and organisations should review their privacy and data security policies to ensure, when handling sensitive information, that they will be able to comply with the new Mandatory Data Breach Notification Laws when they come into force.

On 13 February 2017, the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016.

The objective of the Mandatory Data Breach Notification Laws is to ensure that an ‘eligible data breach’, which is defined as ‘unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity’ where ‘the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates’, is reported to the Office of the Australian Information Commissioner. This information would include personal details, credit reporting information, credit eligibility information and tax file number information.

Under the amendments, an affected organisation will be required to report the incident to the Office of the Australian Information Commissioner and to notify an affected party within 30 days as soon as the organisation becomes aware of any such data breach.

The notification to the affected party must disclose the type of data breach, the particular information affected and how the affected party should respond to the data breach.

Who does this law affect?

The new laws apply only to government agencies and organisations which are governed by the Privacy Act 1988. This means that state government organisations and local councils, plus organisations with a turnover of less than $3 million a year, fall outside the legislation.

Of course, the Privacy Act also applies to some types of businesses with an annual turnover of $3 million or less, including health service providers, businesses that sell or purchase personal information and credit reporting bodies. The Data Breach Notification laws will also apply to these entities.

Consequences for failure to notify a data breach

The bill states that a civil penalty can be applied for serious or repeated interferences with the privacy of an individual, which can attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.

When is the law due to take effect?

The legislation allows 12 months for the government to choose a start date. If no date is chosen, the law will come into effect 12 months from the date of royal assent. This is expected soon.

Affected organisations need to start preparing for compliance now.

UPDATE: On 22 February 2017, the Bill received Royal Assent. The Mandatory Data Breach Notification Laws will take effect from 22 February 2018 unless an earlier date is proclaimed.
