Notification of data breaches
Do data breach notification laws apply to councils?
You’ve no doubt heard about the new Notifiable Data Breaches (NDB) scheme, which commenced on 22 February 2018. But have you wondered – does it apply to Victorian Councils?
The NDB scheme is contained in Part IIIC of the Commonwealth Privacy Act 1988. This Act also contains the Australian Privacy Principles (APPs).
While the APPs do not apply to local councils (see s 6C), councils may be subject to the NDB scheme where they are tax file number (TFN) recipients (see s 26WB).
A TFN recipient is anyone who is (whether lawfully or unlawfully) in possession or control of a record that contains TFN information. Where that record is held in the course of a person’s employment, the recipient is taken to be the person’s employer.
Under the NDB scheme, entities are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of any eligible data breaches. An eligible data breach occurs when there is loss of, unauthorised access to, or unauthorised disclosure of, personal information, which is likely to result in serious harm, and remedial action has not been taken to prevent such risk of harm.
The OAIC has published a range of guidance on the NDB scheme.
Maddocks has also published a number of articles on the NDB scheme - for example, this recent blog post.
So, to the extent that your council is a TFN recipient, it will need to prepare for the NDB scheme, including reviewing its systems containing TFN and personal information (such as payroll systems) and its data breach response plans.
Need advice on data breach notification laws?
Contact the Cyber & Date Resilience team.
Recent articles
Amendments to the ACT's Building and Construction Industry (Security of Payment) Act 2009
By Pria O'Sullivan, and Susan Guo
Recent updates to the Australian Capital Territory’s Building and Construction Industry (Security of Payment) Act 2009.
Reform to Australia’s merger clearance regime
By Ron Smooker, Shaun Temby, Jacqueline Picone, and Oliver Wahlstrom
A new mandatory, suspensory merger review system conducted by the ACCC comes into effect in Australia on 1 January 2026.
What all Victorian Government personnel need to know about OVIC’s recent statement on ChatGPT
By Robert Gregory, Georgia Hunt, and Jack Curran
Generative AI, including ChatGPT is becoming common in all facets of personal, professional and public life.
Important changes to the Workplace Injury Rehabilitation and Compensation Act 2013 concerning workers’ compensation in Victoria
By Catherine Dunlop, Jessica Mourney
From 31 March 2024, amendments to the Victorian workers’ compensation scheme took effect
Partner
Melbourne