Close this search box.

Data Breach Notification Becomes Mandatory in Australia: What You Need To Know


With the passing of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, both private and public Australian organisations will now be obliged to notify the Office of the Australian Information Commissioner (OAIC) in the event of a data breach. The requirement to report will commence on 13 February 2018, 12 months after being approved by both Houses of Parliament.

Previously, Australian companies were free to withhold that information, safeguarding them, albeit temporarily, from potential reputational damage as they scramble to understand the extent of the cyber breach.

Whether it’s a data leak, malicious or accidental, the change in legislation will now require companies to report those breaches within 24 hours to the OAIC and the affected individuals who may have been subject to the breach.

The aim of these laws is to incentivise the holders of data to adequately secure that information. We’ve assessed the recent changes and summarised the key points for you below:

Who exactly will be affected?

The change in legislation will apply to any organisation that stores personal information of employees, clients or customers, credit reports and financial information, and any other information required to be kept secure under the Privacy Act 1988 (Cth). It also affects not-for-profict organisation with an annual turnover more than $3 million.

If you have employee, client or customer information stored locally in your organisation, it is likely you will be captured as an entity required to report.

What exactly constitutes a data breach?

The obligation to report is for an entity that becomes aware on reasonable grounds that there has been an eligible data breach.

An eligible data breach, as described by the Bill, is whether either:

  • there is unauthorised access to, or disclosure of, the relevant information, and a reasonable person would conclude that the access or disclosure would likely result in serious harm to any of the individuals to whom the information relates
  • the relevant information is lost in circumstances where unauthorised access to or unauthorised disclosure of that information might occur, and if it did, a reasonable person would conclude that it would be likely to result in serious harm to any of the individuals to whom the information relates.

Serious harm can be interpreted in a few ways, but many will agree, that the release of personal information to an unauthorised source, including name, email, address, or contact details, constitutes serious harm. Whereas, unauthorised access to information that is publicly available would likely not fall under that banner. We suggest it best to take a stricter approach to the meaning when in doubt.

What exactly will I have to do?

In addition to taking steps to contain the breach, your organisation must as soon as practicable after becoming aware of a data breach, prepare a statement that includes a general description of the type of information that was exposed, what individuals can do to mitigate the harm caused by the breach (ie. change passwords), and who they can call to get further information or assistance.

You are also required to provide a copy of the statement to each individual whom the compromised information affected or is at risk of being affected. If providing such a statement to the individuals is not practical, you will be required to publish a copy of the statement on your website and take reasonable steps to publicise the content of the statement.

You should also engage a third party advisor to conduct a preliminary assessment of the breach and evaluate the risk associated with the incident and advise on measures to prevent future occurrences.

What if we only suspect a breach may have occurred?

The Bill also speaks about the potential for breach, and requires your organisation, should it not be sure whether an actual eligible data breach had occurred, to immediately carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe a data breach occurred. Such assessment is required to be finalised within 30 days of becoming aware of grounds for suspicion.

This is generally best done by a third party advisor who can work with your internal team to review the logs and determine the extent of the suspicion.

Where to from here?

Your best course of action would be to consider begin focusing on an updated and compressive risk assessment of your cyber defences, work on policy development and increase staff training. It is also crucial to developing a monitoring compliance program that will ensure logs and other important information is regularly reviewed.

It is important to take each situation seriously and move quickly to contain and assess the suspected breach.

Breaches that may initially seem immaterial may have a significant impact to your organisation when their full implications are realised.

Your company should make a decision about how to respond to various case scenarios. Successful planning will likely mitigate the disastrous affects as seen in some well published large scale data breaches.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235


Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →