Cyber Security: Data Breach Notification Bill 2016

A new dawn has arrived in Australia in relation to data security breaches.
Government organisations, businesses and consumer groups are required to work together in transitioning to the Privacy Amendment (Notifiable Data Breaches) Bill 2016 which establishes a mandatory data breach notification scheme in Australia and aims to strengthen community trust in businesses and agencies.

Is it applicable to my organisation?

This bill applies if your organisation falls into any of the following categories:

  • Australian Government agencies (governed by the Office of the Australian Information Commissioner)

  • Businesses and not-for-profit organisations with an annual turnover of more than $3 million.

It also applies to businesses with an annual turnover of less than $3 million that operate as:

  • Private sector health service providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)

  • Child care centres, private schools and private tertiary educational institutions.

  • Businesses that sell or purchase personal information, along with credit reporting bodies.

Irrespective of applicability, this is an opportunity to review how your organisation manages and protects its data, and to better prepare for managing a data breach when it occurs.

How much time do I have?

The Bill will now be presented to the Governor-General and its key provisions will come into operation on a date fixed by proclamation or 12 months after assent.

Are there any penalties?

A civil penalty for serious or repeated interferences with the privacy of an individual will be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate. 

So, what should I do?

Step 1: Before collecting personal information, consider:

  • What personal information is necessary to collect?

  • How long does the personal information need to be kept?

Step 2: Put reasonable controls in place to secure that information:

  • Risk assessment – Identify the security risks to personal information held by the organisation and the consequences of a breach of security.

  • Policy development – Develop a policy or range of policies that implement measures, practices and procedures to reduce the identified risks to information security.

  • Staff training – Train staff and managers in security and fraud awareness, practices and procedures and codes of conduct.

  • Technology – Implement privacy enhancing technologies such as access control, copy protection, intrusion detection, and robust encryption.

  • Monitoring and review – Monitor compliance with the organisation’s security policy.

  • Vendor management – Define appropriate contract management processes with external IT vendors.

A data breach occurs. Now what?

1. Contain the breach and make a preliminary assessment

  • Take immediate steps to contain the breach

  • Designate a person or team to coordinate the response

2. Consider breach notification

  • Carry out a risk analysis on a case-by-case basis

  • Not all breaches necessarily warrant notification

3. Evaluate the risks for individuals associated with the breach

  • Consider what personal information is involved

  • Determine whether the context of the information is important

  • Establish the cause and extent of the breach

  • Identify the risk of harm

4. Review the incident and take action to prevent future breaches

  • Fully investigate the cause of the breach

  • Consider developing a prevention plan

  • Consider an audit to ensure the plan is implemented

  • Update security/ response plan

  • Make appropriate changes to policies and procedures

If you would like to find out more about cyber security and the ways in which you can protect your data, please contact your ShineWing Australia relationship partner on the details below.

Jonathan Thomas
Partner, Assurance and IT Advisory Services
ShineWing Australia
T +61 3 8635 1800