
12 Jul 13
Proposed mandatory data breach notifications off the agenda, for now


Still plenty to do before the APPs come into force in March 2014

The proposed mandatory data breach notification legislation did not pass the Senate in this parliamentary sitting session, so this issue falls away until after the election at least.

The Australian Privacy Principles and other fundamental privacy reforms still take effect in March 2014, and time is running out to prepare for these changes.


The Privacy Amendment (Privacy Alerts) Bill 2013 sought to introduce a mandatory notification requirement for data breaches that pose a ‘real risk of serious harm’ to affected individuals.  This would have been a radical change to the current regime, under which organisations are encouraged to report breaches voluntarily, but are not required to do so.

As it turned out, the Senate did not have time to debate the Bill before Parliament rose, and so the issue falls away until at least after the election.  However, there is still much work to be done before 12 March 2014.  On that date, major privacy reforms come into effect, including:

  • the replacement of the existing National Privacy Principles (NPPs) for the private sector, and Information Privacy Principles (IPPs) for the public sector, with a harmonised set of Australian Privacy Principles (APPs)
  • new enforcement and investigative powers for the Information Commissioner
  • the implementation of a new civil penalties regime, and
  • fundamental reform to the credit reporting regime.

The new APPs do much more than introduce a name change. They require organisations to ‘design for privacy’ when setting up their business processes, and they introduce significant new obligations.

For example, the APPs introduce:

  • new mandatory matters that must be dealt with in Privacy Policies and Privacy Collection Statements
  • new obligations about how to deal with unsolicited personal information
  • new rules regarding direct marketing, including a mandatory opt out notice in some cases
  • new rules about overseas disclosures of personal information (not to mention increased liability for disclosures by your third party service providers), and
  • increased rights of individuals to access and correct their personal information.

These obligations mean businesses need to review their contracts with third parties, both to ensure that their liability is appropriately covered and to give themselves the power to enforce their privacy processes throughout their supply chain.

Information Commissioner

The Information Commissioner has a more defined role in the promotion of privacy, education and most significantly, enforcement.  The Commissioner can commence own-motion investigations, make declarations and orders, and apply to the Court to enforce those orders.

Civil penalties regime

To complement the Commissioner’s new powers, there will also be a new civil penalties regime.  Penalties of up to $340,000 for individuals, and $1.7m for corporations, can be imposed for breaches of the credit reporting regime, and on anyone who commits a ‘serious or repeated interference with privacy’.

Credit reporting regime

The credit reporting scheme has long been criticised for capturing only negative information.  This will change, with the capture of positive credit information (like regular payment histories) as well.  To address the increased volume of credit information held by credit reporting agencies, strict new rules will be introduced regarding the handling of credit information, and the civil penalties regime will apply to any breaches.

Next Steps

Relying on existing policies, processes and contracts will not be enough to comply with the revised Privacy Act.  The new provisions will require a review of your policy documents and privacy statements, the implementation of internal policies to deal with direct marketing opt outs and information requests, and the updating of contracts with customers and suppliers to ensure your liability for the actions of third parties is appropriately addressed, and you have the ability to enforce your privacy policies and procedures.

There are many issues to deal with, and they will be different for each business.  But your business needs to consider these issues now and allow time to implement all the necessary changes.  We can help you navigate the process. 

Focus covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. Focus is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.
