Compulsory data breach notification for Australia

This important piece of legislation was passed on 14 February 2017, and will start either late this year or early next year.

Highlights

Entities conducting business in Australia will have 30 days to investigate whether or not a serious data breach has occurred. 

The legislation applies if there has been an overseas breach for which the entity is responsible - for example where it has disclosed personal information overseas and the overseas entity has suffered a data breach. 

If the investigation reveals there are no reasonable grounds to believe there has been a serious data breach, no additional steps are required. 

If there has been a serious data breach, entities must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable. 

The notification statement must set out the identity and contact details of the entity, a description of the serious data breach, the kind or kinds of information concerned, and recommendations about the steps that individuals should take. 

If affected individuals can't be notified, then the entity must publish a copy of the notification statement on its website (if any) and take reasonable steps to publicise the contents of the statement (such as through social media or an online or print ad).

The OAIC can also direct an entity to notify if the OAIC believes there has been a serious data breach, and the entity must comply as soon as practicable.

The assessment of whether or not a data breach is serious is complex: Bird & Bird has developed a flow chart to help entities make this assessment. 

Please contact Lisa Vanderwal (details below) if you would like a copy, or would like any further information in relation to the data breach notification regime.
