What you need to Know about Mandatory Breach Reporting

Monday 29 May 2017

With the Privacy Amendment (Notifiable Data Breaches) Bill 2016 on mandatory breach reporting being approved, organisations must now ensure they are ready for the privacy legislation amendments to go live early next year.

GRC Professional talks to Madgwicks Partner, Dudley Kneller, about what this means for organisations and their compliance programs—particularly when it comes to technological developments.

What is Mandatory Breach Reporting?

“New legislation is being proposed and has finally been approved by the senate,” Kneller said. “However, it has taken a couple of different attempts at it, over a couple of years. The concept was first introduced back in 2007, by the then Democrats leader, Natasha Stott Despoja.”

Due to come into effect on 18 February 2018, the amendment will apply to all organisations subject to the existing Privacy Act; thus, it is really a bolster to those existing obligations.

“It is an additional set of obligations that will strengthen existing Australian Privacy Principle APP 11,” Kneller explained. “It introduces the concept that organisations are now required to notify a set of individuals, and the commissioner, in the event of an eligible data breach.”

The amendment aims to improve outcomes regarding the disclosure, interference or loss of information that could cause serious harm to an individual—such as a financial loss or psychological impact.

“It wouldn’t necessarily cover people just for being upset their information has been disclosed.”

What does the notice need to say?

It must:

  • State which organisation has been affected
  • Explain the issue
  • Outline what steps have been taken to remedy the issue
  • Outline the steps customers must take to protect themselves.

Other guidance

Organisations may:

  • Contact users directly
  • Contact a particular group of users
  • Make publications in a national newspaper
  • Make notifications online (on social media or company website).

What are the exceptions?

“There are exceptions in the notification requirements that are consistent with the exceptions in the existing Privacy Act,” Kneller said. “There are exceptions related to law enforcement. If the organisation is involved in some kind of law enforcement activity, then there is no mandatory obligation to notify. If the organisation has taken reasonable steps to remedy the breach within the requisite period of time, then it also doesn’t need to notify.”

“I think this might be a little bit of a thorny issue,” Kneller explained, “because that is an exception organisations will want to be able to rely on. This is probably the most controversial part of the new legislation.”

The Information Commissioner, Timothy Pilgrim, has published guidelines around managing data breaches.

However, “We would expect they will update those data breach response guidelines to cover these mandatory breach notification obligations,” Kneller said.

While a guide on how to handle data breaches already exists, Kneller hopes the new guides on mandatory breach reporting will be released before the law becomes active.

Potential compliance challenges?

“The issue with breach events is that, sometimes, they evolve over time, and it is not clear at what point an event starts and stops,” Kneller said. “So it can be a bit of a line-ball call to make those decisions not to notify, and obviously, organisations are worried about reputation.”

One advantage to notification, however, is that it can help organisations to be more up-front and transparent with their customers. The result of this is a customer-focussed culture, which—after all—can only be an aid to those in the compliance space.

Dudley Kneller is a technology lawyer with a speciality in privacy, social media and strategic sourcing and supply projects. He has more than 18 years’ experience practising across Australia, Europe and the UK and has worked on projects based in a number of countries including the Philippines, India, Russia and throughout South America.

Dudley is listed as one of a group of leading Technology, Media, and Telecommunications lawyers for Melbourne in Doyle’s Guide for 2015 and 2016.

More information can be found in a whitepaper authored by Kneller entitled Australia’s New Mandatory Data Breach Notification Laws.