With the exponential growth of technology and information sharing, the risks associated with data breaches are becoming an increasing concern on a global scale. In Australia, a 2013 survey conducted by the Australian Information Commissioner (AIC) revealed that 89 percent of respondents were worried about the security of their personal information. The same survey revealed that over 90 percent of respondents believed they should be informed if personal information is lost, and would want to know how government and organisations protect and handle personal information. These user expectations, together with important legislative developments, are giving rise to increased obligations for entities dealing with personal information.

Australian regime

In Australia, obligations with respect to data privacy and protection are primarily dealt with by the Privacy Act 1988 (Privacy Act), which is administered by the AIC with support from the Australian Privacy Commissioner (APC). Although a voluntary data breach notification scheme has been in place since 2008, more recently the focus has shifted to the implementation of a mandatory scheme. Following the lapse of two earlier related bills, the latest amendments proposed in the Privacy Amendment (Notifiable Data Breaches) Bill 2016 purport to bridge this gap in Australian data security law. The proposed amendments provide that any entity holding personal information will be obliged to provide a notification to affected individuals and the AIC if: (i) it has reasonable grounds to believe that there is unauthorised access to, disclosure of, or loss of personal information that it holds; and (ii) the access, disclosure or loss is likely to result in a real risk of serious harm to any of the individuals to whom the information relates.

Jan-Mar 2017 issue

Clifford Chance