According to the Attorney General, nearly one million people were exposed to a breach of their private information in 2016, quite a startling statistic given the increasing amount of personal data being housed online. To combat some of this activity there has been a major overhaul of the current Privacy Act 1988 that will come into effect in February of this year. The changes to the legislation are intended to address some shortcomings in the current laws where breaches are becoming increasingly damaging to individuals, particularly if the breach is not disclosed immediately. Of key importance is that data breach notification will become mandatory for all entities required to comply with the Act. This includes all Australian Government agencies as well as organisations and not-for-profits with an annual turnover in excess of $3 million.
What is a data breach?
A data breach is a situation where:
- there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals.
- such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
- there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
Relevant data can include data such as personal information, credit information and tax file numbers.
A real risk of “serious harm” can include physical, psychological, emotional, economic and financial harm, and also includes serious harm to reputation.
What are the major changes to the Privacy Act?
The Privacy Amendment (Notifiable Data Breaches) Act 2017 means that all entities covered by the Australian Privacy Principles will now be obliged to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC), “as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.” The Commissioner is then able to direct an organisation to notify the individual/s whose privacy has been breached.
Entities currently subject to the Privacy Act are only ‘encouraged’ to notify the OAIC where there has been a data breach, but they will now have a legal and time-critical obligation to do so. Notification can be made via a public statement, or in the manner the Commissioner has directed where the Commissioner has required the entity to publicly disclose the breach.
Failure to notify that is deemed to constitute a serious interference with privacy under the Act might result in a fine of up to $360,000 for individuals or $1.8 million for organisations. In addition to the financial penalties, these breaches could also result in third-party claims, interruptions to business, impacts on data and costs associated with managing customer notifications.
What should I do to prepare for the changes?
In light of the changes, there’s no better time to safeguard your organisation and embed processes that comply with the new requirements. This could include:
- Sharing information with relevant staff;
- Modifying processes and practices to ensure they uphold the recent changes;
- Appointing a staff member or steering committee to oversee all relevant activities;
- Undertaking a risk assessment to flag any real or potential risks that may cause problems once the regulations are enacted.
How can Abacus help?
PSC Hiscock Insurance Brokers offers Abacus members a unique Professional Indemnity policy with a Cyber Cover extension.
The cover is for a limit of $250,000, subject to the policy wording, and incurs an additional premium of $225.
For further information or to discuss your PI Insurance needs, contact Roy Chen on 0472 877 991 or firstname.lastname@example.org