Australia's Mandatory Breach Notification Explained

Australia's Mandatory Breach Notification Explained - A Guide For Small Business Owners

This article has been written with contribution from Alan Arnott (Managing Partner) and Sophia Joo (Lawyer) at Arnotts Technology Lawyers.

In a world where personal data is at the core of most transactions, the need for privacy protection has never been greater. In light of the increasingly data-driven economy, there has also been a rise in the number of malicious actors online who prey on businesses. Indeed, Australians have recently witnessed multiple large-scale cyber-security incidents resulting in the loss of millions of Australians’ data, their personal information being sold on the dark-web or otherwise misused.

Despite the significance of ensuring the protection of individuals’ personal information, it has been hard to keep legislation ahead of digital changes, leaving gaps and grey areas that have taken time to address. Most small businesses in Australia have not had strong legal guidelines, with the majority of laws in place, including the Privacy Act 1988 (Privacy Act) that governs privacy in Australia, primarily affecting businesses with a larger turnover (over $3 million annual turnover).

The Australian Government recognised the need to streamline data security in response to escalating concerns about who can access personal data and how it is accessed. In 2019, the Privacy Act Review began in response to the ACCC’s Digital Platforms Inquiry, more of which we’ll look at below. Early 2023 saw this review finalised and recommendations made, with the Commonwealth Government's response to recommendations released in late September of 2023.

Recommendations were made to strengthen measures to preserve privacy and safeguard personal information. One of the most significant changes to unfold has been the removal of an exemption for small businesses to comply with the Privacy Act, including compliance with the mandatory data breach notification laws (Mandatory Breach Notification Laws). There has always been a recommendation for small businesses to voluntarily do so, but no formal legal requirement.

The Privacy Act Review recommendations have left many small businesses unsure of what changes will happen. At the time of writing this, recommendations from the review have still not come into play - with a potential rollout in 2024. This will be done after careful consideration is given and consultation is undertaken to assess the impacts the amendments will have on small businesses, balanced with the benefits to individual privacy and data protection.

The need for expansion in a digital era 

As uptake of digital platforms increased, data breaches has become increasingly common and public awareness has surged. Australian regulatory bodies and security agencies have responded by reviewing current policies to create more robust processes to protect personal data. Among these initiatives is the requirement for larger or more data-sensitive organisations to report known or suspected data breaches to relevant authorities and affected parties.

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, which came into effect in early 2018, made it mandatory for all agencies and organisations subject to the Privacy Act to comply with the Mandatory Breach Notification Laws (also known as the Notifiable Data Breach Scheme). This involves an entity that is aware of, or suspects an eligible data breach to have occurred, to conduct an assessment of and contain the incident, determine whether an eligible data breach has occurred and if so, notify the Australia’s Information Commissioner, and affected individuals.

Small businesses who are currently exempt from the Privacy Act are not subject to the Mandatory Breach Notification Laws.

However, in light of the increasing impact and use of digital platforms, in 2019, the ACCC’s Final Report on the Digital Platform Inquiry recommended, amongst other things, a broad reform of the Privacy Act to ensure greater protections for individuals. The government responded with an announcement that it would review the Privacy Act to strengthen its protections for individuals, with consultations kicking off in 2020.

In 2022, the Attorney-General's Department, led by Australian Attorney-General, Mark Dreyfus, finalised and released a comprehensive review of the existing privacy laws. The consensus was clear: more needed to be done to safeguard individuals' personal information. Dreyfus acknowledged that the current laws were outdated and ill-suited to the digital age, spurring the overhaul of existing regulations.

“Australians increasingly rely on digital technologies for work, education, health care and daily commercial transactions and to connect with loved ones. But when they are asked to hand over their personal data they rightly expect it will be protected.”

Attorney General Mark Dreyfus

Dreyfus' review aimed to introduce substantial reforms, further strengthening privacy protections. These proposed changes include broadening the definition of personal information, eliminating exemptions like the employee records exemption and small business exemption, refining the requirements for an organisation's privacy policy and collection notice, imposing fair and reasonable obligations for handling personal information, changing rules for cross-border data flows, and expanding individual rights. These rights included the right of erasure, direct action, and the establishment of a tort of privacy.

These adjustments would move Australia closer to the high privacy standard set by the EU's General Data Protection Regulation (GDPR). Similar data protection laws are emerging worldwide - signifying a global shift in data privacy standards.

What changes have been made to the Privacy Act and Mandatory Breach Notification laws in Australia that may impact small businesses?

Australia's digital data protection laws have been in effect for some years, primarily governing larger organisations. These measures have historically been applied to entities with an annual turnover of $3 million or more, some government agencies, and industries handling personal data that is more susceptible to attempts to access, such as healthcare providers and financial institutions.

As of September 2023, the Australian Government has agreed in principle to remove the exemption for small businesses to comply with the Privacy Act, which would also mean small business would become subject to the Mandatory Breach Notification Laws. However, it’s unknown at this time if this will be an obligation or attract penalties for non-compliance, as larger organisations have faced.

Over 94% of Australian businesses are small businesses - generating over $800 billion annually. This means that these changes have the potential to impact over 2.4 million small business owners in this country - or more - because micro businesses with an annual turnover of less than $75,000 don't need to register for GST and have not been included in this data.

Will small businesses face Mandatory Breach Notification penalties?

Small businesses are frequently the target of cyber-attacks and experience data breaches often, many of which occur due to limited cyber security protections or simply - human error.

Regulating smaller businesses will heighten data security collectively, but many business owners are concerned with how they will implement any new legislation or worried about penalties that may apply.

Presently, the Australian Government has committed to looking at the impact new legislation in this area will have on small businesses, including undertaking consultations to determine the most appropriate way to ensure small businesses meet privacy obligations proportionately. A transitional period will likely occur from 2024 onwards, and there may be some support packages made available.

It is also likely that in the short term, small businesses that engage in higher-risk activities such as collecting biometric information for the purposes of automated biometric verification will not be able to rely on the small business exemption.

Businesses governed by current Australian Privacy Laws face maximum fines for privacy law breaches that can be the greater of:

  • $50,000,000
  • 3 times the amount of any benefit gained by the offence, or,
  • 30% of the business’s domestic turnover

Whilst the new recommendations are an excellent step forward in terms of securing the privacy of Australians - they are yet another consideration for smaller businesses to contend with, many of whom may have already been impacted in the previous years with increased cyber guidelines to comply with, a pandemic and increasing costs and interests rates.

We’ll look at a brief history of how we arrived here and current obligations under the Australian Privacy Principles (APPs) and Mandatory Breach Notification laws, followed by recommendations that have been made based on the Privacy Act Review.

How we arrived here - a timeline of data & privacy protection in Australia

Privacy laws are not new in this country, but the furious pace of technology has made it challenging to respond to concerns as quickly as they arise. Below is a timeline of how Australian consumer data has been managed in the last 35 years, including more recent legislation that has come about to increase data security as technology expands.

Whilst privacy and data security have been areas of focus for decades, with both national and international laws in place to protect information, it’s become an increasingly technical and complex area. As data has moved from paper and on-premise storage to cloud and digital storage, a very different set of data protection challenges have required addressing - which require strong cyber security policies and implementation.

If you need technical advice in this area, please get in touch or take a look at Harvey Norman’s Cyber Security services. For legal advice, contact Arnotts Technology Lawyers.

1988: This year saw The Privacy Act of 1988 (Commonwealth) passed in Australian Parliament to regulate how personal data was collected, used, disclosed and stored, and covered some government agencies and particular industries deemed high risk in terms of sensitive data, such as healthcare and finance.

The Privacy Act was created in agreement with guidelines set out by the OECD (Organisation of Economic Cooperation and Development), and in line with Part III, Article 17 of the United Nations Human Rights ‘International Covenant on Civil and Political Rights’ (1966). This framework was also foundational for the Australian Government’s Information Privacy Principles (IPPS).

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks.

    Part III, Article 17 of the United Nations Human Rights ‘International Covenant on Civil and Political Rights’ (1966)

    1989: The Privacy Act of 1988 commenced in Australia, which included the Information Privacy Principles (IPPs) governing the handling of personal information by government agencies.

    2000: The Privacy Amendment (Private Sector) Act (Bill 2000) was amended, extending the Privacy Act's application to the private sector, including businesses with an annual turnover of $3 million or more. This also included the introduction of the National Privacy Principles (NPPs) for the private sector.

    2011: The National Digital Economy Strategy delivered a broad strategy for Australia’s digital goals and considerations to be addressed during the country’s transition into a digital era.

    2012: Privacy Amendment (Enhancing Privacy Protection) Act 2012. This amendment introduced significant changes to the Privacy Act, including the introduction of the Australian Privacy Principles (APPs) to streamline and replace the NPPs & IPPs, once the legislation came into effect in 2014. The changes aimed to enhance privacy protections, and new requirements for data breach notifications were introduced.

    2017: In response to increased digital privacy concerns, organisations subject to the Privacy Act were governed by mandatory data breach laws. This required organisations to notify individuals and the Office of the Australian Information Commissioner (OAIC) of any eligible data breaches. An eligible data breach occurs when unauthorised access, disclosure, or loss of personal information ‘likely to result in serious harm’ occurs.

    The Privacy Amendment (Notifiable Data Breaches) Act 2017 is the legislation that introduced the Notifiable Data Breaches (NDB) scheme in Australia.

    2017: The ACCC Digital Platform Inquiry commenced to research the impact of digital search engines, social media platforms, and digital content aggregators on competition in media and advertising services markets in Australia.

    2018: The Mandatory Data Breach Notification Scheme came into effect on February 22,

    2019: The final ACCC Digital Platforms Inquiry report was released, making 23 recommendations across competition law, consumer protection, media regulation and privacy law.

    2019: The Privacy Act Review began in December 2019 in response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry.

    2022: The Privacy Act Review was being finalised.

    2023: The Attorney-General publicly released the Privacy Act Review on 16 February, 2023, which contained 116 proposed amendments to enhance the privacy protections of Australians.

    6 months after the report was released, on 28 September 2023, the Australian Commonwealth Government responded to the Attorney-General’s report on the Privacy Act 1988 (Cth) review, agreeing with 38 of the 116 proposals made, and agreeing to a further 68 in principle, and noting the final 10.

    2024: 2024 is expected to see finalisation of the Privacy Act Review recommendations, with changes for businesses generating annual revenue of less than $3 million likely to come into play, after impact projections and necessary industry consultation.

    The APPs - Australia’s Privacy Law Framework

    The APPs have set the framework for privacy guidelines in Australia for some decades. In 2014, the Australian Privacy Principles (APPs) replaced the National Privacy Principles (NPPs) and Information Privacy Principles (IPPs), to establish a set of privacy principles that apply both to government, and the private sector.

    Australian Privacy Principles (APPs)

    The APPs are a set of privacy principles which came into force in 2014 as part of the Privacy Amendment (Enhancing Privacy Protection) Act 2012. There are 13 APPs, which specify how Australian entities should handle personal information, which apply to Australian Government agencies and for now, organisations with an annual turnover of AUD 3 million or more. Those covered by the Privacy Act, and therefore subject to the APPs are referred to as APP entities.

    They also apply to some smaller organisations, specifically those in the health service provider industry, certain smaller businesses, and credit reporting bodies. Key principles include rules for the collection, use, and disclosure of personal information, as well as ensuring data accuracy, data security, and providing individuals with access to their information. The introduction of the APPs significantly enhanced the protection of personal information in Australia and set the stage for the 2018 Notifiable Data Breaches (NDB) scheme.

    The APPs expanded on the principles of the NPPs and introduced new requirements, such as the mandatory notification of data breaches and obligations related to cross-border data flows.

    While the NPPs were more general and applied to a broader range of organisations, the APPs brought greater specificity and accountability to data protection. Both sets of principles aimed to safeguard individuals' personal information and ensure that organisations handled data transparently and responsibly.

    It's important to note that the APPs have been effective in Australia since the reforms in 2012, and they continue to play a fundamental role in privacy regulation in the country. Some significant obligations that apply to APP entities include:

    • Maintaining an up-to-date privacy policy;
    • Notifying individual at collection (or as soon as practicable afterwards) of specified matters;
    • Security measures to ensure the protection of personal information held by APP entities;
    • Destroying or de-identifying personal information; and
    • Ensuring access to and correction of personal information.


    What Constitutes A Breach That Requires Reporting? 

    While many people seem to envision breaches arising from characters in black hoods unscrupulously hacking data for profit, the reality is quite often far from this picture.

    Data breaches may occur in various ways, as cyber-attacks and online scams are becoming increasingly prevalent. This may include losing a device containing personal information, hacking of databases, or accidental disclosure of personal information to unauthorised individuals. Notifications to affected parties must also include guidance on how to respond to the breach.

    The Mandatory Breach Notification Laws make it necessary for entities subject to the obligations to notify the Australian Information Commissioner, and affected individuals of ‘an eligible data breach’. An eligible data breach can be identified according to 3 criteria:

    • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that is held by the entity;
    • this is likely to result in serious harm to one or more individuals; and
    • the entity has not been able to prevent the likely risk of serious harm via remedial action.

    While small businesses have not yet had to manage Mandatory Breach Notifications in Australia, if and when they do, which will likely be confirmed in 2024, guidelines may be similar to those already in place for larger organisations, with reduced financial or non-financial penalties.

    A data breach can happen in a myriad of ways, but here are a few to remain mindful of:

    • Human Error: This can be a PC with sensitive information left unlocked in a public space, an email or text with governed data sent to the wrong recipient, a shared password in the office, a lost phone or USB drive or data backed up to a platform that has open permission settings.
    • Cyber Attacks: Ransomware, phishing, social engineering, malware and viruses
    • System Security Vulnerabilities: Unauthorised system access, incorrect administrative privileges or unpatched applications

    Current Mandatory Breach Notification Laws can be found here. We also recently explored the topic in our blog ‘What To Do If Your Business Has A Data Breach 

    So, what are the key takeaways of Australia’s privacy reform deep dives?

    Until new legislation is formed, the overall impact of these reforms will not be evident, but they are definitely some of the most significant shifts Australia has seen in this area to date.

    These policies outlined in the Privacy Act Review fall under 5 broader categories. They are:

    • Bringing the Privacy Act into the digital age
    • Uplifting protections
    • Increasing clarity and simplicity for entities and individuals
    • Improving control and transparency for individuals over their personal information
    • Strengthening enforcement
    This means that many aspects of the way that information is handled and accessed have come under scrutiny. Aside from the removal of the exemption for small businesses, some highly significant changes include:


    Stronger mandatory data breach notification requirement

    The Government has ‘agreed in principle’ to a 72-hour reporting window for an eligible data breach (Proposal 28.2). It has also ‘agreed in principle’ that organisations must set out the steps taken or to be taken in response to a data breach, including to reduce any adverse impacts on the affected individuals in its statement for an eligible data breach (Proposal 28.3). This will create a necessity for businesses to ensure they have a solid response plan in place in the event of any potential breach occurring.

    Increased individual rights in terms of data erasure

    When legislation comes into effect, individuals will have the right to request the erasure of any personal data held (Proposal 18.2) and that any personal information stored in internet search results can be deindexed (Proposal 18.5). These laws are similar to those of the GDPR. Organisations will need to comply with these requests and ensure they have the necessary systems in place to do so properly.

    A direct course of legal action for groups and individuals

    New legislation will likely include a clause for individuals and groups affected by privacy interference in Australia to commence legal action or seek compensation for serious privacy breaches (Proposal 26.1). This includes both individual and class actions that could potentially be brought against businesses and entities whose actions, or lack thereof, have caused loss or damage. The government has also ‘agreed in principle’ to introduce a new statutory tort for serious invasions of privacy (Proposal 27.1).

    Potential changes to employee data laws

    Currently governed by workplace laws and exempt from the Privacy Act, the Government has agreed in principle to enhance privacy protections for employees under the Privacy Act after consultation with appropriate third parties (Proposal 7.1).

    Ensuring that any data collected, held or shared meets the ‘fair and reasonable’ circumstances test

    Data holders will have a set of criteria to adhere to when determining that holding, storing or sharing an individual's data is ‘fair and reasonable’ in the circumstances, that is to be assessed objectively, and irrespective of whether consent has been obtained (Proposals 12.1, 12.2, and 12.3).

    Expansions to the definition of ‘personal information’

    The definition of what constitutes personal information has been expanded to include technical information and inferred information, including via cookies and IP address logs, if the information whether alone or in conjunction with other information available to the data holder, is capable of identifying an individual (Proposals 4.1, 4.2 and 4.4).

    Prohibitions for targeting sensitive information

    Organisations will be prohibited from targeting individual based on sensitive information (such as sexual orientation or cultural background, political opinions or religious affiliations) unless such actions can be shown to be helpful to the target audience as socially beneficial content (Proposal 20.8).

    Heightened transparency for the use of AI (Artificial Intelligence) and ADM (Automated Decision Making)

    There will be further disclosure and transparency required for organisations and agencies who use Artificial Intelligence to make decisions that affect the public and individuals (Proposals 19.1, 19.2 and 19.3).

    Additional Protections For Children

    In recent years, there has been heightened concerns over the handling of children’s data and reasonably so. The concepts of businesses storing and selling, a child’s data, have created many calls for regulations in this area. The new Privacy Act reforms will prohibit direct marketing to children, as well as selling or trading children’s personal information, with an exception for targeting or direct marketing that is in the best interests of the child (Proposals 20.5, 20.6 and 20.7).

    A 2022 study by Human Rights Watch showed that over 80% of school approved children’s educational apps and technology on-sold data, with many entertainment apps doing similar.

    In a Media Release from The Hon Mark Dreyfus KC MP (Attorney-General of the Commonwealth of Australia) on September 28th, 2023, the Government agreed (or agreed in principle) to ‘establishing stronger protections for children, including the introduction of a Children’s Online Privacy Code’ (Proposal 16.5).


    “This is a vital set of proposals that will deliver significant gains for the Australian community. With increasing use of high-impact technologies, it is critical that these reforms proceed as a priority alongside other key initiatives that rely on a strong privacy foundation such as the Australian Cyber Security Strategy and Digital ID framework.”

    Angelene Falk Australian Information Commissioner & Privacy Commissioner

    How Privacy Act and Mandatory Breach Notification Law changes relate to your business and cyber security measures

    What can you do today to help your business transition while changes come into play? It’s hard to know without seeing the final legislation. Regardless of the direction it goes, it is worth familiarising yourself with the current Privacy Act and the Mandatory Breach Notification Laws, as well as the proposals made, as set out in this article, both as a business owner and as a consumer.

    In the interim, you can:

    • Assess your current organisational structure and data handling systems, processes and policies;
    • Consider how your business uses, shares and disposes of personal information;
    • Look at ways to strengthen your business’s cybersecurity policies to decrease the likelihood of a breach
    • Ensure you have an adequate plan in place to respond to a breach.

    While at the time of writing this article, Australia still stands at a transition point concerning privacy laws and digital security, significant changes are likely ahead, with reform to Australia’s privacy framework likely to come into place as early as 2024.

    If you have recently experienced a data breach or need assistance implementing cyber security, please contact our Small Business IT & Security Experts today. For legal advice, contact Arnotts Technology Lawyers.

    Disclaimer: This is general information only. Please contact us for further guidance or seek independent legal advice that considers your unique personal situation before making any decisions based on the information in this communication.