Mandatory Breach Reporting and/or Consumer Notification

As soon as practicable
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Written Program for Protection & Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Mandated Rights of the Individual
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organisation of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

  • Fines up to $2.1 M

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Third Party Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Vendors of governmental entities must be contracted.
  • Organisations must have strict oversight of their Vendors located outside of Australia and the external Territories to ensure they comply with all requirements placed on businesses collecting and holding personal information of Australian residents.
  • Organisations assume full liability for any violations of the privacy principles committed by Vendors located outside Australia and the external Territories.
  • Organisations and Vendors (who are Australian businesses subject to the Australian Privacy Act 1988) must comply with all regulations of the Australian Privacy Principles (“privacy principles”), including:
    • must have policies, procedures and secure information systems in place to demonstrate compliance with the privacy principles.
    • must have a clear and up-to-date privacy policy stating their management of personal information.
    • must have measures in place to offer individuals the option to identify anonymously or by pseudonym.
    • must ensure any personal information collected, used and disclosed is necessary, accurate, up-to-date, complete and relevant.
    • must ensure an individual gives consent before collecting sensitive personal information, such as, but not limited to, biometric information, health or genetic information, racial or ethnic origin, religious beliefs, or political opinions.
    • must have safeguards in place for the protection of personal information to prevent improper use, interference, loss, as well as unauthorised access, modification or disclosure.
    • must have measures in place for the disposal or de-identification of records containing personal information.
    • must have procedures in place to respond within 30 days to individuals requesting access to their personal information.
  • An assessment of any suspected breach incidents must be completed within 30 calendar days of becoming aware of a security incident, to determine if individuals are at risk of serious harm.
  • Organisations and Vendors must come to an agreement on who will be responsible for required breach notifications. The Office of the Australian Information Commissioner recommends the entity with the most direct relationship with the individuals affected by the data breach carry out the notification.
  • Information on entities who share the affected individuals’ personal information must be included in any breach notifications.
  • Australia’s My Health Record system operates under the My Health Records Act 2012, which also sets the privacy regulations for the collection, use and disclosure of health information in that system.
  • The Australian Capital Territory’s Information Privacy Act 2014 regulates the collection, storage, use, security, and access of personal information for public entities and contracted service providers for public entities.
  • New South Wales’ Privacy and Personal Information Protection Act 1998 regulates the collection and handling of personal information by New South Wales public sector agencies. New South Wales strongly encourages all agencies to report all types of data breaches that may involve personal information to the Information and Privacy Commission NSW (IPC) and to affected individuals.
  • The Northern Territory’s Information Act 2002 regulates public sector organisations’ collection and handling of personal information. The Office of the Information Commissioner for the Northern Territory oversees the Information Act.
  • Queensland’s Right to Information Act 2009 and Information Privacy Act 2009 promote access to government-held information and protect personal information held by the public sector. These Acts are administered by the Queensland Office of the Information Commissioner (OIC). Queensland encourages public entities to report data breaches directly to the OIC.
  • In addition to the South Australian Information Privacy Principles Instruction, South Australia has published a Personal Information Data Breaches guideline for the public sector. The Privacy Committee of South Australia must be notified. In some circumstances it may also be appropriate to notify State Records, the South Australian Government Chief Information Security Officer, the Agency Security Executive, the Office for Cyber Security, and others.
  • The Tasmanian Personal Information Protection Act 2004 regulates the collection, use and disclosure of personal information, and applies to Personal Information Custodians. Instead of establishing a central body such as a Privacy Commissioner, the Tasmanian Ombudsman investigates complaints and makes any recommendation it considers appropriate in relation to the subject matter of a complaint.
  • The Office of the Victorian Information Commissioner (OVIC) administers the Privacy and Data Protection Act 2014, which specifically regulates how government organisations, local councils and government-contracted service providers collect and handle personal information. OVIC strongly recommends that these entities report data breaches to it.
  • The Western Australian public sector does not currently have a legislative privacy regime. The Office of the Information Commissioner in Western Australia oversees the Freedom of Information Act 1992.
Statutes and Laws
  • Australian Privacy Act of 1988
    • Part IIIC – Notification of Eligible Data Breaches
    • Schedule 1 – Australian Privacy Principles
  • My Health Records Act 2012