Is your business ready for the new Australian Data Breach Act?

On February 23, 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 will come into effect. This new security law requires all businesses in Australia to notify the Office of the Australian Information Commissioner and any impacted clients about significant data breaches.

The law covers most businesses with an annual turnover of at least $3 million, as well as government agencies and smaller organisations that handle critical data. If you handle personal information, you are required to secure it and to establish a data security and management plan. In the event of a data breach, your business is responsible for notifying affected individuals, which is why it is important to have a managed detection and response protocol in place before an incident occurs.

If your organisation collects any of the following, the revised Privacy Act affects you:

1. Credit reporting or building data
2. Personally identifiable information
3. Tax data

Most Australian companies are already taking steps to ensure they comply with this new act and to align with industry-standard security initiatives.

Even if you are already taking data privacy seriously, it is a good idea to review your current policies against new regulations. By proactively developing and implementing a data breach and security contingency plan, you can mitigate the risk of legal action and diminished brand reputation.

We have summarised the following steps to ensure you are protected. We advise you to speak to your legal team and IT provider to make sure you are covered.

1. Identify your at-risk data

Perform an audit or a cyber security risk assessment to determine what data your company intentionally or inadvertently collects on your clients and customers. Carefully consider if the data is necessary to carry out your business operations, and minimise the actual amount of data collected. Make certain you are using the most effective security applications and technology to encrypt and secure the relevant personally identifiable information.

2. Develop a compliant response plan

Your compliant response plan should have four components:

1. Identify and close security holes.
2. Notify government agencies and impacted individuals. The plan should state an aggressive timeline to ensure rapid notification.
3. Train staff to prevent another breach (in the case of human error).
4. Include all third-party service providers that have access to your data in this process. You can mitigate some of the inherent risk this creates by making certain everyone is on board with the stated plan.

When do you notify the Office of the Australian Information Commissioner and your customers?

According to the new legislation, notification is required “where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals”.

If an organisation covered by the regime “is aware that there are reasonable grounds to suspect that there may have been an eligible data breach”, it must take reasonable steps to complete a “reasonable and expeditious assessment” of whether there has been a breach within 30 days.

If there are reasonable grounds to believe there has been an eligible data breach, the organisation must prepare a statement detailing the breach, give a copy to the Australian Information Commissioner, and notify any affected individuals “as soon as practicable”.

Your notification will generally be sent in the manner you usually use to contact the individual, as long as it is secure and protects their privacy. The notification needs to include the compromised information, the circumstances of the breach, what your client should do, and your contact details.

3. Train your staff

Your employees should be trained in both data breach prevention and notification. Your communications team should also be involved when talking to the media. Schedule drills covering a variety of scenarios and use the results to further refine your initial plan. The best notification arrangements are those that can be carried out from muscle memory.

For more information please visit:

  • Office of the Australian Information Commissioner, Data Breach Notification: A guide to handling personal information security breaches.
  • Privacy Amendment (Notifiable Data Breaches) Bill 2016 Explanatory Memorandum, available here.

How can we help?

If you are stuck and need some help, particularly with IT security services, we can provide you with a Privacy Amendment (Notification Breaches) Analysis and Remediation Consultation. Express your interest in our professional services.
