Australian notification regime leads to change

01 June 2018

Data breach notifications in Australia have spiked under the country’s new mandatory breach notification scheme, which came into force on 22 February 2018.

According to the Office of the Australian Information Commissioner (OAIC) the regulator has received 63 data breach notifications during the first six weeks of the Notifiable Data Breaches (NDB) scheme. This compares to 114 data breach notifications made to the OAIC on a voluntary basis during the entire 2016–17 financial year.

This year has seen a number of organisations notify customers of a data breach under the scheme. Family Planning New South Wales recently notified the OAIC and customers that personal information may have been compromised after the organisation suffered a ransomware attack in April. The OAIC is also looking into claims that Australia’s Commonwealth Bank lost personal data for 20 million accounts after a contractor failed to destroy magnetic data storage tapes in 2016.

Just over half of the eligible data breach notifications in the first quarter were caused by human error, according to the OAIC quarterly report. Around 44%of reported breaches were the result of malicious or criminal attack, and 3% the result of system faults.

Over three quarters of the breaches involved personal contact information while around a third involved health information and 30% financial details. Some 90% of data breach notifications related to breaches involving the personal information of less than 1,000 individuals, although three breaches affected 1,000 – 9,999 people and a further three breaches 10,000 - 99,999 people.

Health service providers were responsible for the highest proportion of notifications (24%), followed by legal, accounting and management services (16%), finance (13%), private education (10%) and charities (6%).


With the NDB now in place, many Australian businesses are turning their attention to the EU’s General Data Protection Regulation (GDPR) from 25 May 2018. Given the extraterritorial reach of the GDPR (it covers the data of individuals that reside within the EU when Australian companies have offered to sell them goods/services or is monitoring their behaviour), the regulation is expected to affect a large number of Australian companies. It will also expose them to potential fines of EUR 20 million or 4% of annual turnover if they breach the rules.

The GDPR is similar to Australia’s Privacy Act, but the new EU rules go further than the Act in many respects. For example, under the GDPR, individuals have rights in respect of data portability, the right to be forgotten, and the right to restrict processing.

Speaking at a recent event ahead of the GDPR implementation date, Australian Information Commissioner and acting Privacy Commissioner, Angelene Falkand emphasised the need for businesses to foster accountability and transparency as a mechanism to drive consumer trust. Privacy-by-design, and clear and transparent information handling practices must be at the heart of all projects that involve personal information, she said.

Subscribe to our  Latest Cyber Decoder newsletter


With Facebook’s data privacy breach hitting the headlines, data protection and privacy has gained heightened awareness at a time of increasing regulation and consumer rights. In a litigious society like Australia, legal experts have speculated about the prospect of data protection and privacy law suits.

As yet, there has not been a successful collective class action case brought in Australia for a data breach, as has been the case in English courts. However, lawyers believe that Australia’s new mandatory data breach notification regime may have the effect of identifying a group of consumers that could constitute a “class” for the purposes of class action litigation.

According to lawyers, significant hurdles exist for individuals to pursue legal action for a data breach in Australia, but the law is evolving and there is potential for cases to arise in the future.

Download Cyber Decoder Newsletter

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on