Tougher penalties for privacy breaches

The Government has recently announced its intention to reform Australia’s privacy law regime and increase the penalties applicable to entities that breach their obligations under the Privacy Act.

The proposal involves bolstering the resources and powers of the Office of the Australian Information Commissioner (OAIC), and many commentators are expecting this may herald a more aggressive stance from the OAIC as it monitors compliance of entities subject to the Privacy Act.

The amendments that are proposed include:

• an increase to the maximum penalty for serious and repeated breaches to the highest of: $10 million; three times the value of any benefit obtained through the misuse of the personal information; or 10% of the entity’s annual domestic turnover;

• new power for the OAIC to issue infringement notices relating to minor breaches with fines of up to $63,000 for companies and $12,600 for individuals;

• new power for the OAIC to publicise specific breaches and notify individuals who are affected;

• an obligation for social media and online platform companies to cease using or disclosing the personal information of individuals upon their request; and

• certain additional rules to protect the personal information of children and other vulnerable groups.

The amendments are scheduled for consultation in the second half of this year. If passed, the tougher penalties together with OAIC’s new power to publicise specific breaches may significantly increase the financial and reputational risks of failing to comply with your privacy obligations.

The Government’s announcement serves as an important reminder for all entities subject to the Privacy Act to ensure appropriate information-handling measures, systems and processes are in place.

At Motus Legal, we have assisted many of our clients in complying with their privacy obligations. Get in touch with us if we can help you too.

Update on notifiable data breach scheme

As we have previously commented on in our blog post late last year, new laws are set to come into effect on 22 February 2018 which will require organisations covered by the Privacy Act 1988 (Privacy Act) to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals if an unauthorised disclosure of personal information occurs.

The OAIC has published draft resources on their website to assist organisations in understanding their compliance obligations (accessible at:

The draft resources cover:

• Who must comply with the NDB Scheme – the NDB Scheme will apply to you if you are an organisation or Australian government agency that is already covered by the Privacy Act;

• Which data breaches are notifiable – a data breach is an ‘eligible data breach’ that requires notification if it is likely to result in serious harm to any of the individuals to whom the information relates (note that a data breach does not have to be ‘malicious’, such as a cyber-attack, for it to be an eligible data breach – accidental unauthorised disclosure may still require notification, for example);

• How to notify – if the NDB Scheme applies to your organisation, your organisation must provide a statement to the OAIC, and notify individuals at risk of serious harm of the contents of that statement, if an eligible data breach occurs;

• Australian Information Commissioner’s role in the NDB Scheme – the OAIC’s roles include receiving notifications of eligible data breaches, encouraging compliance with the scheme (including regulatory action in the event of non-compliance), and providing advice and guidance about the operation of the scheme.

It is important that you review your organisation’s policies, procedures and systems for securing personal information and preventing data breaches before they occur.  An effective data-breach response plan is also crucial to respond quickly if a data breach does occur, which may be the difference between averting serious harm and a breach requiring notification (which can be highly detrimental to an organisation’s reputation).

At Motus Legal, we have advised many of our clients on complying with their obligations under the Privacy Act.  Get in touch with us to prepare for the NDB Scheme before it comes into effect.

Quick refresher on privacy and "small businesses"

The Australian Privacy Principles (APPs) contain many obligations and requirements as to how "APP Entities" collect, hold, use and disclose personal information. An APP Entity is any organisation (whether a sole trader, company, partnership or trust) that is not a "Small Business Operator" - that is, any organisation with annual turnover of $3 million or more.
However, even if your organisation is a "Small Business Operator" with annual turnover of less than $3 million, do not assume the APPs don't apply to you.  There are a number of exceptions to the Small Business Operator rule, which may require your organisation to comply with the APPs.
For example, if your organisation has less than $3 million annual turnover but provides health services and holds "health information" about an individual (other than in an employee record), then your organisation must comply with the APPs.  "Health information" includes any personal information about:
•    the health or disability of an individual at any time (whether physical or mental);
•    a health service provided to or requested by an individual; or
•    other information collected to provide, or in providing, a health service.
"Health information" is interpreted broadly. For example, the records of fitness clubs relating to individuals will fall within this exception, and therefore such fitness clubs must comply with the APPs regardless of whether they are Small Business Operators with less than $3 million annual turnover.
Another example where your organisation may be required to comply with the APPs (regardless of whether it has less than $3 million annual turnover) is where your organisation discloses personal information about individuals to receive a benefit or advantage, or to provide a service. This also applies to organisations that provide a benefit, service or advantage in order to collect personal information about individuals from anyone else. Organisations caught by this include those that sell lists of personal information to another entity so that the other entity can use it for direct marketing.
However, a Small Business Operator will not be required to comply with the APPs for trading in personal information if the Small Business Operator does so with the consent of the individuals concerned.  Whether satisfactory consent has been obtained from the relevant individuals for this to apply then becomes critical to get right.
As you can see, whether your business is bound by the APPs is not simply a matter of whether or not your organisation exceeds an annual turnover of $3 million.  At Motus Legal, we have advised many of our clients on privacy matters and compliance with the APPs, including specifically in the health sector.
Get in touch with us at Motus Legal to find out how the Australian Privacy Principles apply to your business.

Mandatory privacy breach reporting

New laws, if passed, will require businesses that experience a data breach to notify the Australian Information Commissioner and any affected individuals that an unauthorised disclosure of personal information has occurred.
Cyber attacks and data breaches are becoming increasingly common in commercial life and will be experienced by most organisations at some stage. Now, under the proposed amendments to the Privacy Act 1988, certain businesses that fail to notify the Commissioner and affected individuals as soon as practicable may be exposed to hefty penalties.
Businesses and organisations that are considered "APP Entities" under the Privacy Act 1988 will be subject to the mandatory notification obligations if:
•    there is unauthorised access to or unauthorised disclosure of personal information; and
•    such access, disclosure or loss of personal information is likely to result in serious harm to any of the individuals to whom the information relates.
Providing notification of a data breach will likely result in significant negative publicity and scrutiny from the Commissioner. At Motus Legal, we have advised clients on policies and procedures that can be implemented to minimise the risk of a data breach occurring, as well as responding to claims of breaches of privacy.  However, businesses cannot entirely eliminate the risk that human error, a technology glitch or a malicious hack will cause a data breach.
It is therefore crucial that you act quickly if you become aware that a data breach has occurred or is likely to occur. Under the proposed amendments to the Privacy Act 1988, APP Entities that take effective remedial action before any serious harm occurs may be exempt from the costly mandatory notification obligations.
Get in touch with us at Motus Legal to find out how these new laws will affect your business and how we can help you manage data breaches before they occur.

The team at Motus Legal

Top 4 tips to become cyber resilient

Cyber security is an issue of increasing importance for organisations throughout Australia and the world. As businesses chase the undeniable benefits of going ever-more digital, the related cyber risks cannot be ignored.

It is now generally accepted in the business community that virtually all organisations will experience a cyber-related incident at some stage. Data breaches can lead not only to large civil penalties imposed on companies and personal liability for directors, but can also have a devastating effect on an organisation’s reputation. 

You should therefore view cyber security as not just a technical problem requiring technical solutions. As a key stakeholder in your business, you need to be proactive in implementing an effective management strategy to address cyber risk at all levels of your organisation. 

To enhance cyber resilience and succeed in the digital economy, you should at the very least adopt a strategy to: 
•    determine your business’ exposure to cyber risk, including with respect to its assets, supply chain, personnel, and response resources;
•    promote cyber security governance and raise awareness of cyber risks across your whole business;
•    assess and update your business’ policies and procedures, implement a data breach detection and response plan, and ensure your employees and contractors have the necessary training; and
•    review your business’ insurance policies and coverage.

Do not assume your business has satisfactory procedures in place to deal with cyber threats. Unfortunately, it is often only after a business has experienced a data breach and become exposed to the wide range of liabilities that they recognise the necessity of an effective cyber-resilience strategy.  Don’t let that be you. Get ahead of cyber risk by reviewing the above for yourself, or ask the experts to help.

At Motus Legal, we have helped many of our clients beef up their privacy policies and security procedures, and have provided much needed advice on data, privacy and security-related matters.  Get in touch with us so we can help your business become cyber resilient.

The team at Motus Legal