New Requirements for Use of Client Data

Published Jun 06, 2018

Personal data is collected every day by a wide range of businesses and organisations. This can be beneficial in providing ease of access to information. However, a breach of this data could potentially damage the reputation of an entity and pose potential harm to individuals.

The Privacy Act 1988 was recently amended to include the Notifiable Data Breaches Scheme. The Office of the Australian Information Commissioner (OAIC) oversees this Scheme. As a result, all entities with existing obligations under the Act must comply with the Scheme. Examples of these entities include:

  • Government bodies
  • Businesses with an annual turnover of more than $3 million
  • Credit reporting bodies
  • Entities that trade in personal information
  • Tax File Number recipients

Those who do not comply may be liable for significant fines of up to $2.1 million.

For an eligible data breach to occur the following needs to be satisfied:

  • Unauthorised access to, or disclosure of, information occurs; AND
  • A reasonable person would conclude that this would be likely to result in serious harm to the individuals involved.

OR the information is lost in circumstances where:

  • Unauthorised access to, or unauthorised disclosure of, information is likely to occur; AND
  • A reasonable person would conclude that this would be likely to result in serious harm to the individuals involved.

The term “Serious Harm” is not defined in the Act. The OAIC, however, has noted: “in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial or reputational harm”.

If an eligible data breach occurs, an entity must:

  1. Prepare a statement outlining the details of the breach and the steps the individuals should take in response to it.
  2. Take reasonable steps to notify the individuals at risk of the contents of the statement.
  3. If the above steps are not possible, publish a copy of the statement on the company website and take reasonable steps to publicise it.
  4. Advise the OAIC of the breach and follow its recommended actions.

At Forsyths, your privacy is important to us. We have a Privacy Policy that outlines the type of information we request from clients, as well as how we keep this information secure. We have also implemented a Notifiable Data Breach Scheme Policy to ensure the requirements of the Scheme are met. The latest version of our Privacy Policy is available on our website.

If you think your business may need to comply with the Scheme, please visit the OAIC website for more information: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.

This document has been prepared for general information only and is not intended as personal advice. Any statements of law or proposals are based on Forsyths' interpretation as at the date of issue. Accounting & business services are provided by Forsyths Business Services Pty Ltd ABN 66 182 781 401, liability is limited under a scheme approved under Professional Standards Legislation.