Significant amendments to the Privacy Act 1988 (Cth) will come into effect on 22 February 2018.
Pursuant to these amendments, subject entities will be required to notify the Office of the Australian Information Commissioner if there has been, or that entity has reasonable grounds to believe that there has been, an ‘eligible data breach’.
The notifiable data breach requirements are not just limited to ‘APP Entities’ under the Privacy Act 1988 (Cth). These requirements apply equally to all entities including tax ‘file number recipients’, which are defined as persons in possession or control of a record that contains tax file number information. The requirements therefore extend to entities with an annual turnover of less than $3,000,000.00 even though they, as a general proposition, are not required to comply with the Australian Privacy Principles.
Therefore, in addition to all ‘APP Entities’, any entity or person who is, or may be, in possession of tax file number information about their clients, customers or any other persons, will be a ‘file number recipient’ and be required to comply with the notifiable data breach requirements (regardless of their annual turnover), subject to any available exceptions. This is in addition to existing obligations of holders of tax file numbers, including those set out in the Privacy (Tax File Number) Rule 2015 (Cth).
In anticipation of these changes we recommend that all ‘APP Entities’ review their privacy policies, practices, and statements to ensure that they are compliant with these new requirements.
Please do not hesitate to contact our expert team if we can be of any assistance in this regard.