What is Mandatory Data Breach Notification?

Mandatory Data Breach Notification has been introduced in Australia as an amendment to the Privacy Act (1988).

This amendment will require government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that is likely to result in serious harm.
— Timothy Pilgrim PSM (Australian Privacy and Information Commissioner)

Under the amendment, businesses have up to 30 days after becoming aware of a serious data breach to notify the Information Commissioner and impacted individuals. Failure to notify may result in fines of up to $1.8 Million for an organisation.

Full details of the bill can be found here:


Does Mandatory Data Breach Notification Affect My Business?

The amendments will take effect within 12 months of the bill gaining Royal Assent. From that day forward any business covered by the Privacy Act will be required to notify or face fines. The Privacy Act applies to:

  • All private sector and not-for-profit organisations with an annual turnover of more than $3 million;
  • All private health service providers;
  • Some small businesses (collectively called ‘APP entities’) that handle, use and manage personal information.

For more information on who the Privacy Act covers refer to the Office of the Australian Information Commissioner.

How Can Cynch Security Help?

Our Small Business Cybersecurity Membership is specifically designed to help Australian Small and Medium businesses manage their cyber security risks as outlined in the Privacy Act.

As part of our mission to support Australian Small Businesses, our Data Confidence Memberships can also provide you with support to ensure you're acting in line with the principles covered by the Privacy Act, protecting your data and preparing your business to respond in the event that a data breach occurs.