Violations of breach and notification laws:
- Fines up to $2.1 M
Third Party Management
None to minimal
The Australian Capital Territory’s Information Privacy Act 2014 regulates the collection, storage, use, security, and access of personal information for public entities and contracted service providers for public entities.
The New South Wales Privacy and Personal Information Act 1998 (PPIP Act) regulates collection and handling of personal information by New South Wales public sector agencies. New South Wales highly encourages all agencies to report all types of data breaches to the NSW Information Privacy Commissioner (IPC) and affected individuals, which may involve personal information other than TFN numbers.
The Northern Territory of Australia Information Act, effective 12 April 2017, regulates public sector organisations' (PSO) collection and handling of personal information. The Office of the Information Commissioner for the Northern Territory oversees the Information Act.
The Queensland Right to Information Act 2009 and the Information Privacy Act 2009 promote access to government-held information and protect people’s personal information held by the public sector. These Acts are facilitated by the Queensland Office of the Information Commissioner (OIC). Queensland encourages public entities to report data breaches directly to the OIC.
In addition to the South Australian Information Privacy Principles Instruction and the Code of Fair Information Practice, South Australia has published a Personal Information Data Breaches guideline for the public sector. The Privacy Committee of South Australia must be notified. In some circumstances it may be appropriate to notify State Records, South Australian Government Chief Information Security Officer, the Agency Security Executive, Office for Cyber Security, and others.
The Tasmanian Personal Information Protection Act 2004 regulates the collection, use and disclosure of personal information, and applies to Personal Information Custodians. Instead of establishing a central body, such as a Privacy Commissioner, the Tasmanian Ombudsman investigates and makes any recommendation it considers appropriate in relation to the subject matter of a complaint.
The Office of the Victorian Information Commissioner (OVIC) administers the Privacy and Data Protection Act 2014 (PDP Act), which specifically regulates how government organisations, local councils and government-contracted service providers collect and handle personal information. Victoria’s OVIC strongly recommends that these entities report data breaches to it.
The Western Australia public sector does not currently have a legislative privacy regime. The Office of the Information Commissioner in Western Australia oversees the state's Freedom of Information Act 1992.
“BREAKING: As of Feb 2018, Australia mandates government agencies and various organisations with obligations to secure personal information to notify individuals affected by data breaches that are likely to result in serious harm.”
Statutes and Laws
Australian Privacy Act of 1988, Part IIIC
Notifiable Data Breach (NDB) Scheme, Effective February 22, 2018