
Small firms may be caught by data breach notification scheme

By Karin Derkley

A firm with less than $3 million in annual turnover should not assume it falls outside the Notifiable Data Breaches Scheme (NDBS) that comes into effect on 22 February, technology lawyers have warned.

The Notifiable Data Breaches Scheme requires organisations that have personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) to notify affected customers and the Australian Information Commissioner (AIC) if they experience a data breach likely to result in serious harm.

Organisations with annual turnover of less than $3 million are on the face of it exempt from the scheme, but there are several exceptions that are likely to capture smaller law practices, says Dudley Kneller, technology and privacy law partner at Madgwicks.

Those exceptions include organisations handling health-related information, trading in personal information, or collecting tax file numbers or other sensitive financial material.

"That could capture any law firms that deal with workplace or personal injury, any insurance-related matters that involve medical reports, or that have a residential tenancy database," Mr Kneller says.

Law firms will also be caught if they are Commonwealth contracted service providers or have opted into the Privacy Act, says Aya Lewih, lawyer with Legal Vision's IT Law team.

"All these little exceptions mean that even smaller firms can't automatically think they are going to be exempt from the requirements," Mr Kneller says.

Given the significant financial penalties and reputational risk involved in a data breach, Mr Kneller says all firms would do well to plan how they would deal with a data breach that compromises their clients' private information.

"With data breaches, it really isn’t a question of 'if' but 'when' – and then it comes down to how you manage it."

Education is the first step to firms preparing themselves for the new regime, says Ms Lewih. "Developing a well-rounded understanding of the requirements is key."

Mr Kneller says the scheme is an opportunity for firms to review their privacy policy, their procedures for managing and storing information securely, and their data breach response plan.

If a data breach has taken place and remedial action has not removed the likely risk of serious harm, the firm must notify affected individuals and the AIC, says Ms Lewih.

"In addition to the NDBS, there could also be a breach of the duty of confidentiality to the client which the firm must address."

More information about requirements under the Notifiable Data Breaches Scheme can be found on the website of the Office of the Australian Information Commissioner.
