New rules on data breaches take effect

Businesses will face hefty fines for keeping breaches under wraps.

  • Businesses must notify consumers of data breaches
  • $2.1m fines for businesses, $420,000 for individuals
  • Comes after GoGet waited six months to notify customers of hack

Businesses that fail to let people know the security of their personal information has been jeopardised will face millions in fines as the Notifiable Data Breach Scheme comes into effect today.

Businesses, government bodies and not-for-profit organisations with an annual turnover of more than $3 million will have to report data breaches or face fines as high as $2.1 million.

They'll have a period of 30 days to conduct an assessment when the security of health information, identification details (such as a passport, driver's licence and Medicare card) and finances has been breached.

The scheme catches up to a communal belief that people should be told when their data is at risk, says Timothy Pilgrim, Australian Information Commissioner.

"It gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts," he says.

"The scheme also has a broader beneficial impact – it reinforces organisations' accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors."

Not knowing how to keep the data of customers safe is becoming a poor excuse, says Angus Taylor, minister for law enforcement and cyber security.

"There is a lot of information now available on cyber security. The onus is with business operators, with organisations and with government agencies to put measures in place to reduce the risk of data breaches."

The new program, legislated under the Privacy Act 1988 (Cth), follows a survey that found more than 90% of people believe they should be told if a business or a government body loses their personal information.

Its introduction comes after ride-sharing company GoGet notified customers about a breach six months after it happened, upon recommendations made by NSW Police.