Territory Stories






Law Society Northern Territory; PublicationNT; E-Journals




This publication contains many links to external sites. These external sites may no longer be active.; Made available via the Publications (Legal Deposit) Act 2004 (NT).; Celebrating 50 years 1968 - 2018 Law Society NT




Law -- Northern Territory -- Periodicals.; Law Society of the Northern Territory -- Periodicals.

Publisher name

Law Society Northern Territory




Issue no. 1

Copyright owner

Law Society Northern Territory





Page content

COVER STORY
LAW SOCIETY NT

2018: A year of significant changes to privacy law, affecting legal practices and clients

Snapshot

Two significant reforms to privacy law commence in 2018. Legal practitioners will need to consider the impact on clients, as well as on the operation of their own legal practices.

The changes will affect all medium-large Australian businesses; some smaller businesses depending on the nature of their business; all Australian government agencies; and to a lesser extent state and territory agencies and small businesses in their capacity as employers.

The changes include mandatory notification of data breaches, and the extension of European data protection law to Australia.

February

Notifiable data breaches

Who is affected

Commencing 22 February, amendments to Part IIIC of the Privacy Act 1988 (Cth) will affect almost every organisation in Australia in some way:

All entities already required to comply with the 13 Australian Privacy Principles (APPs), which includes all Australian government agencies, almost all businesses and non-profits with a turnover of more than $3m pa, plus some smaller businesses such as health service providers and contracted service providers to the Commonwealth;

All organisations which receive Tax File Numbers (TFNs) which will include bodies not regulated by the APPs, such as state and territory agencies and most small businesses, in their capacity as employers; and

Credit providers and credit reporting bodies.

The key requirements

The amendments require notification of certain types of data breaches. Notifiable data breaches are incidents which involve the loss of, or unauthorised access to or disclosure of, personal information (or a TFN, or credit eligibility/reporting information) and which are likely to result in serious harm to one or more individuals.

When a data breach meets this threshold test, notification is required, as soon as practicable, to both the Australian Privacy Commissioner and the affected individuals. The Privacy Commissioner is part of the Office of the Australian Information Commissioner (OAIC).

The legislation sets out the factors which impact on whether or not a data breach is likely to result in serious harm; the timeframes in which an assessment must be carried out on a suspected breach; what a notification must contain; and how a notification must be made.

A failure to comply with the new notification requirements attracts a civil penalty of up to $2.1m.

The takeaway

There are two objectives driving the move towards mandatory notification of data breaches. The first is to fulfil a duty of care to the affected individuals, by letting them know that their personal information has been put at risk. The second is to create a sufficient financial disincentive, such as to prompt organisations into investing