Generally, the Act covers any business that:
- has an annual turnover of more than $3 million;
- is a private sector health service provider;
- sells or purchases personal information;
- is a credit reporting body;
- is a contractor that provides services under a Commonwealth contract;
- is an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009;
- is related to a business that is covered by the Act; or
- is prescribed by the Privacy Regulation 2013.
They must do so when:
- the breach is likely to result in serious harm to one or more individuals; and
- the business hasn’t been able to prevent the likely risk of serious harm with remedial action.
Examples of serious harm include:
- identity theft, which can affect an individual's finances and credit report;
- financial loss through fraud;
- a likely risk of physical harm, such as by an abusive ex-partner;
- serious psychological harm; or
- serious harm to an individual’s reputation.

- Even if you are not required to comply with privacy law, your business partners may contractually bind you.
- Finally, in the event of a data breach, obtain advice from a lawyer immediately.