New Obligations for Handling Eligible Data Breaches

This article applies to all organisations.

Privacy and Other Legislation Amendment Act 2024 (Cth)

On 11 December 2024, the Privacy and Other Legislation Amendment Act 2024 (Cth) (the Amendment Act) commenced and amended the Privacy Act 1988 (Cth) (the Act).

All references to sections, divisions and parts in this Article are references to the Act unless otherwise stated.

What’s changed?

The key change made by the Amendment Act is the introduction of a new Division 5 of Part IIIC, which imposes new obligations on entities in relation to personal information involved in eligible data breaches.

Further Information

New section 26X(1) provides that the relevant Minister may, by writing, make an eligible data breach declaration if there is an eligible data breach of an entity and the Minister is satisfied that making the declaration is necessary or appropriate to prevent or reduce a risk of harm arising from a misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, that personal information from the eligible data breach of the entity.

The access or disclosure covered by the first dot point below, or the loss covered by the second dot point below, is an eligible data breach of an entity and an individual is therefore at risk from the eligible data breach:

  • there is unauthorised access to, or unauthorised disclosure of, information, and a reasonable person would conclude that the access or disclosure would be likely to result in a serious harm to any of the individuals to whom the information relates; or
  • information is lost where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and, assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

Authorisation of collection, use and disclosure of personal information

Under new section 26XB(1), at any time when an eligible data breach declaration is in force in relation to an eligible data breach, an entity may collect, use or disclose personal information about an individual only if:

  • the entity reasonably believes that the individual may be at risk from the eligible data breach; and
  • the collection, use or disclosure is for a permitted purpose specified in the declaration; and
  • the information is information of a kind or kinds specified in the declaration; and
  • the information is disclosed by an entity specified in the declaration, or an entity included in a class of entities specified in the declaration; and
  • the information is disclosed to an entity specified in the declaration, or an entity included in a class of entities specified in the declaration; and
  • if a matter mentioned in any of the above dot points (except the first) of this paragraph is specified in the declaration subject to conditions: those conditions are satisfied.

Importantly, an entity does not breach an Australian Privacy Principle, a registered APP code that binds the entity or a rule issued under section 17 (rules relating to tax file number information) in respect of a collection, use or disclosure of personal information that is authorised by the paragraph above.

Additionally, under new section 26XB(5), a collection, use or disclosure of personal information by an officer or employee of an agency in the course of duty as an officer or employee is authorised by new section 26XB(1) (as discussed above) only if the officer or employee is authorised by the agency to collect, use or disclose the personal information. An agency includes:

  • a Minister; or
  • a Department; or
  • a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth law, not being an incorporated company, society or association or an organisation that is registered under the Fair Work (Registered Organisations) Act 2009 (Cth) or a branch of such an organisation; or
  • an eligible hearing service provider; or
  • the service operator under the Healthcare Identifiers Act 2010 (Cth).

New offence: Disclosure of information

Under new section 26XC(1), a person (the first person) must not disclose personal information relating to an individual that was disclosed to the organisation because of the operation of new Division 5 of Part IIIC (dealing with personal information involved in eligible data breaches), unless the disclosure is permitted under new section 26XC(2), being:

  • if the first person is an APP entity: a disclosure permitted under an Australian Privacy Principle, a registered APP code that binds the person or a rule issued under section 17 (rules relating to tax file number information);
  • a disclosure for the purposes of carrying out a State’s constitutional functions, powers or duties;
  • a disclosure for the purposes of obtaining or providing legal advice in relation to the operation of new Division 5 of Part IIIC;
  • a disclosure permitted under new section 26XB (as discussed above);
  • a disclosure made with the consent of the individual to whom the personal information relates;
  • a disclosure to the individual to whom the personal information relates;
  • a disclosure to a court (which includes any tribunal, authority or person having power to require the production of documents or the answering of questions);
  • a disclosure prescribed by the regulations (no such regulation has been prescribed yet).

Failure to comply with new section 26XC(1) may result in a fine of 60 penalty units (currently, $18,780) or imprisonment for one year, or both.

What you should do

Organisations should ensure that systems and policies are updated to include these new obligations so that all relevant staff know how to correctly deal with personal information involved in eligible data breaches (as discussed above). Organisations may also wish to conduct staff training to ensure understanding across the organisation and to ensure that no offences are committed.

How Law Compliance can help:

Want to find out more about what we do and how we can make legal compliance easy for your organisation? Contact us or request a free info pack today.