Privacy Changes – Have you prepared?

Travis Campbell
April 17, 2018

Along with welcoming a new year, we also welcome two major changes to privacy legislation, both here an overseas that can potentially have dramatic impact on Australian businesses.

Notifiable Data Breaches

In February, the Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into full force. One of the key points of this amendment is that all entities covered by the Australian Privacy Principles (APPs) (ie have a turnover of more than $3m) must notify the Office of the Australian Information Commissioner and any potentially affected individuals of an "eligible data breach".

  • data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on the bus); 
  • an eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure; 
  • serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and 
  • serious harm will be likely if such harm is "more probable than not" having regard to a list of relevant matters to be included in Part IIIC. The matters include the sensitivity of the information, any security measures taken (such as encryption) and how easily those security measures could be overcome (for example, if the encryption key has also been accessed).

Entities that simply suspect that an eligible data breach has occurred simply need to complete a "reasonable and expeditious" assessment into the relevant circumstances within 30 days. If this suspicion is confirmed, then a notification to the OAIC must be made using a prescribed format, and a statement to affected individuals must be made using any normal communications method. There are exceptions to this notification requirement, including if the entity has taken remedial action before any serious harm caused by the data breach has occurred.

Causeis takes client data security very seriously. We have strict policies in relation to how staff handle offline versions of client data. We advise all clients to ensure they are ready for the changes by confirming that all policies and procedures relating to data handling have been updated and staff are aware of their responsibilities so that private information does not get left on the bus! Do you know where your backups are?

EU General Data Protection Regulation (GDPR)

Another major change is the introduction of the GDPR in May. This has ramifications for any clients that hold any personal information about any EU citizen. Even though your company is not located in the European Union, GDPR also applies to the processors and controllers outside the EU where it:

  • offers goods or services to individuals inside the EU, even if no payment is required or 
  • monitors the behaviour of individuals within the EU – especially if you perform analysis or profiling of that activity for predictive purposes.

The GDPR and the Australian Privacy Act share many similar goals – like privacy by design and transparency, however there are key differences that your organisation should be aware of if you meet either criteria above, such as a requirement to appoint a data protection office and an individuals right to be forgotten and to data portability. There are also strict requirements regarding the transfer of personal data outside the EU. If your organisation meets or suspects that you meet either of these requirements, it is vital that you seek advice on implementing the GDPR. For more information about the GDPR please refer to

For more information refer to the Office of the Australian Information Commissioner via 

About Causeis: With over 50+ years combined experience, Causeis provides an award-winning iMIS consultancy service to Australia’s leading non-profits. We specialise in business strategy alignment, engagement modelling, critical system management, website development and data analytics.

Latest blogs

Are You Renewal Ready?

Posted on 22/05/2020
We wanted to share our tips and advice for being renewal ready. Your associations renewal campaign cannot be left up to chance and in-fact last year’s strategy may need further refinement.

Google Ads - How can they Benefit your Association

Posted on 6/03/2020
Google provides paid advertising called Google Ads. Google ads have become one of the most cost-effective and far-reaching methods of promoting businesses online.

Cash, accrual, deferred: what does it all mean?

Posted on 12/02/2020
iMIS uses double entry bookkeeping to record transactions. Every transaction entered in iMIS contains at least two lines