New privacy obligations – the data breach notification scheme

by Imogen Thomas

Privacy and protection of personal information is riding high in the public eye after a number of high-profile breaches over the past six months. As consumers, it is important to have a good understanding of how your personal information is being handled and we rightfully expect that organisations will look after our personal information with due care. For businesses, the requirement to protect personal information of your staff, clients and stakeholders is not just a social expectation – there are legal requirements in place to ensure you manage personal information safely and appropriately.

On 22 February 2018, the Notifiable Data Breaches (NDB) scheme came into force in Australia, bringing with it some new obligations for agencies and organisations subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The scheme introduces an obligation to notify individuals and the Office of the Australian Information Commissioner (OAIC, the national privacy regulator) when a data breach occurs that carries a risk of serious harm. The notification should include guidance on how to reduce the potential harm of the breach.

Privacy refresh – what are the APPs?

The APPs are a framework of privacy obligations that apply to all Commonwealth government agencies, private sector, not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively, ‘APP entities’).

The APPs follow the lifecycle of ‘personal information’ from collection through to use and disclosure, to eventual destruction or disposal. An overview can be found on the OAIC website.

If an APP entity breaches an APP, this is called an ‘interference with the privacy of an individual’. Interferences with privacy can lead to complaints and in some circumstances, compensation may be awarded to the individual. Over recent years, awards of compensation have ranged from $1,000 to over $20,000.

Not sure if the APPs apply to your organisation or if your privacy practices are up to standard? Contact elringtons for assistance and advice on meeting your privacy obligations.

New obligations

The NDB scheme applies to “eligible data breaches”, which are breaches that are likely to result in serious harm to an affected individual. Unless an exception applies, the APP entity is required to notify the affected individual(s) and the OAIC that the breach has occurred, so that action can be taken to mitigate any potential harm.

Notifications must include the following information:

  • Identity and contact details of the organisation;
  • Description of the data breach;
  • The type or kind of information concerned; and
  • Recommendations about steps that individuals should take in response to the breach.

The OAIC has a specific form for notifying the Commissioner of notifiable data breaches.

Breaking it down

A “breach” includes an unauthorised access to, disclosure of or loss of personal information. A breach may be as simple as sending a letter to the wrong person or leaving a memory stick or a briefcase on the train. Although the thought of a “data breach” often conjures up thoughts of computer hackers or determined criminals, the reality is that they most commonly occur due to simple human error.

Not every breach will require notification. If a breach has occurred, the next question to consider will be whether serious harm is likely to occur as a result. Serious harm includes physical, psychological, emotional, financial or reputational harm. The Privacy Act sets out a number of relevant matters to assist in assessing whether serious harm is likely to occur, including the kind(s) and sensitivity of the information, what other security measures exist (e.g. is the information encrypted), the nature of the harm that may result and the likelihood that a person who could have obtained the information would have the intention of causing harm to any of the individuals.

There are some exceptions to the notification requirements, including where the data breach involves more than one entity. In those circumstances, only one entity is required to undertake notification.

Prevention is better than a cure! elringtons can provide advice and guidance on best privacy practices, including undertaking privacy impact assessments or delivering training to your staff, to help your organisation manage privacy carefully and responsibly.

e: | p: +61 6206 1300

Debt Recovery Against Companies – Statutory Demand

A Statutory Demand is a formal written request for payment of debts owed by a company, issued pursuant to the Corporations Act 2001 (Cth) (“Act”). Under the Act companies are prohibited from trading insolvent and incurring further debts.

The Statutory Demand is an initial step in the winding up process against an insolvent company. Thus, the Statutory Demand is a very powerful tool in recovering debts against companies, as ignoring it may result in the company being liquidated.

Once the Statutory Demand has been served upon a company, within 21 days the company must either:

(a) pay the debt(s) which is the subject of the Statutory Demand; or

(b) apply to have the Statutory Demand set aside.

Should the company fail to take either of those actions within the 21-day period, it will be presumed insolvent and any further operations by the company may be in breach of the Act. If a Statutory Demand is not set aside, the creditor can make an application to the court that the company be wound up. The presumption of insolvency can be rebutted by the company, but it is not easily achieved and it is usually costly. Therefore, it is prudent not to ignore a Statutory Demand once served on the company.

Grounds for setting aside the Statutory Demand – Genuine dispute

Although the Statutory Demand is a useful tool for creditors to recover outstanding debts against companies, a debtor company can apply to have the demand set aside if there is a genuine dispute about the existence or amount of the debt. It is not a “high bar” to show that a genuine dispute exists – generally it will be sufficient to show that there is a “plausible contention requiring investigation”, in the sense that the dispute is put forward in good faith and that the grounds for alleging the existence of a dispute are not spurious, illusory or hypothetical.

Therefore, creditors should only issue a Statutory Demand if there is no genuine dispute about the debt, or consider withdrawing the demand once the debtor company raises the issue of a genuine dispute. If the creditor does not withdraw the demand and the company successfully obtains a court order to have the demand set aside, the creditor may need to pay the company’s costs in making the application. Given the potential consequences it would be prudent for the creditor to obtain legal advice prior to issuing a Statutory Demand.

There are other grounds for setting aside a Statutory Demand, such as:

  • the amount of the debt claimed is less than the statutory minimum;
  • the amount of the debt is unspecified;
  • the Statutory Demand does not comply with the prescribed form (Form 509H);
  • the Statutory Demand is not clear and fails to include the warning about the 21-day period;
  • the accompanying affidavit verifying the existence of the debt is not a proper affidavit;
  • the demand was not properly served on the company;
  • the company has a genuine off-setting claim against the creditor; and/or
  • the Demand is defective and will cause substantial injustice if not set aside.

Case study

Here at elringtons, we have lawyers specialising in debt recovery against companies and individuals. This ensures that our clients are provided with quality legal advice and professional support.

Recently, we managed to recover a significant sum from a company for one of our clients. The debt related to invoices which had been outstanding for over 6 months and there was no genuine dispute regarding the debt owed. Our client had been chasing payment for quite some time and the debtor company had started to dodge their calls! An initial letter of demand from our office resulted in part of the original debt being repaid, but over $20,000 remained due and owing. A Statutory Demand was issued and the debtor company was left with only two choices: pay the debt or be wound up. They chose to pay.

Whilst the Statutory Demand is a very powerful tool for recovering debts against companies, it must be done properly. Failure to do so may result in costly and prolonged legal proceedings with, sometimes, the opposite effect.

If you’ve been served with a Statutory Demand, or are having trouble recovering debts owed to you by a company, elringtons can help.

For more advice and assistance please contact our Civil Litigation team:

p:  +61 2 6206 1300 | e: