New privacy obligations – the data breach notification scheme

by Imogen Thomas

Privacy and protection of personal information is riding high in the public eye after a number of high-profile breaches over the past six months. As consumers, it is important to have a good understanding of how your personal information is being handled and we rightfully expect that organisations will look after our personal information with due care. For businesses, the requirement to protect personal information of your staff, clients and stakeholders is not just a social expectation – there are legal requirements in place to ensure you manage personal information safely and appropriately.

On 22 February 2018, the Notifiable Data Breaches (NDB) scheme came into force in Australia, bringing with it some new obligations for agencies and organisations subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The scheme introduces an obligation to notify individuals and the Office of the Australian Information Commissioner (OAIC, the national privacy regulator) when a data breach occurs that carries a risk of serious harm. The notification should include guidance on how to reduce the potential harm of the breach.

Privacy refresh – what are the APPs?

The APPs are a framework of privacy obligations that apply to all Commonwealth government agencies, private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively, ‘APP entities’).

The APPs follow the lifecycle of ‘personal information’ from collection through to use and disclosure, to eventual destruction or disposal. An overview can be found on the OAIC website.

If an APP entity breaches an APP, this is called an ‘interference with the privacy of an individual’. Interferences with privacy can lead to complaints and in some circumstances, compensation may be awarded to the individual. Over recent years, awards of compensation have ranged from $1,000 to over $20,000.

Not sure if the APPs apply to your organisation or if your privacy practices are up to standard? Contact elringtons for assistance and advice on meeting your privacy obligations.

New obligations

The NDB scheme applies to “eligible data breaches”, which are breaches that are likely to result in serious harm to an affected individual. Unless an exception applies, the APP entity is required to notify the affected individual(s) and the OAIC that the breach has occurred, so that action can be taken to mitigate any potential harm.

Notifications must include the following information:

  • Identity and contact details of the organisation;
  • Description of the data breach;
  • The type or kind of information concerned; and
  • Recommendations about steps that individuals should take in response to the breach.

The OAIC has a specific form for notifying the Commissioner of notifiable data breaches.

Breaking it down

A “breach” includes unauthorised access to, disclosure of or loss of personal information. A breach may be as simple as sending a letter to the wrong person or leaving a memory stick or a briefcase on the train. Although the thought of a “data breach” often conjures up thoughts of computer hackers or determined criminals, the reality is that breaches most commonly occur due to simple human error.

Not every breach will require notification. If a breach has occurred, the next question to consider will be whether serious harm is likely to occur as a result. Serious harm includes physical, psychological, emotional, financial or reputational harm. The Privacy Act sets out a number of relevant matters to assist in assessing whether serious harm is likely to occur, including the kind(s) and sensitivity of the information, what other security measures exist (e.g. is the information encrypted), the nature of the harm that may result and the likelihood that a person who could have obtained the information would have the intention of causing harm to any of the individuals.

There are some exceptions to the notification requirements, including where the data breach involves more than one entity. In those circumstances, only one entity is required to undertake notification.

Prevention is better than a cure! elringtons can provide advice and guidance on best privacy practices, including undertaking privacy impact assessments or delivering training to your staff, to help your organisation manage privacy carefully and responsibly.

p: +61 6206 1300

Volunteers and Vicarious Liability

Are you a volunteer or an organisation that employs volunteers? Are you and/or your volunteers covered by adequate insurance? Have you considered the important exemptions to public liability protection under your relevant insurance policy? Do you need help deciphering what your insurance policy document means and where your organisation might not be covered?

Under the Civil Liability Act 2002 (NSW) (“CLA”) if you have arranged for adequate insurance cover for your volunteers, and your volunteers are acting in the best interests of the organisation and not involved in any wrongdoing, they should be protected against any civil claims arising from acts or omissions by them or others during the course of their volunteer activities. This means that if your volunteer was acting within the bounds of their position description and through their own personal negligence caused a third party to injure themselves, they will most likely be protected from personal liability for the accident as long as the appropriate insurance cover has been arranged.

It is important to note that the protection of volunteers from incurring personal liability for their acts or omissions during the course of their duties does not apply where:

  • The volunteer was not acting in good faith (“good faith” = acting honestly and without fraud);
  • The volunteer knew, or ought reasonably to have known, that he or she was acting outside the scope of the activities organised by the community organisation, or contrary to instructions given by the community organisation (section 64 CLA);
  • The volunteer was engaged in an activity that constitutes a criminal offence (section 65 CLA);
  • The volunteer’s ability to exercise reasonable care and skill when doing the work was significantly impaired by alcohol or drugs voluntarily consumed (whether consumed for medication or not), and the volunteer failed to exercise reasonable care and skill when doing the work (section 63 CLA);
  • The volunteer was engaged in defamatory behaviour; or
  • The volunteer incurred liability that would otherwise be covered by third-party insurance under the Motor Accidents Compensation Act 1999 (NSW), that is, a liability for compensation in respect of people who are injured or die as a result of transport accidents.

In addition, in certain circumstances (whether a volunteer gains this protection or not) the community organisation may be liable for the volunteer under the legal doctrine of ‘vicarious liability’.

If you are running any kind of volunteer organisation, it is important to outline very clearly to your volunteers their roles and responsibilities in instruction manuals and training guides. A written job description and/or volunteer policy document may also state what behaviours or actions are prohibited (for example, the giving of medical advice).  These documents may help to define what kind of work or actions are authorised or instructed by the organisation and what volunteer actions might be considered to be outside the scope of their authority or contrary to instructions.

Please contact one of our friendly solicitors if you have any questions in relation to your organisation’s insurance policy, legal structure, or if you require advice in relation to a claim against you or your organisation.

For more information please contact:

p: +61 2 6206 1300

Is it legal to employ only non-smoker workers? What employee attributes are protected under law?

An ABC News article on 15 March 2018 highlighted that employers, across a broad range of areas, are advertising specifically for non-smoker employees. While this may appear to be discriminatory, it is not unlawful employment discrimination under Australian laws.

In Australia, anti-discrimination laws protect employees (or prospective employees) against discrimination on the grounds of certain attributes. Smoking is not specifically covered by these laws, so it is not something that an employee is protected against.

What are protected attributes? When is an employer unlawfully discriminating?

Australian anti-discrimination laws differ slightly in each state, but generally, an employee is protected against discrimination on the basis of the following:

  • Age, sex or race
  • Sexual orientation, gender identity
  • Disability (physical or mental)
  • Marital status, family or carer responsibilities
  • Pregnancy or breastfeeding
  • Religion or political opinion

The above attributes protect you from being discriminated against in the recruitment process or during your employment. “During employment” includes discrimination in the terms offered as part of your contract, training in your job, a promotion or transfer, or dismissal from your job. If your employer threatens or takes any of the following actions against you because of the above attributes, it is considered unlawful discrimination:

  • Refuses to employ you
  • Dismisses or fires you
  • Alters your position in a disadvantageous way
  • Discriminates between you and another employee

What is not protected? When is an employer not unlawfully discriminating?

There are certain attributes that are not protected, meaning it is not necessarily unlawful to discriminate against an employee, such as in the non-smoker employees example above. If your position has been changed in a way that you feel disadvantages you, but it was due to something such as poor performance, it is not unlawful. Employers may also advertise for applicants with certain attributes, qualifications or skills that are an essential requirement for the job. For example, if driving is involved in a job, then the employer can lawfully only consider people with a driver’s licence for the position.

Please feel free to contact our Litigation and Dispute Resolution team if you think you have been discriminated against at work or wish to discuss any concerns.

Further information:

When is employment discrimination lawful?
How can you protect your business from bullying, harassment and discrimination claims?

p: +61 2 6206 1300

NSW Workers Compensation

The NSW workers compensation scheme is complex. However, there is a legal aid type scheme to help injured workers in NSW obtain legal assistance, in order to understand their rights and entitlements. This means you do not pay legal fees. The scheme is administered by the Workers Compensation Independent Review Office (WIRO). We routinely obtain funding from WIRO to represent NSW workers compensation clients to:

  • Investigate claims for weekly benefits, medical treatment or permanent impairment;
  • Dispute insurer decisions where liability is denied, treatment is declined or where entitlements are ceased; and
  • Commence proceedings at the NSW Workers Compensation Commission.

Obtaining Legal Assistance

WIRO funding covers your legal fees as well as things such as expert reports and clinical records.  In order to access this funding, simply contact us to book an initial consultation.  In that consultation, we will discuss important facts such as:

  • When you were injured and how.
  • Whether you have already made a workers compensation claim in relation to your injury, and if so, what was the outcome.
  • What assistance you require.

Once we have identified the nature of your claim, and providing we consider you have some prospects of success, we make an application on your behalf to WIRO. The aim of the scheme is to ensure all NSW workers are fully apprised of their rights and entitlements following a workplace injury.


An injured worker may be eligible for all or some of the following payments:

  • Weekly benefits
  • Medical or related treatment
  • Occupational rehabilitation services
  • Travel expenses to attend appointments for medical and other treatment
  • Lump sums for permanent impairment
  • Damages under general law
  • When the injury results in the death of the worker, the dependent family members may be eligible for death benefits and/or funeral expenses

elringtons can help you

Because of the legal aid type scheme for injured workers in NSW, it will cost you nothing to speak to us. We have represented clients to:

  • Establish liability for injuries;
  • Dispute denial of medical treatment;
  • Dispute cessation of weekly benefits;
  • Obtain expert opinions about injuries;
  • Obtain permanent impairment assessments; and
  • Obtain lump sum compensation following a death of a family member.

We understand the impact a workplace injury has on your life: physically, emotionally, and financially. We use this knowledge to build rapport with our clients. Matthew Bridger and Tom Maling represent clients in NSW workers compensation matters.

Matt Bridger is accredited as a personal injury specialist by the NSW Law Society. He has over 25 years’ experience helping injured NSW workers. His experience enables him to provide expert and timely advice to assist injured workers. Tom Maling trained as a Registered Nurse and uses his health knowledge to understand your injury experience and advocate on your behalf. Tom also has a particular interest in working with clients who have received a psychological injury at work.

Please do not hesitate to contact Matt Bridger or Tom Maling to discuss your circumstances.

p: +61 2 6206 1300

Hospital Complications and Medical Negligence

By Tom Maling

According to new research from the Grattan Institute, almost 11% of all people hospitalised have a complication while in hospital. This equated to approximately 74,000 people in January 2015, a staggering number. While not all complications (thankfully) will have lasting consequences for patients, in our experience some do.

A medical negligence claim can help pay for the cost of picking up the pieces after a hospital complication, such as paying for further treatment, covering loss of wages and compensating your pain and suffering.

elringtons health and medical law

elringtons has represented people injured by hospital complications in medical negligence claims for many years. We are different from other law firms because we have:

  • Inside knowledge about the health industry;
  • University acquired knowledge about injuries and disease;
  • An understanding of how healthcare should be provided; and
  • A proud history of success for clients in the Canberra, Queanbeyan and South East NSW regions.

We understand the impact of negligence on our clients.  We use this knowledge to build a rapport with you, to work with you, and to help you obtain compensation for your injuries.

Matt Bridger and Tom Maling represent clients in medical negligence claims.  We act for Canberra and the surrounding regions including NSW residents from Queanbeyan, Batemans Bay, Goulburn, Yass, Cooma, Bega and Merimbula areas, in both ACT and NSW claims.

Matt is an Accredited Specialist in Personal Injury Law and has over 25 years of experience representing people in medical negligence matters, including small claims right up to multimillion dollar catastrophic injury claims. He has great medical knowledge across a whole range of areas and has conducted cases in general surgical, birth and obstetrics, dental, orthopaedics, pharmacological and cardiology negligence. Tom completed training as a Registered Nurse and has experience in hospitals and nursing homes. He also represents our clients on all medical negligence and treatment dispute claims. Our experience means we have insight into health issues, health service delivery, and most importantly our clients’ experiences.

Please contact Tom Maling for further information:

p: +61 2 6206 1300