Australia Privacy Amendment (Notifiable Data Breaches) Act 2017 Compliance

Thales can help your organization comply with Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017.

Australia Privacy Amendment


Australia's Privacy Act establishes a mandatory requirement to notify the Privacy Commissioner and affected individuals of data breaches. It took effect on February 22, 2018.

Thales’ CypherTrust Data Security Platform provides the tools you need to protect your organization through:

  • Strong access management and authentication
  • Data-at-rest encryption
  • Secure key management
  • Granular privileged access controls
  • Regulation
  • Compliance

Regulation Summary

On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of "eligible" data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 20171 amends Australia's Privacy Act 19882 and took effect on February 22, 2018 if no earlier date is proclaimed.


According to Global Legal Monitor3:

A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act 1988 can be penalized with a fine of up to … AU$1.8 million ….


Compliance Summary

Section 26WG of The Act says breach notification is not necessary if “access or disclosure … would not be likely to result in serious harm.” The section further states:

Access to, or disclosure of, information would not be likely [to result in serious harm] if a security technology or methodology:


(i) was used in relation to the information; and

(ii) was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information

Best practice security solutions

Thales can help your organization keep data breaches from happening in the first place through:

  • Sensitive data discovery and classification
  • Encryption of data-at-rest and data-in-motion
  • Certified protection of encryption keys
  • Tokenization with dynamic data masking
  • Access management and authentication

Data discovery and classification

The first step in protecting sensitive data is finding the data wherever it is in the organization, classifying it as sensitive, and typing it (e.g. PII, financial, IP, HHI, customer-confidential, etc.) so you can apply the most appropriate data protection techniques. It is also important to monitor and assess data regularly to ensure new data isn’t overlooked and your organization does not fall out of compliance.

Thales’ CipherTrust Data Discovery and Classification efficiently identifies structured as well as unstructured sensitive data on-premises and in the cloud. Supporting both agentless and agent-based deployment models, the solution provides built-in templates that enable rapid identification of regulated data, highlight security risks, and help you uncover compliance gaps. A streamlined workflow exposes security blind spots and reduces remediation time. Detailed reporting supports compliance programs and facilitates executive communication.

Protection of sensitive data at rest

Separation of privileged access users and sensitive user data

With the CipherTrust Data Security Platform, administrators can create strong separation of duties between privileged administrators and data owners. CipherTrust Transparent Encryption encrypts files, while leaving their metadata in the clear. In this way, IT administrators -- including hypervisor, cloud, storage, and server administrators -- can perform their system administration tasks, without being able to gain privileged access to the sensitive data residing on the systems they manage.

Separation of administrative duties

Strong separation of duties policies can be enforced to ensure one administrator does not have complete control over data security activities, encryption keys, or administration. In addition, the CipherTrust Manager supports two-factor authentication for administrative access.

Granular privileged access controls

The CipherTrust Data Security Platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and APT attacks. Granular privileged-user-access management policies can be applied by user, process, file type, time of day, and other parameters. Enforcement options can control not only permission to access clear-text data, but what file-system commands are available to a user.

Protection of sensitive data in motion

Thales High Speed Encryptors (HSEs) provide network independent data-in-motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back. Our HSE solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception—all at an affordable cost and without performance compromise.

Strong access management and authentication

Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organizations need to comply with data security regulations. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy driven role-based access, our solutions help enterprises mitigate the risk of data breach due to compromised or stolen credentials or through insider credential abuse.

Support for smart single sign on and step-up authentication allows organizations to optimize convenience for end users, ensuring they only have to authenticate when needed. Extensive reporting allows businesses to produce a detailed audit trail of all access and authentication events, ensuring they can prove compliance with a broad range of regulations.

  • Related Resources
  • Other key data protection and security regulations


    Active Now

    Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.


    Active Now

    Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

    Data Breach Notification Laws

    Active Now

    Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.