Close this search box.

Privacy Policy

Wilson & Gilkes Pty Ltd 

  1. What this Policy is about

Our business partners commercial confidentiality and the privacy of the individuals in those businesses are important principles for Wilson & Gilkes Pty Ltd. Our contracts and commercial dealings with third parties are carefully reviewed with regard to safeguarding those interests.

Wilson & Gilkes Pty Ltd and its related parties 1 (in this document, generally referred to as Wilson & Gilkes Pty Ltd) must comply with the Privacy Act 1988 (the Act) and implement policies and procedures that expressly address the Australian Privacy Principles (APPs). Some of our related parties may, by the nature of their business, require more specific provisions to properly address the APPs. These will be notified in their own Privacy Policy and you (or your client or concerned individual) should refer to those related parties directly.

This Policy sets out how Wilson & Gilkes Pty Ltd through its officers and staff expressly manages the collection disclosure storage and use of personal information (PI) of members, clients, suppliers, contractors and subcontractors and other individuals (including visitors to our websites, forums, and training services) having regard to the Act, the APPs and other relevant statutory requirements. References in this policy to “you ” mean the individual concerned who ‘owns’ the PI.

  1. Why NOT to breach privacy laws

Direction on how to treat PI, the consequences of infringing this Policy or the APPs that this Policy seeks to address, and changes to its scope may be issued by the Chief Executive (or with the authority of the shareholders) from time to time.

Internally, infringements of statutory requirements and or significant policy matters could lead to disciplinary action, termination of contract or other lawful actions.

In addition, there are externally enforced consequences: serious breaches of privacy legislation can involve the individuals knowingly concerned in the infringement in penalties of more than $100,000 and for Wilson & Gilkes Pty Ltd itself, the penalty can be $1.7million, in Australia.

This Policy and any procedural guides issued in connection with its implementation should be considered in light of affiliated policies and regulatory matters such as use of emails, Spam Act, Facebook Protocols (and our social media T&Cs), and even the Do Not Call Act. Most of these mentioned may not necessarily directly deal with ‘personal information’ as defined in the Act but extends to uses of data that may incidentally include PI.

The personal information collected and used by Wilson & Gilkes Pty Ltd can be provided or used electronically or by conventional methods and the principles of protection outlined in this Policy apply equally to all information mediums.

  1. When does Wilson & Gilkes Pty Ltd use PI?

The essence of our business is communication and so we collect the PI of individuals from our websites, our servers (emails) and other electronic means like telecommunication facilities. We also collect it through exchange of business cards, referrals from other individuals, attendance registers and sometimes we purchase databases for particular purposes.

In every mode of collection or use, we follow the guidelines and rules laid down by the Australian Privacy Principles, and this Policy outlines how we comply. Obviously, our compliance procedures can be overridden by legal process – law enforcement, regulatory intervention, and emergency health or safety issues all take priority to our protocols and procedures.

Our Policy (and the PPS) are subject to updating as the law itself evolves in respect of the protection of all forms of personal data. Our internal compliance units are responsible for the administration of the privacy principles and for securing compliance in our contractual documentation, our modes of communication and marketing and holding third parties who may be providers or suppliers of software or communication services accountable in observing the principles when dealing with data we may have collected or stored.

Wilson & Gilkes Pty Ltd has appointed a Quality Assurance Manager to address enquiries, complaints or concerns about how your personal data is being managed. Contact details can be found at the end of this Policy.

  1. Wilson & Gilkes Pty Ltd ‘s Approach to the APPs

APP 1 – Open and transparent management of PI

This is the comprehensive Wilson & Gilkes Pty Ltd Privacy Policy and is also available on our public website – www.wilsongilkes.com.au. You may also obtain a copy by emailing or writing to our Quality Assurance Manager, details of which are at the end of this Policy.

Wilson & Gilkes Pty Ltd ‘s primary purpose in collecting personal information is to focus our communications in an orderly and efficient manner so as to deliver our goods and services and respond to our stakeholders’ expectations and needs promptly and efficiently. Most of the personal information about individuals that we collect in whatever form and from whatever source, is used only so that we can communicate more effectively and efficiently with them, and numerous clients, contractors, government departments and agencies in the performance of our contractual obligations.


For our business partners, both written and electronic application forms and incidental material all contain express details on why we need some personal information concerning the various persons in authority and how we can communicate effectively with that business through its authorised employees or in some cases, their contractors. Wilson & Gilkes Pty Ltd also provides for mechanisms that entitle Wilson & Gilkes Pty Ltd to treat persons who are purportedly authorised by their corporate entity(employer) to deal with us, as having the requisite authority and where their employer provides us with the individuals’ information, we can safely assume that the employer has obtained the relevant consent from the individual to use collecting and using the information for our membership and related purposes.

Our websites and our internal databases and information access facilities all provide individuals whose data is stored and used by us with options to access. remove, alter and update their personal data. All forms of collection facilities like emails, invitations, registration forms, purchase orders and even subscribed marketing material carry the ‘unsubscribe’ facility. Our Database team has also been trained in the Privacy APPs and the compliance processes and we have formal internal controls in place to mitigate human error wherever reasonably practicable.

Our information systems have both built in controls wherever possible but we have an overlay of monitoring and audit processes, both an in-house team and external providers who are regularly briefed on privacy and data protection issues and are required to implement additional security and controls where needed.

Wilson & Gilkes Pty Ltd ‘s Management Committee which reports directly to the committee of management (our Board) is also briefed on privacy and data protection issues as they arise and a risk monitor on privacy is included in the Risk Register.

Wilson & Gilkes Pty Ltd ‘s Legal Counsel provides updates and advice to the Chief Executive to facilitate training in new policies and procedures and to secure the chain of effective supervision of database and marketing personnel involved in the collection or use of personal data. Our internal corporate documentation including our agreements and arrangements with external persons are subject to regular review and updating. In particular, the recent amendments to the mandatory notification of data breaches introduced to the Privacy Act in early 2017 are being incorporated by way of covenants and warranties in our risk management of those relationships.

APP 2 – Anonymity and pseudonymity

The scope of personal information that maybe collected from you includes: Names, employment addresses, title or positions you hold, telephone and mobile numbers, credit card details for payment of goods or a service (see also information on storage and retention rights).

We do not collect tax file numbers or other government identifiers of individuals, except as a legal necessity, if you are an individual carrying on a business we will collect and use the ABN of that business for our business and tax requirements.

If you want to communicate with us on a particular matter you may ask to remain anonymous or use a pseudonym but it will be rarely appropriate in your dealings with us due to the nature of the relationship we have with you. We can refuse to deal with you anonymously if we are collecting your personal information like your real name because we:

  • collect it for compliance purposes with any law or regulation
  • need it to properly provide whatever service or advice you are seeking from us and it is impracticable for us to do that using a pseudonym or anonymity;
  • to verify or assist you with passwords or other security matters or other technical services like internet access;
  • ensure quality controls within our services; or
  • we are required or authorised by law or a court or tribunal to identify you.

We only collect the information we need to provide you with the goods or services you seek or are likely to be interested in due to the nature of our relationship. Generally, it’s to administer that relationship, for supplies, acquisitions or disposals of assets or interests, potential clients, contractual or legal compliance and insurance purposes.

We are committed to protecting the confidentiality of your business and we implement a number of governance measures to help protect the privacy of the individuals when dealing with us. For that reason, we need to know that the information or advice we provide is going to the right person within the entity. Accordingly, it will be only in isolated cases (e.g. when we are doing industry wide surveys) that your personal information can be obscured by anonymity or aliases.

We collect the information in numerous ways – telephone, internet, email, and written correspondence. Other sources of collection of that personal information include –

  • registration forms, invitations and expressions of interest forms for briefings, interest groups, training courses
  • notices, invoices and order forms
  • forms and notices for statutory compliance purposes (such as consents to act)
  • surveys and questionnaires
  • project and consultancy proposals and contracts for services
  • telephone enquiries to our offices
  • email broadcasts
  • business cards
  • publicly available directories and publications.

In some cases, we collect it using the services of a formal personal information collection agency or third party. (We will tell you when it comes from someone other than you). Where you provide us with information about someone else, you must ensure you have that individual’s consent to giving it to us, especially if it is an employee or contractor to you. You should tell them it’s going to Wilson & Gilkes Pty Ltd (and its related parties) and that they can get a copy of our PPS on our internet site.

Collection of PI from anyone other than the individual themselves is considered to be ‘unsolicited information’ which is expressly covered by APP 4.

Our on-line infrastructure facilities such as web browsers, log information collectors and cookies do not collect personal data about individuals. You can disable cookies and opt out of on-line advertising, but there is a risk that in doing so, you and your business may not receive the services you have sought from us or updates or other information pertinent to our relationship with you.

APP 3 – Collecting solicited PI

PI we solicit and collect directly from you or from another entity about you can only be the PI that is reasonably necessary for us to do our job for you for our functions and our activities and not for someone’ else’s. 

Unless we satisfy one of the statutory exemptions, we cannot collect any sensitive PI without the express consent of the individual. (there are some clear exceptions such as where the sensitive information is necessary for the safety or health of an individual). Sensitive information includes racial and religious backgrounds, political and union affiliations, health matters, and the like.

Clearly, we are bound to collect the information by lawful and fair means and this too is built into our procedures and our controls.

A core principle of the APPs and the current legislation is the obligation to collect PI only from the individual concerned unless either there are express exceptions in the Act or its unreasonable or impracticable to do so.

The APP also distinguishes between collection (which is the gathering acquiring or obtaining of PI for inclusion in a record or a generally available publication) and solicitation (which involves an entity (us) requesting another entity to provide PI about an individual or to supply information which might ordinarily include PI). A ‘request’ in this context means any active step to acquire the PI.

Examples of solicited PI collected by us could include:

  • personal information provided by an individual in response to a request, direction or order
  • personal information about an individual provided by another entity in response to a request, direction, order or arrangement for sharing or transferring information between both entities
  • personal information provided at a business meeting, where it relates to the subject matter of the meeting, including business cards exchanged at the meeting
  • a completed form or application submitted by an individual
  • a record of a credit card payment
  • video footage that identifies individuals.
  • an employment application sent in response to either a job advertisement published by an entity or an expression of interest register maintained by the entity.

Understanding the scope of ‘reasonably necessary collection’ is also relevant to this Policy: examples provided by the OAIC include –

  • collecting personal information about a group of individuals, when information is only required for some of those individuals
  • collecting more personal information than is actually required for a function or activity. For example, collecting all information entered on an individual’s driver licence when the purpose is to establish if the individual is aged 18 years or over
  • collecting personal information that is not required for a function or activity but is being entered in a database in case it might be wanted in the future (this is to be distinguished from the situation where personal information is required for a function or activity, but is not being used immediately)
  • Wilson & Gilkes Pty Ltd collecting personal information for or on behalf of a related body corporate where the collection of that personal information is not reasonably necessary for our own functions or activities.

APP 4 – Unsolicited PI

Sometimes we receive personal information that we have not asked for directly from the individual concerned (unsolicited). When that happens, we will determine whether that information could have been collected directly by us from you. If we could not have collected it directly, and the information is not part of a Commonwealth record (e.g. a document or record held by a government agency, which is very broadly defined by the Archives Act), then we are required to destroy it or de-identify it as soon as practicable (provided that would be lawful and reasonable to do in the circumstances).

Unsolicited information that may be relevant to our relationship with you is any personal information that we receive but have taken no active steps to collect. Examples include:

  • misdirected mail
  • unsolicited correspondence to us
  • an employment application sent to us on your own initiative and not in response to an advertised vacancy
  • a promotional flyer containing your personal information, that has been sent to in connection with your business or services.

It is our responsibility to determine if the PI we have collected through any unsolicited means could have been lawfully collected under any of the ways permitted under APP 3. If that is not open to us, then we have to destroy or de-identify the PI as soon as is reasonable unless either:

  • we collected it because we are a contracted service provider to the Government and the PI is contained in a Commonwealth record; or
  • it would be unlawful or unreasonable to do so.
  • A complicated set of rules is required by APP 4 follows from our determination about how we collected the unsolicited PI.

Essentially, if the unsolicited PI –

  • could have been collected by us under APP 3, or
  • is contained in a Commonwealth record, or
  • we are not required to destroy or de-identify it because it would be unlawful or unreasonable to do so

then we may be entitled to retain it but we then have to ensure we comply with APPs 5-13. These APPs involve the following issues to be considered and implemented:

  1. a ‘collection notice’ under APP 5 may be required to be given to you
  2. it may only be used or disclosed for the primary purpose for which it was collected unless an exception applies
  3. we have to ensure that the PI is kept secure and protected
  4. you are entitled to request access to the PI and to have any of the PI corrected.

Before we use the PI or disclose the PI to anyone else, we have to review the reasons why we are holding it – unless its contained in a Commonwealth record or cannot be destroyed or de-identified because it would be unlawful or unreasonable to do so – and was it collected for our primary purpose?

We also have to be mindful of APP 11 – even if all these other conditions are satisfied, we must destroy all PI that is no longer necessary for the purpose for which it was collected (unless, again, it is contained in a Commonwealth record or we are required by or under an Australian law, or a court/tribunal order, to retain the information.)

APP 5 – Collection notices

As soon as practicable after we have collected your PI (solicited or unsolicited) APP 5 obliges us to inform you of various matters relating to the PI and the way we protect your PI, the way you can access your PI and how to contact us or the regulatory authorities in relation to a privacy concern. This is the collection notice and can be located on our websites, attached or referenced in application forms, emails, and other modes of collection.

While the circumstances of each ‘collection’ may require some change to the way we reply to the APP 5 questions from time to time, the following addresses the general ways or ‘default’ responses to those issues in the absence of any more specific communication:

Who we are and how you can contact us

Our webpage – www.wilsongilkes.com.au,  provides you with more detail on who we are.

Our contact details are available from the website or from any communication you have with us. Details of the particular persons with responsibility for the management of the compliance issues of the Privacy Act are set out at the end of this Policy and in the PPS.

How, when and from where is your PI collected?

Unless you are the individual who provided us with the PI (and therefore know when and how we collected it), we will advise you of the how and when, if practicable. We will also tell you where we got it from if our use or disclosure of the collection of your PI comes as a surprise to you. Due to the nature of our business, your PI is likely to be collected by us because you are an employee or a representative of a business or employer with whom we are dealing or expecting to deal. Your PI may in those cases have been provided to us by your employer or business or another business who has had dealings with your business or, as a consequence of our primary purpose (the exchange of information and advice on all industry, workplace and employment related matters through membership or contracted services). Where the PI has been provided to us from a direct source such as another entity that may itself have collected your PI (e.g. a government agency or a marketing firm) then we will take all lawful steps to identify that source for you effectively.

What is the exact content of that PI?

In most cases, the PI will only involve your name and your business title or position and nowadays, your business email addresses and mobile phone numbers. Depending on the purposes for the collection, we may necessarily have to include for legal compliance purposes (e.g. if you become an officer of Wilson & Gilkes Pty Ltd), your birthdate and place, home and work addresses, personal mobile telephone numbers or direct landline numbers.

Rarely, we may have to ask for sensitive information like your affiliation or membership of a union, or your health background, in the context of employment and regulatory advice provided as part of our primary purpose. If the information is expressly required by a law or regulation relevant to our purpose, we will identify the law or regulation when we ask for the PI (e.g. in the case of Workplace Health and Safety, Fair Work or Industrial Relations, VET or EBA training). That information is treated separately and more confidentially and is destroyed as soon as it is no longer needed for the purpose. We also require your written consent to the disclosure of PI that contains sensitive information. (See APP 6 for more details).

Why we have to collect it.

In most cases, it is self-evident in the context. But as explained in APP 2 above, the nature of our business and the purposes of our communications with you mean it is rare that we will be able to deal with you if you insist on anonymity or use a pseudonym: first, if you represent a business partner of ours, we have to have the proper details of the person with whom we are dealing to ensure that you are entitled as an authorised representative of that member to receive the information or advice from us or that we can deal with you without breaching confidentiality obligations. If it is compliance related, or has a legal process element to the dealing, then it would not be lawful to pretend you are someone else or to give us an alias.

What are consequences of you not giving us the PI?

The most obvious reason as outlined above in paragraph 4, is that if we do not know who you are or how to contact you or how to provide you with the service you or our business seeks from us, or cannot verify it from our records, then either you or your business may not get the relevant information necessary for you to comply with legal process, regulation or other workplace related matters; we cannot keep you up to date with relevant matters; and you or your business may miss out on significant regulatory or government-sponsored activities. In that case, while we do take as many actions as reasonable and practicable to get the relevant PI, we cannot be liable to you or your business for the consequences of not having relevant and up to date contact details in our records. Those consequences could involve statutory fines, damages or losses arising from contractual, award or other arrangements to which you are a party.

How and in what circumstances would your PI be disclosed?

Disclosure to third persons could include regulatory and other government agencies connected with the subject matter of our dealings with you and contracted service providers who are undertaking a service on our behalf.

Note that in some cases your dealings with us may necessarily involve the transfer of your PI overseas. This should only occur when you have directly requested it such as for trade missions, travel documentation, export or import documentation and international introductions or referrals. In these cases, we cannot be held responsible for the end destination, the recipient’s compliance with our privacy policy, Australian privacy laws or their own internally regulated security or privacy compliance. While any contractual arrangements we may undertake on your behalf that involve an overseas recipient include specific obligations in relation to protection of your information (including any confidential information you need to disclose), it is neither practicable nor reasonable for us to identify each possible recipient, the business, or agency and to explore and advise on their privacy environments. If you need to have that disclosed overseas, you have to be careful and take full responsibility for the consequences. See APP 8 for more detail.

How you can access the PI we hold and to whom you and complain – internally and externally.

All you need to do to access or correct any of your PI we hold is to contact Wilson & Gilkes Pty Ltd and ask to be put through to our Quality Assurance Manager. All contact details are available on our website. If you are in email contact with Wilson & Gilkes Pty Ltd already, then submit your request to your usual contact and copy info@wilsongilkes.com.au. 

Note that this APP 5 cannot apply where the collection itself arises in the course of possible litigation or other legal process and the disclosure of our collection may jeopardise professional standards, confidentiality, privilege or put the legal process or any person’s health or safety at risk.

APP 6 – Hold, Use, Disclose, and Purpose

If we hold your personal information for a particular purpose this is the primary purpose and we cannot use it for any other reason (a secondary purpose) unless:

  • you have consented to that use or disclosure; or
  • you would have reasonably expected it to be used for that secondary purpose.

We will always try and get your consent wherever practicable. We also try not to deal in sensitive information like health or criminal records or matters of that kind unless it’s necessary for the service we provide or we are compelled to do so for legal reasons. If we do have to collect your sensitive information, then your written informed consent will be obtained before it’s disclosed.

If we collect personal information from one of our related parties or they collect it from us, then the primary purpose of the collector is considered to be the primary purpose for the related party. In this respect, as outlined in this Policy, our related parties may provide specific expert services in connection with or directly related to our business services or they may provide those services directly to one of our clients or customers because it’s a necessary part of the relationship we have with that client or other person.

However, we cannot share your personal information with our related parties if the purpose involves direct marketing unless you have requested or consented to it.

APP 7 – Direct Marketing

It is important that you be aware that the Act and particularly the APPs prohibit the use or disclosure of personal information for the purpose of direct marketing unless:

We have collected the data directly from you and you would reasonably expect us to use or disclose it for that purpose. In that case, we will always provide you with an easy way of requesting us not to bother you again with any marketing material. This is in the form of a telephone call, an email, or sometimes an electronic opt out/unsubscribe facility, provided we can verify the caller. We will immediately take steps to remove you from our marketing communications.


We collected it –

from you (but you would never reasonably expect to receive marketing material from us or for your data to be disclosed for that purpose)


we collected it from someone else


in either case, you have consented to the use or disclosure or it’s impracticable to get your consent.

(In either of these instances we will offer you the same easy means of removing yourself from that marketing list and we will include a prominent statement in every such communication that you can request to be so removed.)


In the case where we are a contracted service provider to a government agency under a Commonwealth contract and we have collected the personal information for the purpose of meeting our obligations under that contract and the use of your personal information is in fact necessary to so meet that obligation.

In all cases where we use or disclose personal information for the purposes of our own direct marketing or to facilitate another organisation’s direct marketing, and the consent express or implied has been obtained in accordance with this APP, you can always request that you be removed from the marketing list and or ask us not to disclose your data to the other organisation(s) for that purpose and also require us to tell you where we got the information from. There is no charge for you to action this right.

(Note that the Spam Act and the Do Not Call Register Act both continue to apply regardless of the APPs.)

APP 8 – Cross border disclosures

We endeavour to bring cost effective and timely service to our business partners and this necessarily involves us in reviewing our providers and the providers’ service deliverables regularly. So, while most of our data is presently residing in data centres in Australia, there may be times when, due to the nature of the transaction you seek with us or the communication facility used, your data is available to overseas recipients. The purpose of these sorts of disclosures are for software solutions, help desk support or for simply storage purposes through contracted service providers or facilities we use that include cloud options.

We will take all reasonable steps to find out if any of our telecommunications providers or their contractors and other service providers use cloud or any service that may involve our data (which could include your personal information) being disclosed to overseas recipients, where they are located and why they may get access if the data is more than simply routed through an offshore provider. These are required by APP 8.1. But the reality and practicalities of modern technologies means that in most cases this is going to be impracticable as the breadth of service and the subcontracting within specialist fields of service puts Wilson & Gilkes Pty Ltd far from the actual data centre provider.

So, it is imperative that you be aware that by using our telecommunication facilities and specifically internet access, you will be consenting to the possibility of the data we collect for the service transaction or relationship being disclosed overseas and to unknown destinations and in that case, you will have consented to APP8.1 not applying. This covers those cases where we are simply undertaking normal business activity.

Obviously, if we learn of a risky destination and our providers advise us of either changes they will adopt or they want us to adopt to ensure that we maintain our high standards of security, or that our data may have been put at risk, then we will take all reasonable actions to prevent the continuing possible infringement of our confidentiality and your privacy. Nevertheless, we cannot guarantee or assure you that there is no risk or that we will be able to take any remedial action.

On the other hand, if the very service or transaction you are requiring from us involves you necessarily providing us with your personal data that needs to be sent overseas, (e.g. in a trade or international service) then we will be acting as your agent in the transfer and you will need to be comfortable with the destination of, and the people who will have access to, that information. Where we can help, we will certainly direct you to government sites that may provide some assistance in this respect so that you may make an informed decision about your disclosure overseas but in any case, APP8.1 will expressly not apply to Wilson & Gilkes Pty Ltd. Your consent will be part of the request for us to take the action on your behalf. If you are concerned about the potential for that personal information to be misused overseas and withdraw your consent, then we will be unable to complete the service or activity on your behalf. We cannot be held responsible for the consequences of your decision in that case.

APP 9 – Government identifiers

Wilson & Gilkes Pty Ltd does not use government identifiers (e.g. Medicare numbers, Tax File Numbers, etc.) for the purpose of identification of individuals in our client base. As mentioned earlier, if an individual carries on a business which is registered with an Australian Business Number (ABN) then that ABN will necessarily be stored and used by us for financial and taxation purposes only.

APP 10 – Quality of PI held

APP 11 – Security

APP 12 – Access

APP 13 – Correction

We use strict protocols to guard the integrity and quality of and access to the personal information we collect or hold. We review our service providers’ contracts to ensure as far as practicable that they have implemented the security measures appropriate to reasonably protect us and you from misuse, interference and loss and particularly from unauthorised access amendment or disclosure. In particular, credit card and financial information is held under strict security until able to be deleted or destroyed: unless you tell us to do so, we do not retain such information for future transactions.

We have implemented procedures that facilitate the destruction or de-identification of personal information when it is no longer necessary for the purposes for which it was collected (unless it is needed for legal reasons).

Accessing your personal information for verification amendment or removal can be effected in any of the ways mentioned above including emailing the database management (info@wilsongilkes.com.au) or telephoning our office, writing to the Quality Assurance Manager at Wilson & Gilkes Pty Ltd.

There is no charge for this service and we promise to action your request as promptly as possible (subject only to the usual qualifications like legal compulsion or compliance obligations). You should note that some personal data is automatically destroyed or deleted after set periods of time or as a requirement of a contract or government program. In other cases, archived material may be deleted as a matter of technology, efficiency or space requirements. Deletion or destruction of a Commonwealth record or a statutory record is not legally permissible without a court order or other due legal process.

PART 111C – Notifiable breaches

All affected entities must notify ‘eligible data breaches’ they experience to the Information Commissioner and to relevant individuals in connection with information they hold about the individuals.

The threshold for notification is where serious harm to any of the individuals is likely. The threshold tests which trigger the notice obligations are based on an objective test of what a reasonable person would conclude.

An ‘eligible data breach’ occurs when, in respect of personal information, credit reporting information, credit eligibility information or tax file number information held by an entity required to comply with data security obligations in the Privacy Act, the following conditions are satisfied:

  • there is unauthorised access to, or unauthorised disclosure of, the information, or where the information is lost, unauthorised access to, or unauthorised disclosure of, the information, is likely to occur; and
  • a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to which the information relates (in the case of lost information assuming that unauthorised access or unauthorised disclosure were to occur).

There are some important exceptions to notification, in particular where remediation taken by the affected entity has reduced the risk of serious harm.

Most critically the unauthorised loss, access or disclosure of the information will not be an eligible data breach where, as a result of remedial action taken by the relevant entity in relation to the breach, before it results in serious harm to any individual to whom the information relates, a reasonable person would conclude that the loss, access or disclosure of the information is unlikely to result in serious harm to any of those individuals. Similarly, if such action were taken in respect of particular individuals prior to serious harm occurring and a reasonable person would conclude that, as a result the loss, access or disclosure would not be likely to result in serious harm to those particular individuals, the entity will not be required to notify those individuals of the loss, unauthorised access or unauthorised disclosure.

Serious harm is broadly construed. The explanatory memorandum to the amendment explains that serious harm could include serious physical, psychological, emotional, economic and financial harm as well as serious harm to reputation. There is also a non-exhaustive list of relevant matters to have regard to when determining whether access or disclosure would likely to result in serious harm:

  • the kind and sensitivity of the information;
  • whether the information is protected by security measures and the likelihood any such security measures would be overcome including the use of an encryption key to circumvent the encryption technology or methodology;
  • the persons or kinds of persons who have or could obtain the information;
  • the likelihood that any persons who have or could obtain the information could obtain information or knowledge or circumvent any security technology or methodology applied to the information with the intent to cause harm;
  • the nature of the harm; and
  • any other relevant matters.

Where legal enforcement obligations or secrecy provisions apply to the PI the subject of the notifiable breach, then the provisions of Part IIIC will not be applicable to that part of the PI.

If a notifiable breach occurs which is not subject to an exception or exemption, then a formal notification statement must be issued to the Office of the Australian Information Commissioner as well as the individuals concerned as soon as practicable. Where the actual identity of a single individual is not the issue (i.e. where a group of individuals or a class of persons in a data holding centre may have been subject to a breach) then the statement will be published on our website and in any other format required by the OAIC without identifying the individuals themselves.

  1. Contacts

If you have a complaint or a concern or an enquiry, then contact us first. If we cannot help or resolve your issue, then we can offer a number of dispute resolution processes or you can apply directly to the OAIC for assistance or action. OAIC is the Office of the Australian Information Commissioner – refer to www.oaic.gov.au.


Wilson & Gilkes Pty Ltd 

337 – 349 Newbridge Rd Moorebank NSW 2170

PO Box 63 Moorebank NSW 1875

T: (+61) 2 9914 0900

E: info@wilsongilkes.com.au