The government has released an exposure draft of a bill that will define what it considers a ‘serious’ data breach and place notification requirements on some businesses and organisations should they suffer one.
In 2008, the Australian Law Reform Commission (ALRC) published a report which described mandatory data breach notification as, “in essence, a legal requirement on agencies and organisations to notify individuals when a breach of security leads to the disclosure of personal information”.
The ALRC further recommended introducing a mandatory data breach notification scheme that would apply to those breaches which create a “real risk of serious harm” to the individuals potentially affected.
The previous government introduced a mandatory data breach notification bill in 2013 based on the ALRC’s recommendation, but the bill did not pass during the life of that Parliament.
In its introduction to the bill, the government said: “The rationale of data breach notification is to allow individuals whose personal information has been compromised in a data breach to take remedial steps to avoid potential adverse consequences, such as financial loss or identity theft. Examples might include cancelling a credit card, or changing an online password.”
At present, government agencies and businesses must take “reasonable steps” to secure any personal information they hold, but notification is not required following a data breach. Mandatory data breach notification currently applies only to organisations holding patient data on eHealth systems.
The new bill will act as an amendment to the Privacy Act 1988 to deal with serious data breaches in “a practical, effective way without placing an inappropriate regulatory burden on business”, the government said in a 3 December statement.
The draft bill states:
“Failure to comply with an obligation included in the Bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. This will engage the Commissioner’s existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. This includes the capacity to undertake Commissioner initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.”
Entities holding data will have 30 days to assess whether there are reasonable grounds to suspect that a serious data breach has occurred before being required to notify the Commissioner and affected individuals.
Furthermore, not all entities will be subject to the data breach notification requirement. Those entities already exempt from the operation of the Privacy Act, such as intelligence agencies and small business operators, will be exempt. Law enforcement bodies will not be required to notify affected individuals “if compliance with this requirement would be likely to prejudice law enforcement activities”.
The government said it intends to consult extensively with industry and other stakeholders on the proposed scheme, in particular with a view to minimising costs and regulatory impact. Feedback will be considered before the legislation is finalised for introduction into the Parliament.
The Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 is available for public consultation and comment until 4 March 2016.