Government closes in on legislation over serious data breaches


news The government has released an exposure draft of a bill that will define what it considers a ‘serious’ data breach and place notification requirements on some businesses or organisations should they suffer from such an attack.

In 2008, the Australian Law Reform Commission (ALRC) published a report which described mandatory data breach notification as, “in essence, a legal requirement on agencies and organisations to notify individuals when a breach of security leads to the disclosure of personal information”.

The ALRC further recommended introducing a mandatory data breach notification scheme that would apply to those breaches which create a “real risk of serious harm” to individuals potentially affected by the attack.

The previous government introduced a mandatory data breach notification bill in 2013 based on the ALRC’s recommendation, but the bill did not pass during the life of that Parliament.

In its introduction to the bill, the government said: “The rationale of data breach notification is to allow individuals whose personal information has been compromised in a data breach to take remedial steps to avoid potential adverse consequences, such as financial loss or identity theft. Examples might include cancelling a credit card, or changing an online password.”

At present, government agencies and businesses must to take “reasonable steps” to secure any personal information they hold, but notification is not required following a data breach. Mandatory data breach notification is currently only required by organisations holding patient data on eHealth systems.

The new bill will act as an amendment to the Privacy Act 1988 to deal with serious data breaches in “a practical, effective way without placing an inappropriate regulatory burden on business”, the government said in a 3 December statement.

The draft bill states:

“Failure to comply with an obligation included in the Bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. This will engage the Commissioner’s existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. This includes the capacity to undertake Commissioner initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.”

Entities holding data will have 30 days to reasonably assess whether there are reasonable grounds to suspect a serious data breach has occurred before the entity is required to notify the commissioner and affected individuals.

Furthermore, not all entities will be subject to the data breach notification requirement. Those entities already exempt from the operation of the Privacy Act, such as intelligence agencies and small business operators, will be exempt. Law enforcement bodies will not be required to notify affected individuals “if compliance with this requirement would be likely to prejudice law enforcement activities”.

The government said it intends to consult extensively with industry and other stakeholders on the proposed scheme, in particular with a view to minimising costs and regulatory impact. Feedback will be considered before the legislation is finalised for introduction into the Parliament.

The Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 is available for public consultation and comment until 4 March 2016.


  1. “Law enforcement bodies will not be required to notify affected individuals “if compliance with this requirement would be likely to prejudice law enforcement activities”.”

    Yeah, ’cause the police have *never* claimed that something will adversely prejudice their activities just because compliance was inconvenient… FFS. Why even bother adding the qualifier? Oh right, this way you get to pretend you’re not an authoritarian government operating a police state, because you’ve told us exemptions will only be an *exception*. Seems legit…

  2. The current system of “government agencies and businesses must to take ‘reasonable steps’ to secure any personal information they hold” is likely the big problem here. Naturally, nobody likes to be told how he must run his business, especially when that instruction needs him to shell out money for something to ward off a perceived low risk.

    On top of all that is the universal understanding that computers/databases/etc are just like cars, you don’t need tuition, anyone can do it. Besides which, “I have nothing that would interest them.”

    The sad part of this Privacy Act Amendment is that it will contain zero regulations penalising businesses for failing to implement adequate security, for failing to subject their operations to rigorous penetration testing.

    I wonder how many businesses actually insure against breaches; and would any insurance company (excluding the well-known Dodgy Bros) actually offer such a policy without first insisting on “adequate locks on all entrances and windows”? (Pun intended, but Macs and Linux are just as vulnerable, just look at my employer’s paperless database!)

Comments are closed.