news The Australian Industry Group (Ai Group) has hit out at the government’s mandatory data breach bill, airing concerns over its implementation and saying it will bring an “unreasonable” burden for businesses.
Published in December 2015, the Exposure Draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 deals with mandatory data breach notifications, and sets out what the government considers a serious breach and how businesses and organisations must respond in the event of such a breach.
The exposure draft is now due for review following a consultation period that closed on March 4, although the legislation was originally intended to be in place by the close of 2015.
In the draft bill the government sets out that it considers a serious breach has occurred if:
“(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information (or certain other information) held by an entity; and
(b) as a result, there is a real risk of serious harm to any of the individuals to whom the information relates.”
The draft specifies the types of qualifying information as personal details, credit reporting and eligibility information, and tax file number information.
In its submission to the government, the Ai Group explained that it understands the reasons for the drafting of the bill, but added that it is “not convinced of the need for the Bill” given that there are existing privacy protections in place which deal with serious data breaches.
Further it says, that the draft legislation could be “difficult to implement” and “could impose an unreasonable compliance burden on businesses”.
Should the bill proceed in its current form, the industry group said it would welcome the proposed delayed commencement date for the scheme, since it would give businesses more time to prepare, including “introducing the necessary changes to systems and processes”.
It makes further suggestions over the wording of the bill, saying: “The concept of ‘ought reasonably to be aware’ in s.26WC(1) of the Bill is too uncertain and should be removed.”
Notification, it added, should only be required where the entity is aware that there has been a serious data breach.
Additionally, since the draft bill specifies that organisations’ obligations arising under the proposed Part IIIC of the Privacy Act 1988 apply only to an ‘APP entity’, the group offered its opinion that small businesses “will be exempt from proposed Part IIIC”.
Further, the suggestion was made that Part IIIC does not apply with respect to employee business records.
The group concluded that it would oppose “any proposal for small business operators or employee business records to be captured by the Draft Bill”.
Image credit: Still from Gladiator