Australia: Amendments to data breach notification requirements
Published 1 January 2016
What does this cover?
In February 2015 an Advisory Report endorsed the implementation of a data breach notification system in Australia, and a new draft Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Bill) has been produced in response to this report, following unsuccessful attempts by previous governments to introduce such a measure.
The Bill does not extend the scope of the existing Privacy Act, which will continue to apply to:
- The majority of government agencies;
- Private organisations with annual turnover in excess of AUS $3 million;
- Some health service providers; and
- Organisations that trade in personal information.
The Bill's notification requirement would apply in situations involving "serious" data breaches. These are defined as breaches involving unauthorised access to an individual's financial information (including credit and tax information) held by an organisation, where the consequences of such access present a "real risk of serious harm." The seriousness of any given breach is to be ascertained by analysing all the circumstances of the breach.
In situations where a serious data breach is suspected to have occurred, organisations would have to notify the Office of the Privacy Commissioner (the Commissioner) as well as affected individuals. Organisations would be given a 30-day period to analyse the breach and ascertain whether to make a notification. The Commissioner will be able to examine failures to comply with the notification requirements and, depending on the severity of the non-compliance, employ a range of enforcement powers, including issuing binding determinations and applying to the courts to enforce civil penalties.
Organisations would be required to take reasonable steps to notify affected individuals by the most appropriate method of communication. Notifications would need to:
- Identify the organisation concerned and provide contact details;
- Describe the data breach incident and the types of information involved; and
- Provide suggested steps individuals should take to mitigate the impact of the incident.
Exceptions apply (a) where another form of mandatory notification is already required, and (b) where notification may be contrary to the public interest; the latter exception would require authorisation from the Commissioner.
Comments on the Bill can be submitted until 4 March 2016.
Please click here to view the following documents:
- Mandatory Data Breach Notification discussion paper
- Draft Privacy Amendment (Notification of Serious Data Breaches) Bill 2015
- Explanatory Memorandum
- Draft Early Assessment Regulatory Impact Statement
What action could be taken to manage risks that may arise from this development?
Companies should monitor the progress of the Bill and consider whether to make a submission on the Bill. For further details on how to make a submission, please click here.
In addition, companies should consider the preparations that would need to be made to ensure adequate policies and procedures are in place to deal with these new breach notification requirements.