The Government has introduced the Privacy Amendment (Privacy Alerts) Bill 2013 into the House of Representatives.
If passed the Bill will introduce mandatory data breach notification provisions for agencies and organisations that are regulated by the Privacy Act.
UPDATE: This Bill lapsed when the 2013 election was called.
The Bill will commence immediately after the amendments to the Privacy Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence on 12 March 2014.
Notification would be provided to affected individuals when a data breach relating to their personal information caused ‘a real risk of serious harm’. Notification would be compulsory unless it would impact upon a law enforcement investigation or was determined by the regulator to be contrary to the public interest.
There are specific provisions relating to serious data breaches by credit providers and credit reporting bodies of credit eligibility information and credit reporting information. There is also a requirement relating to tax file number information.
A data breach arises where there has been unauthorised access to, or disclosure of, personal information, or where personal information is lost in circumstances that could give rise to unauthorised loss or disclosure.
Data breaches can be the result of hacking, poor security and sometimes carelessness.
Serious harm, in this context, includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm. The risk of harm must be real, that is, not remote, for it to give rise to a serious data breach.
It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of notification fatigue on the part of individuals, and the lack of utility where notification does not facilitate mitigation.
In the event of a serious data breach, the regulated entity is required to provide notification to the Commissioner and affected individuals as soon as practicable after the entity believes on reasonable grounds that there has been a serious data breach.
The notice must include:
- the identity and contact details of the entity
- a description of the serious data breach
- the kinds of information concerned
- recommendations about the steps that individuals should take in response to the serious data breach, and
- any other information specified in the regulations.
The Privacy Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements.