The Federal Government hopes to pass the Privacy Amendment (Notifiable Data Breaches) Bill (Bill) by the end of the year. If passed, the Bill will amend the Privacy Act 1988 (Privacy Act) to introduce a mandatory data breach notification scheme (Scheme).
The proposed change
At the moment, entities subject to the Privacy Act have to take reasonable steps to protect personal information that they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. They are not required to disclose data breaches, though some do so voluntarily.
If passed, the Scheme would make it compulsory to disclose certain data breaches to the individuals whose information is affected.
Advocates say that mandatory notification will give affected individuals an opportunity to minimise any impacts of a data breach. It will also encourage transparency about business data handling practices.
Overview of the Scheme
An exposure draft of the Bill was released for public consultation in December 2015. The final wording may differ to address concerns raised during the consultation period. This overview is based on the exposure draft and is not a comment on any final Scheme.
The Scheme would commence 12 months after the Bill receives Royal Assent, unless the final version of the Bill provides for a different timeframe.
The Scheme will cover entities subject to the Privacy Act. With some exceptions, these include:
businesses with an annual turnover of over $3 million, and entities related to them;
Commonwealth Government agencies, and contracted service suppliers to them;
health service providers, and other organisations that hold health information;
organisations that collect, disclose and provide personal information for a benefit, service or advantage. Examples are information traders, credit agencies, and small businesses that operate residential tenancy databases;
telecommunications service providers with statutory data retention obligations.
Exceptions will apply for law enforcement and national security purposes, among others.
‘Serious data breach’
Under the Scheme, entities must notify the Australian Information Commissioner (Commissioner) and affected individuals after a ‘serious data breach’.
A ‘serious data breach’ would occur where:
there is unauthorised access or disclosure of personal, credit reporting, credit eligibility, tax file number, or other prescribed information that results in a ‘real risk of serious harm to the individual’;
any of the above information is lost, if that loss is likely to lead to unauthorised access or disclosure that would result in a real risk of serious harm to the individual.
‘Harm’ includes physical, psychological, emotional, reputational, economic, and financial harm.
In determining whether there is a ‘real risk of serious harm to an individual’, entities must consider certain matters including:
The type and sensitivity of the information involved;
Whether the information is intelligible to an ordinary person; and
Who obtained, or could obtain, the information.
Entities must notify the Commissioner and affected individuals if there are reasonable grounds to believe that a serious data breach has occurred, and the obligation will also extend to cases where they ought to have been aware that a serious data breach had occurred.
If an entity suspects a serious data breach, it has a 30-day assessment period.
Non-compliance with the requirements of the Scheme may attract penalties.
Concerns raised about the exposure draft include that some aspects require speculative and/or subjective assessment, meaning that it would be difficult for entities to objectively determine their notification obligations.
Another key concern is that, as a result of this difficulty, entities may ‘over-report’.
In any case, the final wording of the Bill may well reflect such feedback.
You can download a discussion paper, exposure draft and explanatory memorandum from the Attorney-General’s website.