Draft Exposure Bill For Notification Of Serious Data Breaches Released By Attorney-General

Monday 14 December 2015 @ 11.10 a.m. | Legal Research

The Commonwealth Attorney-General’s Department has released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 for public comment. Federal Attorney-General George Brandis had previously indicated that the bill would be introduced into Parliament before the end of the year, as an adjunct to the metadata retention legislation. However, the Bill will now likely be introduced into Parliament next year, with public submissions on the exposure draft closing on 4 March 2015.

In a media release, the Attorney-General’s Department said:

“The Government is committed to improving the protection of privacy of Australians, particularly where serious data breaches place individuals at risk of harm such as financial loss or identity theft.

The Bill will amend the Privacy Act 1988 to deal with serious data breaches in a practical, effective way without placing an inappropriate regulatory burden on business.

The Government intends to consult extensively with industry and other stakeholders on the proposed scheme, in particular with a view to minimising costs and regulatory impact.”

Key Provisions

The draft Bill would insert a new Part IIIC into the Privacy Act 1988 (Cth), dealing with “serious data breaches”. In a discussion paper released with the exposure draft, the new provisions are outlined as follows:

  • “Notification to the Australian Information Commissioner (the Commissioner) and affected individuals would only be required following a ‘serious data breach’.
  • A serious data breach would occur if:
    • personal information
    • credit reporting information
    • credit eligibility information, or
    • tax file number information

    that an entity holds about one or more individuals is subject to unauthorised access or unauthorised disclosure that puts any of the individuals to whom the information relates at ‘real risk of serious harm’.”

If an entity is not certain that a serious data breach has occurred, it has 30 days to assess whether notification is required.

The Commissioner would also have the power to direct entities to undertake notification if the Commissioner believes an entity has experienced a serious data breach but has not reported it.

The new Part would apply to entities that already fall under the Australian Privacy Principles in the current Privacy Act, essentially meaning that the new provisions would only apply to private sector organisations with over $3 million in annual turnover, and to most Australian Government agencies.

Reaction to the Exposure Draft

The Vice-Chair of the Australian Privacy Foundation, David Vaile, told the Sydney Morning Herald that this application of the provisions may be too narrow:

“A backyard data-munging operation can now cause as much damage, and release as much data (but may be less scrupulous or well defended) than any big bank, telco or government agency.”

A spokesman from CHOICE, Tom Godfrey, told the Sydney Morning Herald that regardless of what happened with the draft bill, all companies should be disclosing these kinds of breaches:

“Any company, regardless of size, should be interested in protecting their customers and notifying them when there's a real risk that their personal data could have fallen into the wrong hands.”

TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products.
