In 2015, several countries introduced new data privacy regulations and approved new data protection regulators. As the year draws to a close, Australia joins the list of countries advancing new data privacy legislation with the Australian government’s recent release of a draft bill amending its Privacy Act to implement a new security incident notification framework.

Australia’s existing Privacy Act 1988 governs the treatment of personal information by certain government agencies and private entities. While the Office of the Privacy Commissioner has stated that notification may be part of an entity’s “reasonable steps” to protect personal information, the Privacy Act in its current form does not require notification to affected individuals or to the Privacy Commissioner following a data breach.

The new draft bill is in response to the February 2015 Advisory Report by Australia’s Parliamentary Joint Committee on Intelligence and Security into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, which recommended the introduction of a data breach notification scheme by the end of 2015. A mandatory breach notification bill was previously introduced in 2013, but failed to pass Parliament.

Definitions and scope of the proposed draft bill

The draft bill states that notification obligations would be triggered following a “serious data breach,” which is when personal information, credit reporting information, credit eligibility information, or tax file number information that an entity holds about one or more individuals is subject to unauthorized access or unauthorized disclosure that puts the individual or individuals at “real risk of serious harm.”  This includes the loss of information, if the loss is likely to lead to unauthorized access that would result in a real risk of serious harm. When considering whether an incident constitutes a “serious data breach,” an entity may take into account various factors, including the type and sensitivity of the information affected, whether the information is intelligible, whether the information is protected by security measures, the individuals who obtained or could have obtained the information, the nature of the harm, the steps taken by the entity to mitigate the harm, and any other factors the entity deems relevant.

The current Privacy Act is applicable to most Australian Government agencies and to private sector organizations with over $3 million in annual turnover, subject to some exceptions for certain private health service providers or entities that sell or purchase personal information. The proposed bill would not expand the types of entities subject to the Privacy Act.

Notification Obligations

The proposed bill would require entities to notify affected individuals and the Office of Privacy Commissioner as soon as is practicable if there are reasonable grounds to believe that a “serious data breach” has occurred. If an entity is unsure as to whether a serious data breach has occurred, the bill provides that an entity has 30 days from when it suspects the potential breach to assess the incident and decide whether notification is required. The Office of Privacy Commissioner would have the power to direct an entity to provide notification if the entity has not done so but the Office of Privacy Commissioner believes a serious data breach has occurred.

If notification is required, it must contain the identity and contact details of the entity, a description of the incident, the types of affected information, and recommendations about the steps that individuals should take in response to the incident. The entity must take reasonable steps in the circumstances to notify each individual, using whatever channels it normally uses to contact those individuals, whether by email, letter, or phone. If the entity does not have sufficient contact information for the affected individuals, it would be required to publish a notice about the data breach on its website, if it has one, and take reasonable steps to publicize the notice through a social media post or an advertisement in online or print media.

Exceptions to the requirement to notify would apply if a breach fell under the existing mandatory data breach notification obligations applicable to certain health information. Entities would also be able to apply to the Commissioner for an exemption if they believed that a serious data breach had occurred but that notification would be contrary to the public interest.

Enforcement

The draft bill provides that if an entity failed to comply with the new notification obligations, the Commissioner could investigate noncompliance and issue a binding determination if necessary, or in the event of serious or repeated noncompliance, apply to the courts to impose a civil penalty. An entity would have the ability to seek review from the Administrative Appeals Tribunal if the Commissioner directed it to provide notification of a serious data breach, or refused to grant an exemption.

The Australian government will consider comments on the bill submitted by March 4, 2016. It anticipates that the mandatory data breach notification scheme would commence 12 months after the draft bill receives royal assent.