Australian businesses are one step closer to being required to report serious data breaches to affected individuals and to the Privacy Commissioner, after the Commonwealth Government released its draft serious data breach notification bill (“Bill”) for public consultation on 3 December 2015.

Businesses with annual turnover of less than $3 million that are not otherwise regulated by the Privacy Act would not be bound by this requirement.

A mandatory scheme was first proposed by the former Government in 2013.  The current Government announced its support for a mandatory scheme in February 2015, committing to introduce legislation by the end of 2015.  Although introduction of the Bill has now slipped to early 2016, it will almost certainly receive bipartisan support when it is introduced.

Under the Bill, if an entity regulated by the Privacy Act is aware, or ought reasonably to be aware, that there are reasonable grounds to believe it has suffered a ‘serious data breach’, the entity must, as soon as practicable after becoming so aware (or after it ought reasonably to have become so aware), notify the Privacy Commissioner and the individuals affected by the serious data breach of:

  • the identity and contact details of the entity;
  • a description of the breach that the entity has reasonable grounds to believe has happened;
  • the kind(s) of information concerned; and
  • recommendation(s) about what steps individuals should take in response to the breach.

The Commissioner would have the power to exempt an entity from providing notification if it is in the public interest to do so.  Conversely, the Commissioner could direct an entity to provide notification if the Commissioner believes that a serious data breach has occurred and no notification has been given.

The Bill includes several exceptions.  One applies where the affected entity has investigated the circumstances of a suspected serious data breach within 30 days of becoming aware of the suspected breach and the investigation leads the entity to conclude that there was not a serious data breach.

The Bill defines what comprises a ‘serious data breach’.  Generally, a serious data breach occurs if there is unauthorised access to, unauthorised disclosure of, or loss of, certain information held by an entity and, as a result, there is a real risk of serious harm to any of the individuals to whom the information relates.  The information covered by the Bill includes personal information, credit information and tax file number information.

The Government proposes that serious harm could include physical, psychological, emotional, economic and financial harm, as well as harm to reputation.

The Government has also released a discussion paper alongside the Bill and is seeking submissions by 4 March 2016.