On 3 December 2015, the Attorney-General released the exposure draft for a bill on notification for serious data breaches. A discussion paper, a draft explanatory memorandum and a draft regulatory impact statement were also released.

The legislation would affect all APP entities, as well as telecommunications service providers that are subject to the Data Retention obligations, to the extent that their activities relate to retained data. This will mainly include Federal Government agencies and most private sector organisations with an annual turnover above AU$3 million. However, businesses not covered by the Privacy Act 1988, State and Territory government agencies and local councils will not be affected by the scheme.

Under the new legislation, the Australian Privacy Commissioner and affected individuals must be notified if there are reasonable grounds to believe that a "serious data breach" has occurred. A "serious data breach" occurs where credit reporting or eligibility information, tax file number information, or personal information is subject to unauthorised disclosure that creates a "real risk of serious harm" to affected individuals.

The exposure draft identifies some relevant matters that entities could take into account in determining whether there is such a "real risk of serious harm" that gives rise to the duty of notification. These include the kind and sensitivity of the information concerned, the nature of the harm, and whether steps are being taken to mitigate it. As indicated in the discussion paper, it is also expected that the Privacy Commissioner will issue guidance material to help entities assess whether a real risk of serious harm exists.

Non-compliance may result in the Privacy Commissioner issuing a binding determination and, in instances of repeated non-compliance, the Privacy Commissioner could seek civil penalty orders from the Federal Court of Australia.
Submissions on the draft legislation are open until 4 March 2016.