A draft serious data breach notification bill could change the way that businesses protect the privacy of their customers. The public was permitted to submit their comments on the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 until 4 March 2016.

Now that submissions have closed, they will be reviewed before the legislation is introduced in Parliament later in the year.

The draft bill is seeking to make amendments to the Privacy Act 1988 (Cth) (‘the Act’) by inserting Part IIIC, which will define when a ‘serious data breach’ occurs and when and in what form notification should be carried out.


The amendment will require entities that are regulated by the Act to notify individuals whose personal information has been compromised as well as the Commissioner when there has been a ‘serious data breach’.

A breach may occur where there has been:

  1. Unauthorised access given to an individual’s personal information;
  2. Unauthorised disclosure of an individual’s personal information; or
  3. Where information is lost and it may give rise to unauthorised access or disclosure.

A serious breach occurs where the unauthorised access, disclosure or loss of the information would cause the affected individual a real risk of harm. This harm can include psychological, physical, economic emotional or financial harm and the risk of harm must be real, not remote.


Notification must occur as soon as practicable after the breach has come to the attention of the entity. The draft has suggested a limit of 30 days from the date the entity becomes aware of the breach.

The notification must include the contact details of the reporting entity, a description of the breach, the information involved (for example, financial) and recommendations of steps the individual whose information has been compromised should take in response to the breach.

A notification may be sent by the typical method the entity utilises for communicating with the individual (for example email, fax or post). If the notification is sent via a different method, the individual may consider it a scan and fail to take action.

Where the entity is unable to provide a notification to each affected individual involved, it must take reasonable steps to publicise the breach.

However, notification will not be required for every data breach, only those that are considered ‘serious’ as defined within the Act. This will reduce the burden on entities likely to experience ‘notification’ fatigue from reporting all breaches (including those that are minor in nature).


Failure by an entity to communicate a serious data breach will result in an interference with the privacy of an individual pursuant to the Act.

The Commissioner may then exercise their power to investigate, make a determination and provide a remedy to the affected individual where necessary. Remedies enforced may include civil penalties for repeated or serious interferences with an affected individual’s privacy.


The Office of the Australian Information Commissioner has put forward the following recommendations to prevent breaches of privacy pursuant to the Act:

  1. Implement internal policies with respect to data breaches including a response plan and an appointed team of employees to manage breaches;
  2. Undertake regular reviews of your company’s security measures and record retention practices to ensure ongoing compliance;
  3. Update employee training processes to ensure your workforce is able to identify, report and (where possible) resolve potential breaches.

If the proposed amendments are adopted, the notification requirement will serve to protect individuals from the emotional and financial consequences of a serious data breach.

It is recommended that all entities undertake reviews of their current internal policies and take legal advice to adequately protect their customers and the reputation of their business.