On 3 December 2015 the Government released for public consultation an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the "Bill"). The Bill follows a Government announcement in April 2015 that it supported the recommendation of the Parliamentary Joint Committee on Intelligence and Security to introduce mandatory data breach notification.
The Bill covers entities and information that are subject to the Australian Privacy Principles and is largely identical to the bill submitted by the previous government in 2013. Various forms of unauthorised access or disclosure are defined to constitute serious data breaches. A "serious data breach" will occur where unauthorised use or disclosure results in a real risk of serious harm (reputational, economic or financial) to an individual.
The Bill requires entities to comply with the notification provisions where there are "reasonable grounds to believe" that a "serious data breach" has occurred. A serious data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of, personal information which results in a real risk of serious harm to the individual to whom the information relates. Where sensitive information, such as health information, is subject to a data breach, in most cases the risk of serious harm being suffered by an individual is likely to be heightened.
The real risk of serious harm standard reflects the standard referred to in the Office of the Australian Information Commissioner's ("OAIC's") "Data Breach Notification Guide: A guide to handling personal information security breaches". The Bill sets out a variety of factors that will be taken into account in assessing whether there is a real risk of serious harm, including the sensitivity of the information, whether it is in an intelligible form and who may have accessed or could access it. Further practical guidance from the OAIC is foreshadowed in the explanatory memorandum. Harm in this context includes physical, psychological, emotional, reputational, economic and financial harm to the affected individual.
An entity is required to notify both the Commissioner and the individuals to whom the information relates, as soon as practicable after the entity becomes aware, or ought reasonably to have been aware, that there are reasonable grounds to believe that there has been a serious data breach. Where an entity suspects a serious data breach may have occurred but is not sure, it has 30 days to conduct an assessment of whether notification is required.
There are limited exceptions, including if the breach falls under the existing eHealth data breach notification scheme under the My Health Records Act 2012 (Cth).
The notification must include the identity and contact details of the entity, a description of the data breach, the kind of information involved, and recommendations about the steps that individuals should take in response to the breach.
The entity must take such steps as are reasonable in the circumstances to notify the individuals involved. If it is not practicable to do so, the entity must publish a copy of the notification statement on its website and otherwise take reasonable steps to publicise the contents of the statement.
Failure to notify as required triggers the Commissioner's usual powers to investigate, make determinations, seek enforceable undertakings and provide remedies for non-compliance. If the failure amounts to a serious or repeated interference with privacy, penalties may be imposed of up to A$360,000 for individuals and A$1.8 million for corporates.
The impact of the notification requirements on Australian businesses and foreign entities conducting business in Australia is likely to be far-reaching. Businesses should ensure they have the systems and processes in place to be able to comply with the requirements once enacted. The mandatory data breach scheme will become effective 12 months after the Bill receives royal assent.