Following a massive overhaul of the Australian Privacy Act 1988 (Cth) late last year, the Commonwealth Government has again introduced a Bill to the Australian Parliament to further reform Australian privacy and data protection laws.
The Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) will introduce mandatory reporting of privacy breaches, something that Australian law has not previously required.
If passed, the Privacy Act will require that serious data breaches be reported. Fortunately for business, the Bill will not require that all breaches be reported. A serious data breach is one that involves a real risk of serious harm to the data subject as a result of the breach. If there is unauthorised access to, or disclosure of, personal information, credit reporting information, credit eligibility information or tax file numbers, and that access or disclosure will cause harm, reporting will be required.
A serious breach also includes cases where information is lost in circumstances that could give rise to unauthorised loss or disclosure and harm to the data subject is likely. Breaches by your overseas recipients of information may also need to be reported if the Bill is passed.
If the Bill is passed and your business discovers a serious data breach, you will need to notify the person(s) concerned and the Information Commissioner as soon as practicable after discovering the breach.
If the Information Commissioner agrees that there has been a serious breach, you may be directed to provide a notice with your identity and contact details, a description of the breach, the information concerned and the steps the individual should take to mitigate the breach.
If a business fails to notify the affected individuals and the Information Commissioner, the Commissioner may use its existing powers under the Privacy Act to investigate the matter, and may seek enforceable undertakings and pursue civil penalties of up to $1.7 million.