Hot on the heels of the comprehensive changes to Australia’s privacy laws that took effect on 12 March 2014, the Privacy Amendment (Privacy Alerts) Bill 2014 (2014 Bill) was introduced on Thursday 20 March 2014, and had its second reading in the Senate. The 2014 Bill would amend the Privacy Act 1988, which does not currently require any notification of a privacy breach detected by an organisation or agency. However, this looks set to change if the 2014 Bill is passed.
The 2014 Bill is identical to the Privacy Amendment (Privacy Alerts) Bill 2013 (2013 Bill), which was introduced to Parliament in May last year, other than its commencement date if passed (unless otherwise proclaimed, it would be 6 months after Royal Assent). Although the 2013 Bill was not passed before the Federal Election, and therefore lapsed, it appeared that the concept of breach notification had bi-partisan support.
While the 2014 Bill may yet change, if it is passed in its current form the proposed laws will require an organisation or agency to notify privacy breaches to the Office of the Australian Information Commissioner (OAIC) if there is a “real risk of serious harm” to the affected individuals. A notification to the OAIC will need to include various details regarding the privacy breach, such as the personal information that was accessed and steps that individuals should take in response to the breach. In addition, in some circumstances the organisation or agency will be required to notify the affected individuals or publish public notices, which could of course potentially cause significant commercial and reputational damage.
We will keep you updated on the passage of the 2014 Bill, and when it will take effect if passed.