Australia may have mandatory privacy breach notification requirements introduced before the election later this year. This development, combined with the Privacy Commissioner’s pronouncement late last week that he would be taking an aggressive stance on enforcement, means that organisations need to get compliant with the new privacy laws as soon as possible. See below for details on a fixed price privacy compliance package.
An exposure draft of the proposed Privacy Amendment (Privacy Alerts) Bill 2013 has recently been released to a number of key industry stakeholders. While the exact text of the Bill is still a secret (we haven’t seen the Bill yet), there have been some public comments on its contents. Of course, the text of the exposure draft could change before the Bill is introduced to Parliament.
Based on media reports, the Bill appears to require organisations to notify privacy breaches to the Office of the Australian Information Commissioner (OAIC) if there is a “real risk of serious harm”. The definition of harm is important. Apparently, in the exposure draft, harm is specifically reputational harm and economic and financial harm (although other forms of harm are not specifically excluded). As the Bill currently stands, it appears that privacy breach notifications will still be largely voluntary, with notifications to the OAIC only being required in response to a serious privacy breach.
Our understanding is that a notification to the OAIC would need to include various details regarding the privacy breach, such as the information that was accessed or disclosed and remedial steps that are being taken. In addition, all the affected individuals need to be notified individually. We note that similar notification requirements are currently in place in parts of Europe and the United States.
Under the exposure draft, we understand that the Privacy Commissioner will have the power to hold an organisation responsible for a privacy breach. The Commissioner may have the power to require an organisation to post a public statement on its website or to inform media outlets of the privacy breach. These powers are to be read in conjunction with the powers the Privacy Commissioner will be gaining under the Privacy Amendment (Enhancing Privacy Protection) Act 2012. From March 2014, the Privacy Commissioner will have the power to issue penalties of up to $340,000 for individuals and $1.7 million for organisations for serious breaches.