The federal government has released a discussion paper and exposure draft on the final sitting day of Parliament for 2015 that contains a new iteration of a mandatory data-breach notification regime in Australia.
The new bill is the latest attempt to introduce a mandatory breach notification regime in Australia and appears largely similar to previous iterations.
The Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 will require most federal government agencies and Australian ‘APP entities’ with an annual turnover of more than $3 million to notify the Australian Information Commissioner and other affected parties of a ‘serious data breach’ if they have reasonable grounds to believe that such a breach has occurred in respect of personal or credit information.
A serious data breach includes any unauthorised access or disclosure of information that will result in a ‘real risk of serious harm’ to affected entities. An entity is to make notifications ‘as soon as practicable’ after it becomes aware of the breach. This includes a 30-day period for entities to assess whether there are reasonable grounds to believe a ‘serious data breach has occurred’.
Submissions regarding the draft bill can be made until March 2016. The earliest the bill will come into effect is some time in 2017. As we have reported previously, a mandatory data breach regime may be the catalyst to further improving the rate of awareness of cyber risks and the adoption of appropriate countermeasures by businesses.
We will provide a more detailed analysis of the draft bill in the coming weeks.
A link to the announcement on the Attorney-General’s website can be found here.