The long-awaited Australian mandatory data breach notification scheme for serious data breaches is now one step closer to becoming reality. On 4 December 2015, the Australian Government opened a public consultation period on the draft Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Draft Bill), with submissions sought by 4 March 2016. If the Draft Bill is passed in its current form, government agencies and businesses (APP entities) which are subject to the Privacy Act 1988 (Cth) (Privacy Act) will be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of serious data breaches.

At present, mandatory data breach notification is required only in the event of unauthorised access to eHealth information under the My Health Records Act 2012.

A voluntary data breach notification scheme is currently administered by the OAIC, with notification encouraged where there is a "real risk of harm" to an affected individual.

Under the proposed regime set out in the Draft Bill, APP entities will be required to notify the OAIC and take reasonable steps to notify affected individuals if there are reasonable grounds to believe that a serious data breach has occurred, or if the APP entity is directed to do so by the OAIC.

The Draft Bill contains a similar notification threshold to that in the current voluntary notification regime. It states that a "serious data breach" occurs if:

  • there is unauthorised access to, unauthorised disclosure of, or loss of, personal information (or certain other information) held by an entity and as a result, there is a real risk of serious harm to any of the individuals to whom the information relates; or
  • there is unauthorised access to, unauthorised disclosure of, or loss of, personal information (or certain other information) held by an entity and any of the information is of a kind specified in the regulations.

Importantly, an APP entity will be deemed to be non-compliant with the notification obligations where it fails to become aware of a serious data breach that it reasonably should have detected. Where an APP entity suspects, but is not certain, that a serious data breach has occurred, it will have 30 days to assess whether a notification is required.

The Draft Bill also sets out the minimum level of information to be included in a notification, as well as guidance on what organisations can do when the costs of notifying will be unduly excessive.

Some limited exceptions to the mandatory notification requirements are provided in the Draft Bill, such as for law enforcement purposes and exemptions if a notification would be contrary to the public interest.

The Draft Bill has a higher notification threshold than regimes in some other international jurisdictions, as notification will only be required in the event of a "serious data breach". The stated rationale for this higher threshold is to strike a balance: enhancing the privacy of Australians without placing an unreasonable regulatory burden on business.

The public consultation period runs until 4 March 2016, with the scheme to commence 12 months after the Draft Bill receives Royal Assent.