Australia has passed data breach notification legislation requiring certain companies with annual revenue over AU $3 million ($2.3 million) to notify the Australian Information Commissioner and affected individuals in the event of a qualifying data breach.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”), which the Australian Senate passed on February 13th, amends the Privacy Act of 1988 (Privacy Act) to require that qualifying companies provide notification if there is “unauthorized access to, unauthorized disclosure of, or loss of, personal information by an entity,” and “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.” According to the Office of the Australian Information Commissioner, examples of personal information include names, signatures, addresses, telephone numbers, dates of birth, medical records and “commentary or opinion” about individuals.

Within 30 days of becoming aware of a breach, companies must “take all reasonable steps” to complete a “reasonable and expeditious” assessment of whether the breach triggers the Bill’s notification requirements. In conducting such an assessment, companies should consider the type and sensitivity of the personal information at issue, security measures that protect the information, the likelihood those measures may be overcome, the identity of the individuals who obtained the information, and the likelihood that these individuals have any intention of causing harm. The Bill’s explanatory memorandum describes serious financial, economic or physical harm as the most likely harm giving rise to the Bill’s notification requirements, but does not exclude serious psychological or emotional harm.

Companies must notify the Commissioner and individuals as soon as practicable after becoming aware of an applicable breach. Notifications must include a description of the breach, the kinds of information concerned, and steps individuals should take in response. According to the Bill’s explanatory memorandum, the Commissioner can initiate investigations and make applications for civil penalties for “serious or repeated interferences with the privacy of an individual.”

Entities that are not covered by the Privacy Act’s requirements, such as intelligence agencies, political parties, media organizations and small business operators, are also exempt from the Bill’s requirements.

The Bill may take effect on a date set by proclamation; otherwise, if the provisions have not commenced within 12 months of the day after the Bill receives the Royal Assent, which is still pending, they take effect at that point. It is generally expected that the Bill will become effective in 2018.