Under Australia's current privacy law, there is no legal requirement for an entity to notify affected individuals if their personal information has been compromised. Recently, Australia's Government proposed data breach notification legislation that would require covered entities to report serious data breaches to affected individuals and to the Office of the Australian Information Commissioner (OAIC), the country's data protection authority. The Bill would not require notification in the event of every data breach, but contains a "harm trigger". Under the proposed legislation, covered entities would be required to notify individuals who are "significantly affected" by a "serious" data breach involving the breach of personal information, credit reporting information, credit eligibility information, or tax file number information. Factors to consider in determining whether a breach is serious enough to warrant notification would include harm to reputation, economic harm, and financial harm. Covered entities would be required to notify the affected individuals as soon as practical after the entity reasonably believed that there had been a serious data breach. If the Australian Parliament enacts the Bill as written, the breach notification requirements would go into effect in March 2014.
TIP: Australia joins a growing number of countries to pass, or consider, data breach notification laws. These laws typically apply to information collected from local residents. Entities that have a breach of triggering information should keep in mind these obligations, and should take care to examine where the impacted individuals are located. We will continue to monitor this proposed bill.