The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill) was introduced to Parliament on 19 October 2016. The Bill seeks to amend the Privacy Act 1988 (Cth) to include a mandatory data breach notification regime. This follows the introduction and lapse in 2013 of the Privacy Amendment (Privacy Alerts) Bill 2013, and consultation on the exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015. The Bill takes into account stakeholder feedback on each of the previous versions.
Who will need to comply?
The Bill applies to APP entities, including credit providers and credit reporting bodies, and holders of tax file number information.
What are the obligations?
The Bill provides for mandatory reporting in the event of an ‘eligible data breach’. This requires entities to:
- prepare a statement describing the data breach and the information concerned, and recommending steps that affected individuals should take in response;
- give a copy of the statement to the Privacy Commissioner; and
- take reasonable steps to communicate the contents of the statement to the affected individuals (or, if impracticable, publish the statement on its website and take reasonable steps to publicise its contents).
These steps must be carried out as soon as practicable after the entity becomes aware of the data breach.
What is an ‘eligible data breach’?
The Bill provides that an eligible data breach will occur where:
- there has been unauthorised access to or disclosure of information which a reasonable person would conclude would be likely to result in serious harm to any of the individuals to whom the information relates; or
- information is lost in circumstances where unauthorised access or disclosure is likely and, if it were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Determining whether a reasonable person would conclude that access to, or a disclosure of, information would be likely to result in serious harm will require consideration of a number of factors, such as the sensitivity of the information accessed or disclosed, whether the information is protected by security measures, the likelihood that any such security measures could be overcome, the persons or types of persons who have obtained or could obtain the information, and the nature of the harm to individuals to whom the information relates.
If the Bill is passed, entities will need to incorporate a compliant data breach reporting regime into their systems and processes. Entities will have 12 months from Royal Assent to do so.