Today the Federal Government released its Discussion Paper as well as its Exposure Draft in relation to the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 for consultation (Draft Bill).
The Draft Bill would apply to entities that are currently bound by the Privacy Act, including most government agencies and businesses with an annual turnover of $3 million or more. It would amend the Privacy Act to insert a new Part IIIC, requiring entities to notify the Australian Information Commissioner and affected individuals if there are reasonable grounds to believe that a 'serious data breach' (a breach that creates a 'real risk of serious harm') has occurred.
Where an entity suspects, but is not certain, that a serious data breach has occurred, it would have 30 days to assess whether notification is required. Where the Commissioner believes that an entity has experienced a serious data breach but the entity has not notified it, the Commissioner could direct the entity to do so. The Draft Bill contains detailed provisions explaining when and in what form notification of serious data breaches is required, setting out exceptions to the notification requirements, and granting the Commissioner enforcement powers.
At present, Australian Privacy Principle (APP) 11 in the Privacy Act 1988 requires government agencies and businesses subject to the Act to take reasonable steps to secure the personal information they hold, but it does not mandate notification following a data breach. Mandatory data breach notification currently applies only to unauthorised access to eHealth information under the My Health Records Act 2012. The national privacy regulator, the Office of the Australian Information Commissioner (OAIC), administers a voluntary data breach notification scheme, but the OAIC has no specific powers to deal with data breaches.
Click here for a link to the Draft Bill, Explanatory Memorandum and Regulatory Impact Statement. We will report in greater detail once we have had the chance to review the documents. Submissions must be made before 4 March 2016.