Today the Federal Government tabled the Privacy Amendment (Privacy Alerts) Bill 2013, which amends the Privacy Act to introduce the mandatory reporting of privacy breaches.

When will these changes take effect?

If the Bill is passed, it will commence on 12 March 2014, at the same time as the amendments to the Privacy Act made last year.

What breaches need to be reported?

Serious data breaches involving the following information need to be reported:

  • personal information;
  • credit reporting information;
  • credit eligibility information; or
  • tax file numbers.

Serious data breaches will arise where:

  • there has been unauthorised access to, or disclosure of, that information, or that information is lost in circumstances that could give rise to unauthorised loss or disclosure; and
  • there is a real risk of serious harm to the data subject as a result of the breach.

If you are accountable for the acts of your overseas recipients of the information under Australian Privacy Principle 8.1, you must also report breaches by that overseas recipient.

What needs to be reported and to whom does it need to be reported?

The Information Commissioner and each of the individuals significantly affected by the serious data breach need to be notified.

The notice must set out:

  • your identity and contact details;
  • a description of the serious data breach;
  • the kind of information concerned; and
  • recommendations about the steps that the individual should take in response to the serious data breach.

It is intended that when notifying affected individuals, you may use the method of communication (if any) that you normally use to communicate with the individual.

When does the report need to be made?

As soon as practicable after forming the belief that a serious data breach has occurred.

If the Commissioner forms the view on reasonable grounds that a serious data breach has occurred, it can direct you to provide the report.

What to do now?

Assuming the Bill is passed, you should incorporate mandatory data breach reporting as part of your processes to comply with the other Privacy Amendments which take effect on 12 March 2014.