The Government has released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 for public consultation.
The Bill will amend the Privacy Act 1988 to deal with serious data breaches which place individuals at risk of harm such as financial loss or identity theft.
The Office of the Australian Information Commissioner (OAIC) currently administers a voluntary data breach notification scheme. The OAIC publishes guidelines on how entities subject to the Privacy Act should manage data breaches, and on how to assess the risk of harm to individuals following a data breach.
The draft Bill would amend the Privacy Act to insert a new Part IIIC, which would define when a ‘serious data breach’ occurs and explain when and in what form notification of serious data breaches is required.
The draft Bill’s mandatory data breach notification scheme would commence 12 months after the Bill receives Royal Assent.
Notification to the Australian Information Commissioner and affected individuals would only be required following a ‘serious data breach’.
A serious data breach would occur if:
- personal information
- credit reporting information
- credit eligibility information, or
- tax file number information
that an entity holds about one or more individuals is subject to unauthorised access or unauthorised disclosure that puts any of the individuals to whom the information relates at ‘real risk of serious harm’.
A serious data breach would also occur following the loss of any of the above information, if that loss is likely to lead to unauthorised access or unauthorised disclosure that would put any of the individuals to whom the information relates at real risk of serious harm.
Entities would be required to notify the Commissioner and affected individuals if there are reasonable grounds to believe that a serious data breach has occurred. An entity that failed to become aware of a serious data breach it reasonably should have detected would not be compliant with its notification obligations.
Where an entity suspected but was not certain that a serious data breach had occurred, the entity would have 30 days to assess whether notification is required. If the assessment found that there are no reasonable grounds to believe a serious data breach has occurred, notification would not be required.
Where the Commissioner believed that an entity has experienced a serious data breach, but the entity had not notified the breach, the Commissioner could direct the entity to undertake notification. This discretion would be expected to operate in cases where an entity fails to comply with its notification obligations.