The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has been passed by both Houses of Parliament.
UPDATE: Royal Assent given on 22 February 2017. This means the notification scheme will start no later than 23 February 2018.
The Bill amends the Privacy Act 1988 in order to introduce mandatory data breach notification provisions which will apply to entities currently subject to the Privacy Act, namely most Commonwealth Government agencies, private sector organisations, credit reporting bodies, credit providers and tax file number recipients.
The Bill imposes a legal requirement to provide notice to affected individuals and the relevant regulator when certain kinds of security incidents compromise information of a certain kind or kinds.
Currently, the Privacy Act does not impose an obligation on entities to notify the Australian Information Commissioner or any individuals whose personal information has been compromised. However, APP 11 requires that agencies and organisations take reasonable steps to maintain the security of the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Other provisions in the Privacy Act create equivalent obligations in relation to credit reporting information, credit eligibility information and tax file number information.
The Office of the Australian Information Commissioner (OAIC) currently has in place a voluntary guide for entities giving advice on how to handle a data breach.
The OAIC has also published a Guide to developing a data breach response plan.
The Bill’s notification scheme will commence within 12 months after the Bill receives Royal Assent.
More.
