- Federal Parliament recently passed a bill to amend the Privacy Act 1988 (Cth) to introduce mandatory data breach notification obligations.
- Large organisations and Commonwealth public sector agencies will be required to notify the Federal Privacy Commissioner and affected individuals if an ‘eligible data breach’ occurs: essentially, where personal information held by the organisation or agency is accessed, lost or disclosed in circumstances that are likely to result in serious harm to any of the individuals to whom the information relates.
- The introduction of mandatory data breach notification obligations may ultimately lead to an increase in privacy-related litigation (including class actions) and could drive an increase in demand for cyber risk insurance.
Personal information is in essence any information that allows an individual to be personally identified. The Privacy Act 1988 (Cth) (‘Privacy Act’) regulates the handling of this ‘personal information’ by all Commonwealth public sector agencies, as well as by private sector organisations that have an annual turnover of more than $3 million, that are health service providers, or that otherwise trade in personal information (together, ‘Organisations’). The recent introduction of a mandatory data breach notification regime in Australia has been on the horizon for a number of years.
The road to mandatory data breach notification
In May 2013, the Commonwealth Labor government introduced the Privacy Amendment (Privacy Alerts) Bill 2013 (‘2013 Bill’) to amend the Privacy Act to introduce a mandatory data breach notification regime. Despite the 2013 Bill having bipartisan support, it was not passed before the 2013 federal election and lapsed as a result.
Various subsequent attempts were made to revive the push to amend the Privacy Act. In February 2015, as part of a report into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the Parliamentary Joint Committee on Intelligence and Security (‘PJCIS’) recommended the introduction of a new mandatory data breach notification scheme. In March 2015, the government indicated that it would support all of the recommendations made by the PJCIS. In December 2015, the Attorney-General’s Department released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (‘Exposure Draft’) for public comment. It received approximately 45 submissions from industry and consumer groups, regulators, government departments, law reform bodies and major Australian and international companies. Many of the submissions raised similar issues, including concerns about the scope or lack of definition of key terms such as ‘real risk’ and ‘serious harm’, and the possibility that multiple breach notices may be required in respect of a single incident.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (‘Bill’) was subsequently introduced into the Senate on 19 October 2016. The Bill differs from the Exposure Draft in a number of ways, including changes that address many of the issues raised in the submissions on the Exposure Draft. The Bill was passed in February this year but will not take effect until 22 February 2018, unless an earlier commencement date is proclaimed.