Consultation begins on mandatory reporting for privacy breaches

Overview

The Government has released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill (Bill), which proposes to incorporate mandatory reporting of serious data breaches into the Privacy Act 1988. There are currently no mandatory reporting requirements following a breach of the obligation to secure personal information.

The changes

Where there has been a ‘serious data breach’, the Bill proposes that affected individuals and the Australian Information Commissioner must be notified.

A ‘serious data breach’ occurs where:

  • there is unauthorised access to, or disclosure of, information, and the access or disclosure will result in a ‘real risk of serious harm to any of the individuals’ that the information relates to, or any of the information is of a kind specified in the regulations;
  • information is lost in circumstances where unauthorised access to, or disclosure of, the information is likely to occur, and the access or disclosure will result in a ‘real risk of serious harm to any of the individuals’ that the information relates to; or
  • information is lost in circumstances where unauthorised access to, or disclosure of, the information may occur, and any of the information is of a kind specified in the regulations.

The Bill gives some guidance on the matters relevant to whether there is a ‘real risk of serious harm to an individual’. Relevant considerations include:

  • the kind of information concerned;
  • the sensitivity of the information involved;
  • whether the information is in a form that is intelligible to an ordinary person;
  • the people who have obtained, or who could obtain, the information; and
  • the nature of the information.

The Bill would become effective 12 months after receiving Royal Assent.

Implications

Prior to the Bill becoming effective, businesses should ensure that they have suitable measures in place to detect, manage and assess serious data breaches. Failure to comply with notification obligations may incur penalties for serious or repeated infringements.

Any submissions on the Bill are to be made by 4 March 2016.

If you would like further information or have any queries about this article, please contact Justin Hill jhill@pageseager.com.au

Copyright © 2016 Page Seager.