In December last year, the Federal Government released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Bill) for public consultation.
The draft Bill, which the Government promised in April 2015, proposes to establish a mandatory data breach notification scheme under which entities bound by the Australian Privacy Principles (APP Entities) would be required to disclose “serious data breaches” to both the Office of the Australian Information Commissioner (OAIC) and the affected individuals. A serious data breach is defined in the Bill as one which involves personal information and results in a real risk of serious harm to any of the individuals to whom the information relates. The Explanatory Memorandum flags that the OAIC will likely issue guidance materials to help APP Entities assess whether a data breach is ‘serious’ for the purposes of notification.
If the new Bill sounds like old news, that’s because it is. The scheme set out in the exposure draft of the Bill is almost identical to that proposed in the Privacy Amendment (Privacy Alerts) Bill 2013 (Privacy Alerts Bill), which stalled in 2013 and was unsuccessful when reintroduced to Parliament in 2014.
While the Privacy Alerts Bill was unable to gain traction, we are optimistic for the new Bill. The difference this time is that the Government has committed to introducing a mandatory data breach notification scheme, in response to widespread public discomfort with the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Data Retention Laws), which commenced in October 2015. Given the vast amounts of metadata that telecommunications providers are now required to retain under the Data Retention Laws, a mandatory data breach notification scheme is a priority, more so than ever.
Under our current laws, an organisation is not legally required to notify either the OAIC or affected individuals if it experiences a data breach, no matter how serious the breach is. The OAIC has issued guidelines on when organisations should consider giving notification of a data breach. Organisations are encouraged to comply with the guidelines, but notification is essentially voluntary.
While some data breaches are notified under the OAIC’s voluntary scheme, many are not. According to Timothy Pilgrim, the acting Australian Information Commissioner, a mandatory notification scheme is required to “provide confidence to all Australians that, in the event of a serious data breach, they will be given the opportunity to manage their personal information accordingly.” Notification matters because it empowers individuals affected by a data breach to take steps to protect themselves, for example by changing passwords, cancelling credit cards or monitoring their accounts for fraud.
The draft Bill is a welcome indication that a mandatory data breach notification scheme will become law in Australia, sooner rather than later. That said, the general consensus is that it still needs work, particularly in relation to when the obligation to notify arises and the kinds of organisations the obligations apply to. To illustrate, an APP Entity is required to notify the OAIC and affected individuals of a serious data breach as soon as practicable after it becomes aware, or ought reasonably to have been aware, that a serious data breach has occurred. The question of when an APP Entity ought reasonably to be aware of a serious data breach is likely to create practical difficulties, since an organisation may not detect an intrusion until long after it happens. There are also arguments that more organisations should be captured by the scheme (as opposed to APP Entities only), as a small organisation that falls outside the Privacy Act but holds large amounts of personal information can cause just as much damage as an APP Entity in the event of a serious data breach.
The Government is accepting submissions on the exposure draft of the Bill until 4 March 2016. If you are interested in making a submission, or would like to understand how the Bill, if passed, will impact your organisation, Sainty Law would be pleased to assist.