• Privacy Law Update: Notification Obligations for Data Breaches
  • July 2, 2013 | Author: Adam Salter
  • Law Firm: Jones Day - Sydney, New South Wales Office
  • There have been significant developments in the Australia privacy landscape in the past year, with the most recent developments comprised in the Privacy Amendment (Privacy Alerts) Bill 2013 (the “Bill”) which was introduced into Federal Parliament on 29 May 2013. The purpose of the Bill is to amend the Commonwealth Privacy Act 1988 (“Privacy Act”) to introduce a mandatory data breach reporting scheme for federal government agencies and private sector organisations.

    If passed, the Bill will take effect on 12 March 2014, immediately after the commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (“Privacy Amendment Act”). The Bill seeks to further enhance Australian Privacy Principle 11 introduced by the Privacy Amendment Act, which provides that entities currently regulated by the Privacy Act (“APP entities”) must take reasonable steps to protect personal information held by them.

    The Bill introduces compulsory notification requirements for serious data breaches in relation to personal information held by APP entities, credit reporting information held by credit reporting bodies, credit eligibility information held by credit providers and tax file number information held by recipients. This accountability extends to breaches by overseas entities associated with APP entities and domestic credit providers (such as parent companies and foreign service-providers).

    Under the Bill, where a serious data breach occurs (for example, through hacking or accidental disclosure of information), notification will be required to be made to affected individuals and the Australian Privacy Commissioner. Notification details must include the identity and contact details of the organisation, a description of the breach, the kinds of information concerned, and recommendations about the steps affected individuals should take. Any contravention of the proposed notification provisions will be taken to be an interference with the privacy of an individual and will accordingly enliven the enforcement and remedy provisions of the Privacy Act.

    As at 25 June 2013, the Bill is before the Commonwealth Senate (upper house of Parliament) and is likely to be passed by Parliament by the end of its term as it has bipartisan support and has received a recommendation from the Senate Committee for the passing of the Bill.