The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (‘the Bill’) was introduced in the Australian Parliament on 19 October 2016 and is currently before the House of Representatives. The Bill proposes mandatory data breach notification provisions for agencies, organisations and other entities already regulated under the Privacy Act 1988 (Cth) (‘the Act’).
The Bill is based on recommendations by the Australian Law Reform Commission and the Parliamentary Joint Committee on Intelligence and Security. These bodies noted that with advances in technology, entities are holding increasingly larger amounts of personal information in electronic form, thus raising the risk of security breaches.
‘Mandatory data breach notification’ refers to a legal requirement to provide notice to individuals affected by security incidents compromising personal information. Entities regulated by the Act will also need to provide data breach notifications to the Australian Information Commissioner.
A data breach arises where there is unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals. A breach can also arise where personal information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure. Examples of data breaches include:
- malicious breach of the secure storage and handling of information (e.g. a cyber security incident);
- an accidental loss (e.g. the loss of IT equipment or hard copy documents); and
- a negligent or improper disclosure of information.
The Bill also introduces a harm threshold test to determine whether a data breach incident is notifiable. The test is whether a reasonable person would conclude that there is a real risk of serious harm to the individual to whom the information relates. ‘Harm’ includes physical, psychological, emotional, economic and financial harm, as well as harm to reputation.
How can the amendments affect you?
If your agency, organisation or business already has obligations under the Act, you will be subject to the notification requirements once the Bill is passed and the amendments come into operation. The proposed amendments will not apply to entities that are currently exempt under the Act, such as certain small business operators with an annual turnover of $3 million or less.
Health care and aged care providers, who regularly deal with the sensitive personal information of patients and clients, will be subject to the proposed notification obligations.