On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (the Bill) to create a mandatory notification scheme for serious data breaches was introduced into Parliament.

The Bill follows on from the Australian Government's discussion paper, Australian Privacy Breach Notification, which was released on 17 October 2012 (see our article Privacy breaches: mandatory notification a step closer). The discussion paper, in turn, followed the Office of the Australian Information Commissioner's (OAIC) publication, Data Breach Notifications: A Guide to Handling Personal Information Security Breaches (see our article, Privacy: the sands continue shifting).

The OAIC publication strongly endorsed the recommendation of the Australian Law Reform Commission's (ALRC) report on privacy laws, published in 2008, that the Privacy Act 1988 (Cth) be amended to impose a mandatory breach notification obligation.

Who does the scheme apply to?

All agencies and organisations regulated by the Privacy Act will be subject to the mandatory notification scheme. However, entities that are already exempt from the operation of the Privacy Act, such as intelligence agencies and small business operators, won't be subject to the scheme.

Law enforcement bodies will not need to comply with the scheme if notification is likely to prejudice law enforcement activities.

When must you notify?

The Bill requires notification when there has been a serious data breach. A serious data breach is where there:

  • has been unauthorised access to, or disclosure of, personal information, or personal information has been lost in circumstances that could give rise to unauthorised loss or disclosure, and
  • is a real risk of serious harm to the individual affected by the breach.

Importantly, "harm" includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial harm.

The Bill provides for the Commissioner to exempt an entity from providing notification of a serious data breach where the Commissioner is satisfied that it is in the public interest to do so.

What are the notification requirements?

If the entity believes there has been a serious data breach, it must notify the Commissioner and affected individuals as soon as practicable after forming that belief. The notice must include:

  • the identity and contact details of the entity
  • a description of the serious data breach
  • the kinds of information concerned
  • recommendations about the steps that individuals should take in response to the serious data breach, and
  • any other information specified in the regulations.

The entity may give notice by any method that it normally uses to communicate with the individual. Where there is no normal mode of communication with the particular individual, the entity must take reasonable steps to communicate with them, which could be via email, telephone or mail.

The Commissioner may direct an entity to notify where the Commissioner believes that a serious data breach has occurred and no notification has been given.

What if you fail to notify?

Failure to comply with the mandatory notification obligations is an interference with the privacy of an individual for the purposes of the Privacy Act.

The Commissioner has the power to investigate, make determinations and provide remedies for non-compliance with the Privacy Act, including:

  • initiating own motion investigations
  • making determinations
  • seeking enforceable undertakings, and
  • pursuing civil penalties for serious or repeated interferences with privacy of up to $1.7 million.

What happens next?

If passed by Parliament, the amendments will commence on 12 March 2014, at the same time as the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

Implications for agencies

Privacy remains a hot issue in the community and media, with breaches of privacy posing an increasingly serious reputational risk to agencies. The potential introduction of a mandatory notification requirement, the accompanying penalties and the Privacy Commissioner's stated intention to take a tougher approach mean that agencies will need to monitor developments carefully and review their privacy practices to ensure that they comply with the developing legislative changes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.