Earlier this month, the government released a draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Bill) for public comment. If the Bill is passed without major changes, it will have a significant impact on businesses in Australia.

Effect of the Bill if Passed

The Bill will apply to any businesses or agencies already subject to the Privacy Act 1998 (Cth).

If the Bill is passed through parliament, it will become legally mandatory for businesses or agencies to ‘notify individuals when a serious breach of security leads to the disclosure of personal information’ – but only for data breaches that cause a ‘real risk of serious harm.’[1]

Examples of ‘serious harm’ include financial loss or identity theft, and more broadly, physical, psychological and emotional harm.

Breaches are not just limited to theft or ‘hacking’ – the concept includes internal errors that cause accidental loss of an individual’s personal information.

If a business reasonably believes that a serious data breach has occurred, it would be required to notify both the Commissioner and each affected individual, using whatever customer communication tools it normally uses.

If it is not practical to contact every individual, the business must take reasonable steps to publicise the notification – including on social media, on the business’ website or through print media.

Failure to Notify Penalties

If a business fails to notify the affected individuals of a serious data breach, the business will be subject to the penalties outlined in the Privacy Act.

The Commissioner can investigate the issue and direct the business to notify the affected individuals. The current drafting allows businesses to seek a review of the Commissioner’s directions in the Administrative Appeals Tribunal.

For businesses that repeatedly fail to notify individuals, the Commissioner can apply to court to impose financial penalties.

How to submit a comment

The government is seeking submissions on the draft Bill as well as the explanatory memorandum, and the Regulatory Impact Statement. These documents and instructions on submission guidelines can be accessed here:

Submissions received may be made public on the Attorney-General’s Department website unless otherwise specified. Contributors should indicate whether any part of the content should not be disclosed to the public.

[1] ALRC 108, 2008, For your information: Australian Privacy Law and Practice, [51.1].