On Wednesday, 19 October the Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 to Parliament.
The Bill is designed to establish a data breach notification scheme for Australia and would amend the Privacy Act as it applies to all APP entities, credit reporting bodies and credit providers, and tax file number recipients. If passed, the Bill would commence 12 months after Royal Assent, so it is possible the new provisions could commence in late 2017.
What does this mean for businesses?
If there has been unauthorised access to or disclosure of personal information, and if a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the affected individuals, there is an ‘eligible data breach’ and new obligations would arise. It would also be considered an eligible data breach if information is lost with a risk of unauthorised access or disclosure.
If the entity affected by an eligible data breach can take action before any serious harm is caused, so that the serious harm is not likely to result, then the ‘eligible data breach’ is treated as never having existed, and there will not be any new legal requirement to notify affected individuals.
If there is an eligible data breach, the organisation must carry out a reasonable and expeditious investigation (using all reasonable endeavours to conclude it within 30 days). The Privacy Commissioner must be informed of the eligible data breach as soon as it is practicable to do so. There is a separate obligation to notify all affected individuals as soon as it is practicable for them to be notified.
The Privacy Commissioner (on its own motion or on application) has a public interest power to exempt an entity from the obligation to formally notify the Commissioner or affected individuals, or to specify a date by which affected individuals are to be informed.
Some welcome technical changes have been made since draft legislation was circulated in late 2015.
For corporate groups, it is intended that one group member can respond to an eligible data breach on behalf of all affected group members. The definitions relating to seriousness of harm have been simplified into a single test which seeks to balance the risk of misuse with the sensitivity of the information and the scale of the breach. Eligible data breaches are no longer legislatively described as ‘serious’, and a regulation making power which permitted some breaches to be deemed ‘serious’ has been removed.
Next steps:
Organisations doing business in Australia should prepare to implement new breach reporting processes by late 2017 or early 2018.
If you have any questions or would like assistance with preparing for the new breach notification bill, please contact If you have any questions or would like assistance with preparing for the new breach notification bill, please contact a member of our Financial Services and Regulatory Team or of the Firm’s broader Privacy team.
This article was written by James Moore, Partner.
HWL Ebsworth’s Online Account seeks to keep you up to date with important changes and developments in the financial services regulatory sector. Please feel free to share this article with any interested colleagues, or they can subscribe here to receive future Financial Services and Regulatory updates.