The Coalition Government has refused to back a reinvigorated bill that would force companies to notify customers of a data breach, saying while it agrees with the concept in principle, the proposed legislation needs more work.
In March this year Labor Senator Lisa Singh re-introduced the lapsed Privacy Alerts Bill, which failed to be heard in the Senate before the upper house closed ahead of the 2013 federal election.
The text of the current Privacy Alerts Bill 2014 is identical to the Privacy Alerts Bill 2013. It seeks to compel entities that suffer a serious data breach - involving personal, credit, or tax file number data - to notify the Privacy Commissioner and individuals affected as soon as possible.
The previous bill received unconditional support from a parliamentary committee investigating the issue, but Coalition senators at the time expressed concerns about a lack of definition around terms like “serious breach” and “serious harm” in the bill, along with the speed with which the legislation was drafted.
Coalition senators today repeated the same concerns in a second reading of the bill in the Senate, arguing that by re-introducing a bill with identical text as the previous "rushed" bill, Labor had failed to address the issues highlighted in the last round of debate.
"Definitions are important. It's not something we should just be rushing through," Liberal Senator David Fawcett said.
Liberal Senator Simon Birmingham said the government needed to ensure the legislation would not have adverse impacts on stakeholders.
"These are genuine concerns because it is reasonable for people to wonder in terms of compliance how it is they can definitively comply, and what their obligations and responsibilities are in absence of a clear definition in the legislation," Birmingham said.
"It creates a circumstance of uncertainty for businesses and agencies who are expected to comply."
Fawcett said the wording of the legislation needed to be informed by further consultation with stakeholders in civil society before the Coalition would be prepared to consider it, despite interjections by Senator Singh that the previous Labor Government had spent many years discussing the proposal with industry.
"I commend Senator Singh for her desire to bring this forward and keep it on the agenda, but it's not the way to do it, without asking what we can take out of re-instituting consultation with civil society."
Fawcett said several of the parties that provided a submission to the committee investigating the topic last year had complained about the limited amount of time - in some cases only 10 hours - they were given to draft and finalise a submission.
"Without time for the committee system to do an adequate review to understand where the unintended consequences could be, that's where we see bad outcomes," he said.
The bill proposed to amend the Privacy Act with two new provisions:
“Serious data breach” - which outlines the circumstances in which an entity would have been subject to a serious data breach;
and “notifying serious data breaches” - which outlines the circumstances in which an entity must notify of a serious data breach and to whom it must do so.
The bill also floats the option of forcing affected organisations to publish a statement on their website, and potentially in media outlets, detailing the breach, the information affected and the actions individuals should take in response.
Under the scheme, the Privacy Commissioner would be able to seek penalties of up to $340,000 for individuals or $1.7 million for organisations who repeatedly or seriously offend. Small-scale offenders could be fined up to $34,000 for individuals and $170,000 for organisations.