Australia will have a mandatory data breach notification scheme in place within the year after several aborted attempts, following the passage of legislation through the senate today.
The Labor and Liberal parties today united to pass the government's Privacy Amendment (Notifiable Data Breaches) Bill 2016 into law.
The passage came despite a last-ditch attempt by the Greens to amend the bill to shorten the period in which an organisation must notify of a breach from 30 days to three.
The party also attempted in vain to capture political parties and businesses with less than $3m turnover under the legislation.
The scheme applies only to government agencies and organisations governed by the Privacy Act, meaning state government organisations and local councils, plus organisations with a turnover of less than $3 million a year, fall outside the legislation.
The bill now needs only royal assent - a formality - before it becomes law.
The Liberal government had pledged to have a mandatory data breach notification scheme up and running before the end of 2015, but missed its own deadline to get the bill into parliament.
It debuted the Privacy Amendment (Notifiable Data Breaches) Bill 2016 last October.
The bill slightly edited the language of a draft published the year before, bowing to industry calls to remove the requirement to notify if an organisation "ought to have been aware" that a breach had occurred.
The newly-passed law means organisations that determine they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of a breach.
The notification must include a description of the data breach, the kind of information involved, and how customers should respond to the security incident.
Those that fail to notify face penalties including fines of up to $360,000 for individuals and $1.8 million for organisations.
The legislation considers a serious breach to have occurred when there is unauthorised access to or disclosure of customer information held by an entity, or the loss of such information, and this generates a real risk of serious harm to the individuals involved.
Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.
Organisations can take remedial action that means a suspected data breach will not be treated as a notifiable breach under the law.
The bill gives the example of when an entity becomes aware that it has "mistakenly emailed the information of one individual to another individual, asks the second individual to delete the information without using or disclosing it, and is confident that the second individual has complied with that request".
It also uses the examples of when a lost or stolen device has been remotely wiped before its content can be accessed, or when a device is left in a taxi and the individual can be certain the driver did not access the device.
The scheme will come into operation at an as-yet unannounced date within the next 12 months.
Years of effort
The passage of the bill marks the end of three years of effort by both sides of parliament to get a data breach notification scheme in operation.
The government's newly-passed bill is almost identical to the Privacy Alerts bill introduced by Labor in 2013 and again in 2015.
The Coalition government refused to support the Labor bill at the time because of concerns about a lack of definition around terms like “serious breach” and “serious harm”.