A parliamentary committee investigating Australia's proposed mandatory data breach notification laws has expressed “unconditional support” for the bill and recommended it be passed by the Senate.
The bill aims to force organisations to notify both the Privacy Commissioner and affected individuals when the integrity of personal information held in their systems has been compromised.
A data breach notification scheme was first recommended by the Australian Law Reform Commission in 2008.
The Privacy Alerts Bill 2013 would amend the Privacy Act with two new provisions:
- “Serious data breach” - which outlines the circumstances in which an entity would have committed a serious data breach, and
- “Notifying serious data breaches” - which outlines the circumstances in which an entity must notify of a serious data breach and to whom it must do so.
The Committee recommended an entity be forced to notify affected customers and the Privacy Commissioner when a breach of specified personal information occurs that gives rise to a “real risk of serious harm” to individuals.
“Real risk of harm”, according to the Committee, should also take into account whether the information was adequately encrypted or was acquired in good faith.
The Committee also recommended the definition of “specified personal information” be taken to include information such as a combination of name and address with a unique identifier like a Medicare or account number.
The report noted that organisations would not be required to notify customers if the Privacy Commissioner deemed it to not be in the public interest.
An organisation would be required to undertake three actions when made aware of a serious data breach. The proposed legislation would force the body to prepare a detailed statement concerning the breach, provide a copy of that statement to the Privacy Commissioner, and notify those affected.
Notification could mean providing the statement to each affected individual and/or publishing a copy of the statement on the entity’s website and in “at least one newspaper circulating generally in each state/territory”.
According to the confidential bill, obtained by SC Magazine last month, failure to take reasonable steps to secure data prior to a breach could mean organisations face fines of up to $1.7 million for serious and repeat offences, or up to $340,000 for individuals.
Small-scale offenders face fines of $34,000 for individuals and $170,000 for organisations. Failure to notify the Privacy Commissioner could also attract civil penalties.
“The committee agrees that the proposed reform is 'long overdue' and would benefit Australian consumers, as well as industry stakeholders, who would be simultaneously encouraged to effect and maintain high-quality data security practices,” the committee said in its report today.
With only two and a half sitting days left, it is unclear whether the legislation will be passed before the Parliament rises ahead of the Federal Election on September 14.
The Attorney-General's office said it remains hopeful the bill will be passed before the end of the week.