Senate urged to pass data breach notification law

The Senate has been urged by a standing committee to pass mandatory data breach notification law that has been in the making since 2008.

The Privacy Amendments (Privacy Alerts) Bill 2013 was formed from recommendations by the Australian Law Reform Commission, and would force organisations to tell the Federal Privacy Commissioner, affected consumers and on occasion the media, when data breaches occur.

Organisations would be fined for breaches resulting from lax security controls that failed to take "reasonable steps" to protect user data as required by the Privacy Act.

If passed, the scheme could be enforced as early as March next year when a suite of privacy reforms come into effect.

While the six-person committee recommended the Bill be passed, they flagged issues raised in received submissions.

These included an apparent lack of clarity on the definition of "real risk of serious harm" within the definition of "serious data breach" and the breadth of exceptions to notification.

The Australian Bankers' Association, for example, argued it would be difficult to determine "what to report and what not to report".

But the government dismissed those concerns, pointing out that existing guidelines by the Office of the Australian Information Commissioner (OAIC) made it clear that only breaches likely to cause serious harm would be reported.  

Other security professionals commenting on the leaked Draft Exposure Bill raised concerns with the specific security controls and processes that the Federal Privacy Commissioner would consider to be "reasonable steps".

Federal Privacy Commissioner Tim Pilgrim said he would update the OAIC guidance as a priority should the bill pass, a move which the standing committee said it supported.

Copyright © SC Magazine, Australia