The federal government has introduced mandatory data breach notification laws into parliament after missing a self-imposed deadline to have a scheme up and running before the end of last year.
The substance of the proposed laws – and the process for declaring a breach – is largely unchanged from an exposure draft published by the Attorney-General last December. The government spent until March this year consulting with industry on the proposed changes.
However, the government has heeded calls from industry to edit the language of the bill to remove the requirement for notification if an organisation "ought to have been aware" a breach had occurred.
Under the bill, organisations that determine they have been breached or have lost data will need to report the incident and notify customers who are directly affected or "at risk". Those that fail to do so face a range of penalties, including fines of $360,000 for individuals and $1.8 million for organisations.
However, in self-assessing the seriousness of a breach – the key step in working out whether the incident must be notified under the scheme – entities are asked to take into account the steps they took to mitigate or limit damage once they became aware of the issue.
The bill makes it clear that certain actions can mean that a data breach or loss “is not, and is taken never to have been, an eligible data breach” under the law.
The explanatory memorandum accompanying the bill said this could arise when “an entity which becomes aware that it has mistakenly emailed the information of one individual to another individual, asks the second individual to delete the information without using or disclosing it, and is confident that the second individual has complied with that request".
It could also come into play when an employee accesses information without authorisation or malicious intent, “where the entity restricts the employees’ access to the information and otherwise ensures that no further unauthorised access, use or disclosure of the information occurs, and continues to otherwise comply with the Privacy Act in relation to the information".
A breach may also not be reportable if a lost or stolen device is remotely wiped “before its content can be accessed without authorisation".
And the exemptions could even apply if action is taken “to recover hard copy information that an employee of the entity left in a taxi”.
In this case, the entity would need an assurance from “the driver … that he or she has not accessed or disclosed the information while it was in his or her care".
The government made it clear in both the exposure draft and bill that while it wants to prevent under-reporting of data breaches in Australia, it also does not want companies to over-report "out of an abundance of caution".
Industry had warned of the perils of "notification fatigue" in its response to last year's exposure draft.
The scheme applies to government agencies as well as organisations that already must comply with the Privacy Act.
The government said about six percent of Australian businesses would be subject to mandatory data breach notification.
Liberal and Labor governments have each tried to introduce legislation governing breach notifications on two separate occasions, but neither effort made it into law before its deadline.