Australia finally has mandatory data breach notification

By Allie Coyne on Feb 13, 2017 1:18PM

After many years of trying.

Australia will have a mandatory data breach notification scheme in place within the year after several aborted attempts, following the passage of legislation through the senate today.

The Labor and Liberal parties today united to pass the government's Privacy Amendment (Notifiable Data Breaches) Bill 2016 into law.

The passage came despite a last-ditch attempt by the Greens to amend the bill to shorten the period in which an organisation must notify of a breach from 30 days to three.

The party also attempted in vain to capture political parties and businesses with less than $3m turnover under the legislation.

The scheme applies only to government agencies and organisations governed by the Privacy Act, meaning state government organisations and local councils, plus organisations with a turnover of less than $3 million a year, fall outside the legislation.

The bill now needs only royal assent - a formality - before it becomes law.

The Liberal government had pledged to have a mandatory data breach notification scheme up and running before the end of 2015, but missed its own deadline to get the bill into parliament.

It debuted the Privacy Amendment (Notifiable Data Breaches) Bill 2016 last October.

The bill slightly edited the language of a draft published the year prior, bending to industry calls to remove the requirement for notification if an organisation "ought to have been aware" a breach had occurred.

The newly-passed law means organisations that determine they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of a breach.

The notification must include a description of the data breach, the kind of information involved, and how customers should respond to the security incident.

Those that fail to notify face penalties including fines of $360,000 for individuals and $1.8 million for organisations.

The legislation considers a serious breach to have occurred when there is unauthorised access to, disclosure or loss of customer information held by an entity, which generates a real risk of serious harm to individuals involved.

Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.

Organisations can take certain actions that mean a suspected data breach will not be considered one under the law.

The bill gives the example of when an entity becomes aware that it has "mistakenly emailed the information of one individual to another individual, asks the second individual to delete the information without using or disclosing it, and is confident that the second individual has complied with that request".

It also uses the examples of when a lost or stolen device has been remotely wiped before its content can be accessed, or when a device is left in a taxi and the individual can be certain the driver did not access the device.

The scheme will come into operation at an as-yet unannounced date within the next 12 months.

Years of effort

The passage of the bill marks the end to three years of effort by both sides of parliament to get a data breach notification scheme in operation.

The government's newly-passed bill is almost identical to the Privacy Alerts bill introduced by Labor in 2013 and again in 2015.

The Coalition government refused to support the Labor bill at the time because of concerns about a lack of definition around terms like “serious breach” and “serious harm”.

The Liberals' own data breach legislation came as a result of recommendations made last year by the parliamentary joint committee tasked with reviewing the government's data retention bill.

Copyright © iTnews.com.au . All rights reserved.