The government has released the long-awaited exposure draft of legislation to create a mandatory data breach notification scheme.
The government had originally committed to legislating a scheme this year.
The introduction of a data breach notification regime formed part of the government’s response to the report of the parliamentary inquiry into the data retention scheme.
The report of that inquiry had recommended the creation of such a scheme.
The government has lived up to its commitment of a public consultation on the scheme. The Attorney-General’s Department is accepting submissions on the exposure draft until 4 March next year.
The scheme as currently drafted would oblige businesses to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by a breach.
A “serious breach” involves personal information, credit reporting information, or tax file information being subject to unauthorised access or disclosure and putting those individuals affected at “real risk of serious harm”.
Whether an individual was at risk of “serious harm” would depend on a number of factors, such as whether the information is encrypted (and how hard that encryption would be to break) and the sensitivity of the information.
All data kept to comply with the data retention scheme will be subject to the breach notification regime.
A discussion paper accompanying the exposure draft states that the government expects the Australian Information Commissioner will develop guidelines to help businesses identify “serious data breaches”.
The scheme would apply to organisations and data that are currently subject to the Privacy Act. That means it would cover most federal government agencies, and private sector and not-for-profit organisations with an annual turnover of more than $3 million.
Smaller organisations may also be subject to the scheme (health service providers, for example, and businesses that trade in personal information, employee associations, and credit reporting bodies).
If organisations are uncertain whether a serious breach has occurred, they will have up to 30 days to investigate. The Australian Information Commissioner can order an organisation to notify affected parties if it believes there has been a serious data breach.
The form of notification would depend on an organisation’s typical form of contact with an individual. In cases where it’s not possible to identify people affected by a breach, or if the cost would be excessive, an organisation may be allowed to use a public notice instead.
There are also some exceptions, such as secrecy provisions for law enforcement, and organisations can apply for an exemption from notification after a breach.
Not complying with the law would be subject to the range of existing penalties under the Privacy Act.
“The government intends to consult extensively with industry and other stakeholders on the proposed scheme, in particular with a view to minimising costs and regulatory impact,” a statement issued by Attorney-General George Brandis said.
“Their feedback will be considered before the legislation is finalised for introduction into the parliament.”
The exposure draft and discussion paper are available from the website of the Attorney-General’s Department.