The Senate yesterday backed a motion introduced by Greens Senator Scott Ludlam that called on the government to explain delays in introducing a mandatory data breach notification scheme.
In December the government finally unveiled an exposure draft of a bill to implement such a scheme, after originally committing itself to pushing a breach notification law through parliament the end of 2015.
The introduction of a data breach notification regime formed part of the government’s response to the report of the parliamentary inquiry into the data retention.
The report of that inquiry had recommended the creation of such a scheme.
“When the government introduced its dramatically unpopular mandatory data retention laws last year it was a recommendation firstly of the Joint Committee on Intelligence and Security, and then it was a commitment of the Attorney-General, George Brandis, to introduce data breach notification laws,” Ludlam said.
Labor Senator Lisa Singh in 2014 introduced the Privacy Amendment (Privacy Alerts) Bill, which would implement a breach notification scheme, Ludlam noted.
That bill has remained stalled in the Senate since June 2014.
“After stuffing around for more than two years we got an exposure draft late last year,” Ludlam said.
“Why is this not already law? Why does the government not simply get on with it?”
Ludlam’s motion stated:
That the Senate—
(a) notes that:
(i) the Senate had begun debate on mandatory data breach notification legislation prior to the 2013 election;
(ii) the Attorney-General (Senator Brandis) committed to introduce data breach notification laws before the end of 2015 during the debate over the national data retention scheme;
(iii) the Attorney-General again committed to introduce such laws to the parliament before the end of 2015 in an answer to a question without notice on 13 October 2015;
(iv) contrary to these commitments, the bill has not been introduced; and
(b) calls on the government to make a statement to the Senate on 3 February 2016 explaining why such legislation has not been introduced, and clarifying the government's intentions.
The government is currently conducting a public consultation on its exposure draft. Submissions are being accepted by the Attorney-General’s Department until 4 March.
The scheme as currently drafted would oblige businesses to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by a breach.
A “serious breach” involves personal information, credit reporting information, or tax file information being subject to unauthorised access or disclosure and putting those individuals affected at “real risk of serious harm”.