Australia will finally get a mandatory data breach notification regime after a government bill was today passed by the Senate.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the House of Representatives last week.
The bill applies to organisations subject to the Privacy Act, making it mandatory for them to notify the Australian Information Commissioner and individuals whose data has been affected by an eligible data breach.
Under the legislation an eligible data breach is “unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity” where “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates”.
The notification regime created by the legislation will cover most Australian government agencies, businesses with an annual turnover in excess of $3 million, and some smaller organisations (such as those that handle health data).
Previous attempts to legislate a data breach notification scheme have failed.
The new bill formed part of the government’s response to a recommendation of a parliamentary inquiry into the data retention legislation.
The government originally committed itself to introducing and passing legislation for the scheme before the end of 2015, but it wasn’t until December 2015 that an exposure draft of a bill was released for public comment.
Greens communications spokesperson Senator Scott Ludlam unsuccessfully sought to amend the legislation in the Senate, including reducing from 30 to three days the period an organisation will have to notify affected parties of a breach.
The Senate also voted against a Greens motion that would have called on the government to extend the Privacy Act to cover political parties and businesses with an annual turnover below $3 million.