Australia’s mandatory data breach notification regime takes effect today.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 made its way through parliament in early February 2017. The legislation received royal assent later that month; 12 months on, the act’s provisions are now in force.
The federal government originally announced in March 2015 that it would introduce a data breach notification scheme. That announcement was in response to the recommendation of a parliamentary inquiry into the (at the time not-yet-passed) data retention legislation.
The Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) February 2015 report recommended the introduction of a notification scheme “by the end of 2015”.
(A 2013 report by the PJCIS had argued that any bill that introduced data retention should also include “a robust, mandatory data breach notification scheme”. A bill introduced in May 2013 to create a data breach notification scheme received bipartisan support but lapsed after parliament was prorogued prior to the election that year.)
The PJCIS in its data retention report acknowledged “the security risks associated with the proposed mandatory data retention scheme and the potential for increased unlawful access to personal information.” The report stated that in the committee’s view, “there must be a [mandatory breach notification] scheme in place prior to implementation of the [data retention] Bill”.
The government in August 2015 told Computerworld that it was still “committed to the introduction of a mandatory data breach notification scheme by the end of 2015”.
However, the government by the end of December 2015 had only released an exposure draft of a bill. The proposal drew mixed responses, with a number of organisations, including bodies representing the marketing and analytics sectors, arguing there was no need for the legislation. However, the push for mandatory notification received support from privacy advocates.
In parliament, the bill received bipartisan support (though the government’s tardiness was questioned).
NDB obligations
The new scheme applies to those organisations and government agencies subject to the Australian Privacy Principles outlined in the Privacy Act, including most federal agencies, businesses with annual turnover in excess of $3 million and some smaller organisations that handle sensitive data.
Under the legislation, an eligible data breach occurs if there is “unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity” or information is lost in circumstances where “unauthorised access to, or unauthorised disclosure of, the information is likely to occur” and “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.”
Organisations are obliged to notify, where possible, individuals affected by a breach or suspected breach as well as the Privacy Commissioner.
In most cases an organisation is required to issue a notification of an eligible breach as soon as practicable, though there are provisions for an investigation period if an organisation is not sure whether a breach has occurred.
There are other cases where a notification may be deferred; for example ASIO or the Australian Signals Directorate advising an organisation not to issue a notification on national security grounds.
The Office of the Australian Information Commissioner has produced a guide to help organisations manage their response to data breaches, including their obligations under the new notification regime.
Advocacy groupDigital Rights Watch welcomed the commencement of the new scheme.
“Real data breach obligations are long overdue,” the group’s chair, Tim Singleton Norton, said in a statement. “The public deserve to be told when the companies or government agencies that hold their data lose control over it.”
“This scheme goes some way towards addressing the huge mistrust that the public already have when it comes to the protection of their personal data,” Singleton Norton said.
“We do remain concerned that the sheer volume of data that is available to government agencies makes them the primary concern when it comes to protecting the individual privacy of Australian citizens.”