Eight years ago, Parliament voted to pass the stimulus package that would see us all receiving a nice little cheque in the post from the Hon Kevin Rudd. “Post?” you say? “And a cheque?” My, how life has changed.
Legislative history was made this week with the passage of a mandatory data breach notification law for Australia. After numerous incarnations, the bill that will require all entities bound by the Privacy Act 1988 to notify the regulator and consumers of their data breaches was passed by the Senate this week and pending Royal Assent, will become law. If not proclaimed to start earlier, the amendments will become effective on and apply from 12 months and one day after Royal Assent. Put simply, within a year, entities that experience data breaches will have to fess’ up.
Put simply, within a year, entities that experience data breaches will have to fess’ up. The Act implements recommendations of the Parliamentary Joint Committee on Intelligence and Security’s Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and the Australian Law Reform Commission’s report For Your Information: Australian Privacy Law and Practice by amending the Privacy Act to require agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of an eligible data breach.
With this law, Australia joins 47 states of the USA, the European Union, New Zealand (which has announced plans to introduce a two-tier mandatory data breach notification scheme) and Canada in passing legislation to introduce a national mandatory data breach notication scheme.
Key aspects of the bill:
- Threshold: A noticable data breach will occur where there is unauthorised access to, or unauthorised disclosure of, the information and “a reasonable person” would believe that such data breach is “likely to be result in serious harm” to any of the relevant individuals. A breach will also be noticable if the information is lost in circumstances where it is likely to lead to unauthorized access or disclosure with serious harm to the relevant individuals a likely result.
- Timing: APP entities will be required to notify an eligible data breach as soon as practicable after becoming aware of it or that there are reasonable grounds to believe that there has been an eligible data breach. If they suspect a breach has occurred, APP entities must take reasonable steps to complete, within 30 days, a “reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach”.
- Who must be noticed? APP entities will be required to notify the Australian Information Commissioner and each of the relevant individuals affected by the breach. Where it is not practicable to communicate with each of the affected individuals, the entity must publish a statement on its website or take reasonable steps to publicise it.
- Penalties for non-compliance: Failure to comply with the key provisions of the law is an interference of privacy under the Privacy Act. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of 2,000 penalty units for individuals ($360,000) and 10,000 penalty units for bodies corporate ($1.8million).
- Remedial action to overcome reporting obligation: Notication is not required if the entity takes action in relation to the loss of information or the unauthorized access or disclosure before serious harm to affected individuals has resulted and a reasonable person would conclude that serious harm to those individuals is no longer likely to occur.
- Importance of securing information: Elective security measures can mitigate the obligation to notify when information is lost. The law sets out a list of relevant factors in determining whether access or disclosure is likely to result in serious harm, including what security technology has been used to protect the information and the likelihood that the persons who have obtained it or could obtain it are likely to intend to cause harm and have the means to circumvent these measures.