New obligation to report breaches of data security
If the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 released in December goes through, most private sector entities with a turnover above $3 million and government agencies will be required to notify ‘serious data breaches’ to each affected individual and the Australian Information Commissioner. A ‘serious data breach’ is one that creates ‘a real risk of serious harm’ to the affected individuals — that can include harm to reputation, economic harm and financial harm, and also includes physical, psychological and emotional harm.
At present, companies, federal government agencies and various other Australian organisations are not required by law to disclose breaches. They can, however, voluntarily disclose a breach. The concern with voluntary reporting is that many organisations have had customer data stolen, yet very few companies reported breaches to the privacy commissioner or to affected individuals.
The bill arose from a 2015 inquiry of the Parliamentary Joint Committee on Intelligence and Security, which looked at the mischief that can arise, such as financial loss and identity theft, when data is stolen or compromised. Its aim is to ensure that individuals can take remedial steps in the event that their personal information is not secured.
If an entity suspects but is not certain a serious data breach has occurred, the entity has 30 days to assess if notification is required. The bill provides that where it would not be practicable to notify each affected individual, the entity must publish a notice about the data breach on its website and take reasonable steps to publicise the notice.
Exemptions are available, such as where notifications would be contrary to the public interest, and applications to the Commissioner are required if exemptions are sought.
Non-compliance risks enforcement action, and there are potential civil penalties for serious or repeated infringements included in the bill.
If the bill passes, entities will need to:
- identify all data that could be affected
- test systems, including how the entity gains an understanding if data has been breached
- instil a risk-aware culture around data, so that all employees understand the responsibilities to protect it
- review contracts with third party providers to assess risks.
Submissions are due 4 March.