Australia: 2016 Mandatory data breach notification bill – update

After much anticipation, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Bill) was introduced into the Parliament on 19 October 2016. If passed, organisations and Commonwealth government agencies subject to the Privacy Act 1988 (Cth) will be required to notify affected individuals and the Australian Privacy Commissioner of 'eligible data breaches'. This affects Commonwealth government agencies and organisations that have a turnover of more than $3 million annually, as well as some small businesses such as private health service providers.

What's changed since the 2015 exposure draft?
As outlined in the Bill's accompanying explanatory memorandum, there have been a number of changes to the Bill since last year's exposure draft circulated by the Attorney-General's Department. Some of the key changes include:

• a change in terminology, with data breaches that are covered by the Bill now being referred to as 'eligible data breaches' rather than 'serious data breaches';
• a change to the notification requirement threshold, with eligible data breaches only covering situations where there is a 'likely risk of serious harm' (rather than the previous 'real risk of serious harm' wording in the exposure draft);
• the removal of a requirement to notify data breaches that an entity ought reasonably to have been aware of;
• the addition of a new exception to cover situations where remedial action is taken by the entity that suffers an eligible data breach, with the effect that data breaches will no longer be considered to be an eligible data breach (and therefore notification will not be required) if the remedial action would be considered by a reasonable person to mean that there is no longer a likely risk of serious harm;
• amendments to the factors that are stated in the Bill to be relevant to determining whether there is a likely risk of serious harm, including to recognise the use of security technologies in relation to that information;
• clarification of when a notification must be given to affected individuals (as opposed to publishing it on the entity's website);
• expansion of the factors which the Privacy Commissioner must take into account in assessing whether to exempt an entity from providing notification and; and
• clarification of the notification requirements where two or more entities jointly and simultaneously hold information the subject of the data breach.

While some of the more objectionable elements of the exposure draft have been removed or pared back, the essence of the Bill remains the same. Organisations and Commonwealth Government agencies will have an obligation to notify the Australian Privacy Commissioner and affected or at risk individuals if an eligible data breach occurs. A failure to do so will be deemed to be an interference with the privacy of the individual(s). Civil penalties of up to AUD360,000 for individuals and AUD1,800,000 for bodies corporate may apply for serious or repeated interferences of privacy.

What does this mean for you?
As the introduction of a mandatory data breach notification scheme has previously received bipartisan support, it is possible that the Bill could pass relatively quickly through the Parliament. Although the Government has previously committed to passing the Bill in the Spring 2016 Parliamentary session, it remains to be seen whether this occurs.

If passed, the Bill will likely commence 12 months after receiving royal assent (if not sooner). While this may seem like a long time away, entities should start preparing for the proposed notification requirements now.

In its current form, the Bill will require entities to act quickly in assessing whether notifications need to be made. Upon becoming aware of a suspected eligible data breach, entities will have 30 days to confirm whether an eligible data breach has occurred and if it has, entities will be required to notify as soon as practicable thereafter.

Given the fast paced and constantly evolving nature of data breaches (and other cyber-incidents), there is little opportunity for 'learning as you go'. Please contact us should your organisation require any assistance in preparing for, or responding to, a cyber incident.