On 29 May 2013, the Privacy Amendment (Privacy Alerts)
Bill 2013 (the Bill) to create a mandatory notification scheme
for serious data breaches was introduced into Parliament.
The Bill follows on from the Australian Government's
discussion paper, Australian Privacy Breach Notification,
which was released on 17 October 2012 (see our article Privacy breaches: mandatory notification a step
closer). The discussion paper, in turn, followed the
Office of the Australian Information Commissioner's (OAIC)
publication, Data Breach Notifications: A Guide to Handling
Personal Information Security Breaches (see our article, Privacy: the sands continue shifting).
The OAIC publication strongly endorsed the recommendation
of the Australian Law Reform Commission's (ALRC) report on
privacy laws, published in 2008, that the Privacy Act 1988
(Cth) be amended to impose a mandatory breach notification
Who does the scheme apply to?
All agencies and organisations regulated by the Privacy Act will
be subject to the mandatory notification scheme. However, entities
that are already exempt from the operation of the Privacy Act, such
as intelligence agencies and small business operators, won't be
subject to the scheme.
Law enforcement bodies will not need to comply with the scheme
if notification is likely to prejudice law enforcement
When must you notify?
The Bill requires notification when there has been a serious
data breach. A serious data breach is where there:
has been unauthorised access to, or disclosure of, personal information, or personal information has been lost in circumstances that could give rise to unauthorised loss or disclosure, and
is a real risk of serious harm to the individual affected by
Importantly, "harm" includes physical and psychological
harm, as well as injury to feelings, humiliation, harm to
reputation and financial harm.
The Bill provides for the Commissioner to exempt an entity from
providing notification of a serious data breach where the
Commissioner is satisfied that it is in the public interest to do
What are the notification requirements?
If the entity believes there has been a serious data breach, it
must notify the Commissioner and affected individuals as soon as
practicable after forming that belief. The notice must include:
the identity and contact details of the entity
a description of the serious data breach
the kinds of information concerned
recommendations about the steps that individuals should take in
response to the serious data breach, and
any other information specified in the regulations.
The entity may give notice by any method that it normally uses
to communicate with the individual. Where there is no normal mode
of communication with the particular individual, the entity must
take reasonable steps to communicate with them, which could be via
email, telephone or mail.
The Commissioner may direct an entity to notify where the
Commissioner believes that a serious data breach has occurred and
no notification has been given.
What if you fail to notify?
Failure to comply with the mandatory notification obligations is
an interference with the privacy of an individual for the purposes
of the Privacy Act.
The Commissioner has the power to investigate, make
determinations and provide remedies for non-compliance with the
Privacy Act, including:
initiating own motion investigations
seeking enforceable undertakings, and
pursuing civil penalties for serious or repeated interferences
with privacy of up to $1.7 million.
What happens next?
If passed by Parliament, the amendments will commence on 12
March 2014, at the same time as the Privacy Amendment
(Enhancing Privacy Protection) Act 2012.
Implications for agencies
Privacy remains a hot issue in the community and media, with
breaches of privacy posing an increasingly serious reputational
risk to agencies. The potential introduction of a mandatory
notification requirement, the associated penalties and the intention
of the Privacy Commissioner to take a tougher approach mean that
agencies will need to monitor developments carefully and review their
privacy practices to ensure that they comply with the developing
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.