This privacy and data protection update is a brief summary of the lapsed Privacy Amendment (Privacy Alerts) Bill 2013 (Qld) (Bill) (colloquially the 'data notification Bill'), which was the subject of our 4 June 2013 article (Proposed New Mandatory Data Breach Reporting: Major Implications for Managing your Privacy Law Compliance Risk), and of the tips recently revealed by the Information Privacy Commissioner that entities should action before commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Amendment Act) on 12 March 2014.

Data Notification Bill - Lapsed

The Bill, initially introduced into the House of Representatives on 29 May 2013, lapsed at the close of the 43rd Parliament.

The primary objective of the Bill, introduced during the Gillard Government term, was to require entities regulated by the Privacy Act 1988 (Cth) (Act), and later the Amendment Act, to notify significantly affected individuals if a 'serious data breach' occurred in relation to personal information held by them. Under the Bill, if an entity failed to comply, the Commissioner could use his or her existing powers with respect to that failure, including but not limited to the imposition of penalties ranging from the severe (a $1.7m civil penalty) to the less severe (a public or personal apology for non-compliance).

The lapsing of the Bill is not surprising given the Coalition's view that the Bill lacked any definition of the essential terms of 'serious breach' and 'serious harm'.

Perhaps the Federal Government will look to the European Union rules on personal data breach notification for telcos and internet service providers (ISPs), in force since 25 August 2013 (European Commission Regulation (EU) 611/2013 to the Directive 2002/58/EC). Generally, the rules require these entities to keep personal data secure and confidential and to notify the relevant national data protection authorities within 24 hours of a breach in which an individual's personal data is 'likely to be adversely impacted'. This may arise where data is stolen, lost or subject to unauthorised access or use. The affected individual must also be notified without undue delay and provided with information about the breach.

Arguably, concern regarding 'over regulation' of entities who hold and use personal data in the European Union is alleviated by the fact that such notifications are not required where telcos and ISPs can demonstrate that they implemented appropriate ICT protection.

It is unclear whether the Federal Government will adopt a similar approach in the future.

The Commissioner's tips to prepare for the new regime

In his 25 November 2013 speech delivered at the International Association of Privacy Professionals (iapp) ANZ 'Privacy Unbound' summit in Sydney, the Commissioner provided the audience with some practical advice to ensure that entities regulated by the Act are ready in time for the new privacy law regime. Briefly, the advice and reasoning imparted to relevant entities included:

  • Reviewing existing privacy policies and amending them to be 'APP' compliant;
  • Ensuring that ICT systems comply with information security requirements;
  • Preparing or reviewing existing data breach plans to ensure that entities act quickly and transparently to mitigate any damage to their reputation; and
  • Conducting privacy impact assessments for new projects or for existing projects that will be 'on foot' after commencement of the new regime.

Further information

The commencement of the Amendment Act on Wednesday 12 March 2014 marks the beginning of a new federal privacy law regime. Time is certainly 'ticking' to get your privacy house in order (including your information and communications technology systems).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.