On 3 December 2015 the Attorney-General George Brandis released
a discussion paper, a consultation draft explanatory memorandum and
exposure draft legislation in relation to mandatory notification of
serious data breaches.
The current approach is similar to that of a number of overseas
jurisdictions and looks to balance the benefits of mandatory
reporting with the risk of "notification fatigue" among
individuals, which would undermine the intent of the law.
Importantly, the exposure draft defines what a serious data breach
is and then specifies what needs to be notified, and who needs to
be notified.
What is a serious data breach?
A serious data breach is defined as one that occurs in relation
to personal information (including credit reporting information,
credit eligibility information or tax file number information) and
would put the individual to whom that information relates at
"real risk of serious harm". For this purpose a new
section has been inserted into the Privacy Act which provides that,
for the purposes of this legislation, harm includes physical harm,
psychological harm, emotional harm, harm to reputation, economic
harm and financial harm.
Similarly, real risk is defined to mean a risk that is not a
When does an organisation need to notify?
The draft legislation provides that notification is required
when an entity has reasonable grounds to believe that a serious
data breach has occurred. However, if an entity is uncertain, it
will have a period of 30 days in which to assess whether there are
reasonable grounds to consider that a serious data breach has
occurred and, if so, to then make the notification.
If an organisation does not consider that there has been a serious
data breach, but the OAIC considers, by virtue of complaints or
other information provided to it, that there has been, the OAIC may
direct the entity to report the data breach.
An objective or subjective test?
In determining whether a serious data breach has occurred, the
draft legislation lists relevant matters that may be taken into
consideration. These include the persons, or kinds of persons, who
have obtained, or could obtain, the information. They also include,
when considering whether the information is in a form intelligible
to an ordinary person, the assumption that the person has access to
software or other technology that is publicly available and
commonly used. Accordingly, the strength of any encryption applied
to the information, and whether it could easily be broken with such
tools, is one of the relevant matters to take into consideration.
What must a notice include?
Throughout the commentary and in the legislation there is an
assumption that the OAIC will provide guidance to entities in
relation to this legislation. This is consistent with the way in
which the amendments to the Privacy Act were passed in 2012 but did
not come into operation until 2014.
The notification that an entity needs to make is specified in
section 26WB and includes, in relation to mitigating the harm to the
affected individuals, the nature of the steps being taken, how
quickly those steps have been taken or will be taken, and the
extent to which those steps will mitigate or are likely to mitigate
When is it likely to apply?
The first hurdle is for the legislation to retain its form after
the consultation period, which is open until 4 March 2016, ends.
Assuming that the legislation proceeds as outlined, the exposure
draft states that it will commence on a date to be proclaimed or one
year from the date it is passed into law. Accordingly, it is
unlikely to apply before 2017.