Australian businesses must now report if they’ve suffered a data breach

After being debated for years, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 finally went through the House of Representatives last week, and has now been passed by the Senate, making it legislation. All it needs is the royal sanction to become law – a step that’s basically just a formality.

The bill applies to organisations subject to the Privacy Act, so state governments, local councils and businesses with a turnover of less than $3 million a year are exempt. But other organisations and big businesses in Australia will soon be legally obliged to inform the Australian Information Commissioner and affected individuals of any ‘eligible’ data breach.

The legislation defines an eligible data breach as an “unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity” where “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates”.

What needs to be reported

The legislation requires organisations to report any data breaches within 30 days, which the Greens argued ought to be brought down to just three days, but were ultimately thwarted. The Senate also vetoed a recommendation by the Greens to bring political parties and smaller organisations with an annual turnover of less than $3 million under the governance of the Privacy Act.

The bill goes on to explain that, “Examples of when data breach notification may be required could include a malicious breach of the secure storage and handling of information (eg. in a cyber security incident), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise, where the incident satisfies the applicable harm threshold (if any).”

Other than the description of the breach, notifications should include the kind of information accessed and details on how their customers are to deal with the incident.

The penalty for non-disclosure

The bill states that failure to comply with the mandatory notification scheme will be “deemed to be an interference with the privacy of an individual" and penalties including fines of up to $360,000 for individuals and $1.8 million for corporates.

But measures have been put in place where certain breaches will not have to be reported if an organisation takes action and is confident the incident has been dealt with. For example, if a staff member in a business has "mistakenly emailed the information of one individual to another individual, asks the second individual to delete the information without using or disclosing it, and is confident that the second individual has complied with that request".

Another example cited for when the scheme does not apply involves data stored on stolen or lost devices. If that data can be wiped clean remotely before it can be accessed, the incident would not have to be reported as a breach.

A long battle

It has taken three years for both sides of Parliament to pass this bill. When the Labor Party first introduced the Privacy Alerts bill in 2013, the Coalition steamrolled the effort on the basis that there were no clear definitions for the terms “serious breach” and “serious harm”.

The new notification scheme has been welcomed by many and is being seen as an important step towards protecting Australian consumer data.