Express law No. 190

5 June 2013

Privacy reforms: introduction of Bill requiring notification of serious data breaches

The Privacy Amendment (Privacy Alerts) Bill 2013 has recently been introduced into Parliament. It sets out further proposed amendments to the Privacy Act 1988.

If enacted, these privacy alert reforms will commence immediately after the significant privacy reforms made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence on 12 March 2014.

Main features of the Bill

This Bill requires Commonwealth agencies and businesses to notify individuals affected by certain 'serious data breaches'. They must also notify the Office of the Australian Information Commissioner of these breaches. Serious data breaches primarily involve instances where there is unauthorised access to, or unauthorised disclosure of, certain types of information, which results in a real risk of serious harm to individuals to whom the information relates. Affected individuals who must be notified are those at 'real risk of serious harm' from the data breach or those affected by a data breach involving prescribed personal information.

Information that, if accessed or disclosed, may require notification includes personal information, credit reporting information, credit eligibility information and tax file number information.

There are some exceptions to the notification obligations. These exceptions include where notification would be likely to prejudice an enforcement body's enforcement-related activities and where notification would be inconsistent with a secrecy provision.

Under the Bill the Australian Information Commissioner is given power to direct Commonwealth agencies and other entities to notify individuals in an appropriate manner about serious data breaches. Contravention of notification obligations will be taken to be an act that is an interference with the privacy of an individual, thereby triggering other powers of the Commissioner under the Privacy Act, including the powers to seek civil penalties.

Implications for Commonwealth agencies

If this Bill is passed into law, agencies will need to be alert to their notification requirements should any data breaches occur in relation to personal or any other relevant categories of information that they hold.

If such a breach occurs, agencies will need to consider whether it is a serious data breach and whether they are required to notify affected individuals.

AGS worked with the Attorney-General's Department and the Office of Parliamentary Counsel in the preparation of this Bill.

For further information please contact:

Jane Lye
Senior Executive Lawyer
T 07 3360 5736

Elena Arduca
Senior Executive Lawyer
T 03 9242 1473

Justin Davidson
Senior Executive Lawyer
T 02 6253 7240

Tara McNeilly
Senior General Counsel
T 02 6253 7374

Attorney-General's Department contact:
Richard Glenn
Assistant Secretary
Business and Information Law Branch
Attorney-General's Department
T 02 6141 3615

Important: The material in Express law is provided to clients as an early, interim view for general information only, and further analysis on the matter may be prepared by AGS. The material should not be relied upon for the purpose of a particular matter. Please contact AGS before any action or decision is taken on the basis of any of the material in this message.