What is proposed? What will it mean?
The Australian Government has been consulting on what the proposed Bill to amend the Privacy Act 1988 to introduce mandatory notification reporting for serious data breaches should look like.
The Bill would require regulated Commonwealth government agencies and businesses, unless exempted, to notify the national privacy regulator and affected individuals following a serious data breach involving personal information, credit reporting, credit eligibility and tax file numbers.
The Proposed Bill in its current form does not clearly state several points that need clarification if it is to meet the objectives it sets. These include:
– A notification threshold based on ‘the real risk of serious harm’. How is the seriousness of harm to be assessed, given that affected individuals have varying tolerances for harm and that leaked data is not used uniformly? For example, if an affected individual has reused their password elsewhere, the risk of serious harm increases dramatically.
– Whether an entity is covered depends in part on its size and turnover. This is not in the best interest of citizens, as many small enterprises collect sensitive information whose disclosure may cause damage. It is our opinion that an entity should notify regardless of its size in order to protect its customers’ interests.
– The Proposed Bill affects entities governed by the Australian Privacy Principles which ‘hold’ personal information, yet information may be both held and controlled by an outsourced entity, or processed by another entity altogether. Some clarity around where responsibility lies is required.
We look forward to further information and updates about data breach notification so that we can keep our clientele informed.