March 21 — Companies operating in Australia would be required to notify the data protection authority and affected individuals of data breaches under legislation introduced March 20 in the Senate.
The bill would require companies, organizations and government agencies to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of personal data breaches.
The measure would amend the framework Privacy Act 1988, which just underwent other major revisions that took effect March 12.
The bill includes a risk of harm trigger to limit mandatory notice to breaches that pose a “real risk of serious harm to the individual.”
The bill would also authorize the OAIC to issue regulations that would require notice for breaches of particularly sensitive data, such as health information, regardless of a showing of specific serious harm.
In addition, the OAIC would be authorized to exempt a covered entity from the notice requirement on a case-by-case basis if it were “in the public interest.”
Violations of the new provisions would be enforceable under the same framework as the rest of the Privacy Act 1988, which favors attempts to resolve issues short of monetary penalties.
The proposed law would implement a call for a mandatory breach notification law proposed by the Australian Law Reform Commission (ALRC), according to a March 20 explanatory memorandum accompanying the bill.
The ALRC recommended mandatory breach notice in a 2007 draft of its recommendations for reform of the privacy regime in Australia. In August 2008, the commission formally recommended that breach notice be made mandatory.
The Office of the Privacy Commissioner drafted data breach voluntary guidelines in 2008. The guidelines were finalized in 2012.
In June 2013, the previous attempt to move from the voluntary guidelines to a mandatory breach notice law stalled in Parliament.
Full text of the Privacy Amendment (Privacy Alerts) Bill 2014 is available at http://op.bna.com/pl.nsf/r?Open=kjon-9hephw.
Full text of the explanatory memorandum on the bill is available at http://op.bna.com/pl.nsf/r?Open=kjon-9hepka.
To view additional stories from Privacy & Security Law Report® register for a free trial now