The Privacy Amendment (Privacy Alerts) Bill 2013 has received its first reading in Parliament by Attorney-General Mark Dreyfus.
If passed, the legislation will come into effect on 12 March 2014 alongside the Australian Privacy Principles (APPs).
The Bill will require government agencies and businesses to notify customers of serious data breaches in relation to personal, credit reporting, credit eligibility or tax file number information.
According to the amendments (PDF) contained in the Bill, the entity involved must give a data breach statement to the Privacy Commissioner, Timothy Pilgrim, publish a copy of the statement on its website, and publish it in at least one newspaper circulating in the relevant state or territory.
However, the notification requirements do not apply to all data breaches, but only to breaches that give rise to a risk of serious harm.
Currently there is no legal requirement in Australia for government agencies or private sector organisations to notify individuals when a data breach occurs, except in limited circumstances under eHealth laws.
“With businesses and government agencies holding more information about Australians than ever before, it is essential that privacy is safeguarded,” said Dreyfus in a statement.
“The new laws will alert consumers to breaches of their privacy, so that they can change passwords, improve security settings and make other changes as they see fit.”
However, some organisations have voiced concerns about the Bill. The Australian Privacy Foundation argued in its April 22 response to the Attorney-General that the threshold for determining when an organisation should report a breach is too high. Any breach should be subject to notification when there is any risk of harm, the APF said.
Electronic Frontiers Australia (EFA), which also made a submission, welcomed the announcement by Dreyfus. In May 2012 the EFA voted unanimously to support the implementation of mandatory data breach notification regulation. At the time, board member Karen Higgins said it was “outrageous” that an organisation could have a million people's private details exposed due to slack security and do nothing about it.
Privacy Commissioner, Timothy Pilgrim, said he has supported the introduction of mandatory data breach notification laws in Australia since they were first proposed by the Australian Law Reform Commission in 2008.
“The last couple of years have seen a number of high-profile data breaches and subsequent own motion investigations initiated by me, and research suggests that the frequency of data breaches in Australia has continued to grow over the past three years,” he said.
Despite this upward trend, the Office of the Australian Information Commissioner (OAIC) received 46 data breach notifications in the 2011–12 financial year, an 18 per cent decrease from the previous year.
“I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring,” Pilgrim said. “Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised.”
According to Pilgrim, there were “real incentives” for agencies and organisations to notify customers of a privacy breach.
“Apart from being good privacy practice, it can also engender consumer trust, reduce the cost of dealing with a data breach and mitigate against reputational damage,” he said.
Follow Hamish Barwick on Twitter: @HamishBarwick