The government has indicated it intends to push ahead with legislation to create a mandatory data breach notification scheme.
The Department of Prime Minister and Cabinet’s list of legislation proposed for introduction in the new parliament includes the Privacy Amendment (Notifiable Data Breaches) Bill, with a note indicating the government’s intention to seek passage for the bill during the spring sittings of parliament.
The government's move to pass data breach notification legislation is in response to a recommendation of an inquiry into Australia’s data retention legislation. The government had originally committed to legislating a data breach notification scheme in 2015.
An exposure draft of the breach notification bill, made public in December, would oblige businesses to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by a breach.
A “serious breach” is defined as one in which personal information, credit reporting information, or tax file information is subject to unauthorised access or disclosure and that puts the affected individuals at “real risk of serious harm”.
The scheme would apply to organisations and data that are currently subject to the Privacy Act. That means it would cover most federal government agencies, and private sector and not-for-profit organisations with an annual turnover of more than $3 million.
Smaller organisations may also be subject to the scheme: for example, health service providers, businesses that trade in personal information, employee associations, and credit reporting bodies.
All data retained as part of the data retention scheme would be subject to the regime.
Although mandatory data breach notification is supported by privacy advocates, it has had a mixed reception among business.
The Australian Industry Group (Ai Group) and the Association for Data-driven Marketing and Advertising (ADMA), as well as ADMA's associated organisations the Institute of Analytics Professionals of Australia (IAPA) and the Australian Interactive Media Industry Association of Australia (AIMIA), have argued that they do not see the need for such a scheme.
A number of businesses, including Microsoft, Telstra and PayPal, have given at least in-principle support to such a scheme.
Both houses of parliament are scheduled to sit on 30 August.