The government has finally introduced a long-awaited bill that will create a mandatory data breach notification scheme.
Justice minister Michael Keenan today introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 in the House of Representatives.
The government committed itself to legislating a data breach notification scheme in response to the parliamentary inquiry into data retention. The report of that inquiry was tabled in February 2015.
The government in December 2015 released an exposure draft of proposed legislation. (A breach notification scheme previously considered by parliament drew bipartisan support but was not passed before the 2013 election.)
The exposure draft received a mixed reception. Consultation on the draft finished in March. The Senate as recently as last week called on the government to legislate a mandatory data breach notification scheme “by the end of the 2016 sittings”.
The scheme outlined in the revised bill introduced into parliament this morning by Keenan requires an organisation subject Privacy Act obligations to notify the Australian Information Commissioner and affected individuals if it experiences a data breach of the kind specified in the bill (an “eligible data breach”).
The minister cited the US Office of Personnel Management and Ashley Madison breaches as demonstrating “the potential harm that can result to individuals following unauthorised access to or unauthorised disclosure of personal information”.
“If an individual is at likely risk of serious harm because of a data breach involving their personal information, receiving notification of the breach can allow that person to take action to protect themselves from that harm,” Keenan said. For example, an individual affected by a data breach may change a password or cancel a credit card, he said.
“Experiencing an eligible data breach under the bill will not necessarily mean that the entity concerned has breached the existing Privacy Act information security requirements,” the minister said.
“For example, it’s possible that despite having taken reasonable steps to secure personal information it holds, an entity may nonetheless experience a data breach due to human error or other circumstances that are not reasonably foreseeable.
“Where an entity has reason to suspect that an eligible data breach may have occurred, the entity is required to undertake a reasonable assessment of the circumstances. If an entity has reasonable grounds to believe they have experienced an eligible data breach, after an assessment or otherwise, the entity must notify the information commissioner and affected individuals.”
Organisations can notify individuals directly or if that is not practical publish a notice about a breach.
There are some exceptions to notification obligations. For example, if a notification could prejudice a police operation or breach legal secrecy obligations. There is also an exception if an entity “can determine with a high degree of confidence that it has taken action to remediate the harm arising from an eligible data breach before that harm has occurred,” Keenan said.
In addition, an organisation can apply to the Australian Information Commissioner for an exemption, either altogether or for a specific period. The Information Commissioner will have the power to investigate non-compliance with scheme and potentially apply for civil penalties to be levied.
The bill has undergone some changes since the exposure draft, for example changing “serious data breach” to “eligible data breach”.
Under the current version of the bill, a data breach is defined as unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals. In addition, a data breach occurs when personal information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
Serious harm, the bill’s explanatory memorandum states, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.
To give rise to an eligible data breach a reasonable person would need to be satisfied that the risk of serious harm occurring is more probable than not, the explanatory memorandum states. The bill outlines a list of relevant matters to help determine whether that is the case.
“It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of ‘notification fatigue’ on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation,” the explanatory memorandum states.