Important reforms to the Privacy Act 1988 (Privacy Act) will come into effect on 12 March 2014. Brief summaries of the pertinent changes can be found in our previous updates, New important reforms to the Privacy Act and Reforms to the Privacy Act.
The current reforms fail to address what happens when data breaches occur that may cause a “real risk of serious harm” to the affected individuals. The Office of the Australian Information Commissioner (OAIC) has issued guidelines for data breach notifications, recommending that entities notify affected individuals and the OAIC. Under the current reforms, such notification is entirely discretionary.
Mandatory reporting laws are already part of the privacy laws in a number of other jurisdictions around the world, such as the UK, the EU and the majority of US states. These laws mitigate the consequences of a breach; act as an incentive to holders of personal data to improve data security; provide better information to the government and the public on the scope and frequency of data breaches; and maintain community confidence in legislative privacy protections. Mandatory reporting allows people affected by serious data breaches to take steps to protect their personal information, such as changing passwords or cancelling credit cards.
Australian Privacy Commissioner, Timothy Pilgrim, welcomed the proposed mandatory data breach notification laws under the Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) (Bill). This was announced by the Attorney-General, the Hon. Mark Dreyfus QC MP on 28 May 2013. The Bill proposes that when an agency or organisation has suffered a serious data breach, it must notify the affected individuals and the Australian Privacy Commissioner.
Under the Bill, if an entity fails to comply with a notification requirement, the Australian Privacy Commissioner's enforcement powers to investigate and make determinations will be available. This could result in personal and private apologies, compensation payments and enforceable undertakings. In the case of serious or repeated non-compliance with notification requirements, this could lead to a civil penalty being imposed by a court.
In parliament, the Attorney-General noted that privacy is an important human right and that Australia should be a global leader in privacy protection. Ultimately this will be an important measure to assist in combating cybercrime. US studies have indicated that mandatory data breach notification laws have lowered identity theft rates, as they act as a real incentive for holders of personal data to improve data security.
The Bill is intended to commence in March 2014, at the same time as the Privacy Act reforms.
Your organisation’s protocols will need to address its response to a reportable data breach.