Draft Mandatory Data Breach obligations

On 3 December 2015, the Australian Federal Government released its exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) (Exposure Draft) to introduce mandatory obligations to report a serious data breach.

The requirements are to apply to entities governed by the Privacy Act 1988 (Cth) as well as credit reporting bodies, credit providers and file number recipients.

Industry participants and stakeholders will have until 4 March 2016 to make submissions on the Exposure Draft. The Exposure Draft contemplates that relevant entities must, as soon as practicable, report any ‘serious data breach’ to the Office of the Australian Information Commissioner and also take reasonable steps to notify the affected individuals.

Where an entity suspects a serious data breach, it has up to 30 days from the incident to investigate whether a serious data breach has occurred.

‘Serious data breach’ is currently defined in the Exposure Draft to mean where there has been unauthorised access, disclosure or loss of the personal information, credit reporting information or tax file information of an individual, which places the individual at a ‘real risk of serious harm’.

The concept of ‘real risk of serious harm’ appears broad, including any risk of physical, psychological, emotional, reputational, economic and financial harm which is not remote. There is a list of non-exhaustive factors to be considered in deciding whether a real risk of harm exists, including:

  • the kind and sensitivity of information concerned;
  • whether the information is, or can be converted to, an intelligible form;
  • whether the information is protected by security measures, and if so, the level of such protection;
  • the kind of person(s) who have obtained the information; and
  • the nature of the harm and whether the entity has taken steps to mitigate that harm.

Ash St. will be staying on top of developments.

Update 22 February 2018

Notifiable Data Breach Infographic