Australia Adopts Law on Mandatory Data Breach Notification

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed both Houses of Parliament on 13 February. Unless the Government fixes a date for commencement by Proclamation, the law will enter into force 12 months from the date the Bill receives Royal Assent. The following is the official statement from Australian Privacy and Information Commissioner, Timothy Pilgrim:

“I welcome the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which establishes a mandatory data breach notification scheme in Australia.

I look forward to working with government, business and consumer groups during transition to this new scheme; which will help protect the privacy rights of individuals, and strengthen community trust in businesses and agencies.

This amendment will require government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that is likely to result in serious harm. My office will be advised of these breaches, and can determine if further action is required. The law also gives me the ability to direct an agency or business to notify individuals about a serious data breach.

The new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement. This will include providing additional guidance over the next 12 months, and events hosted through the OAIC’s Privacy Professionals Network.

In the meantime, agencies and businesses should continue to take reasonable steps to make sure personal information is held securely – including being equipped with a clear response plan in the event of a data breach.

The OAIC’s Data breach notification — a guide to handling personal information security and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the mandatory notification scheme. The OAIC also has a comprehensive Guide to securing personal information.”

Timothy Pilgrim PSM
Australian Privacy and Information Commissioner

Background: In 2015–16, the Office of the Australian Information Commissioner received 107 voluntary data breach notifications. The top five sectors during the year were: