EFA welcomes yesterday’s announcement by the Attorney-General that legislation will be introduced to Federal Parliament today to make the reporting of data breaches affecting private data mandatory.
This legislation has been a long time coming, having first been recommended by the Australian Law Reform Commission back in 2008, and EFA has been a strong supporter of the principle of mandatory data breach notification for some time.
This legislation will require organisations to notify both affected individuals and the Office of the Australian Information Commissioner in cases where the breach is deemed to ‘give rise to a risk of serious harm’.
The Commissioner will have the power to seek civil penalties against organisations where there is ‘serious or repeated non-compliance’ with the requirements of this legislation. The maximum penalties will be $340,000 for individuals and $1.7 million for organisations.
The Privacy Commissioner, Timothy Pilgrim, has also welcomed the introduction of this legislation, saying that ‘All agencies and organisations must embed a culture that values and respects privacy. Mandatory data breach notification will go some way to achieving this. It will also compliment [sic] other privacy law reforms due to commence in March 2014 that will require agencies and organisations to implement new practices, procedures and systems to ensure compliance with the Privacy Act. ‘In my view, mandatory data breach notification will also lead to better public understanding of the scope and frequency of data breaches, and encourage greater privacy awareness,’ Mr Pilgrim said.
EFA concurs with the Commissioner’s comments and is hopeful that the interpretation and enforcement of the definition of ‘risk of serious harm’ will be such that this legislation will ensure that organisations take the issue of protection of private data seriously and that all breaches of such data will be duly notified.
EFA understands that the specific types of information to be covered by this legislation are as follows:
- personal information
- credit reporting information
- credit eligibility information
- tax file number information
In addition, there are protections under existing legislation covering health records.
This legislation is an important step in providing greater protection for Australians from the ever-increasing occurrence of breaches of private data from organisations of all sizes, as it will ensure individuals are given the opportunity to change passwords, cancel credit cards and take other actions to protect themselves once notified of a breach. It should also create a strong incentive for all organisations to make data security a core operational priority.
EFA appreciates the opportunities provided by the Attorney-General’s Department to provide input to the process of drafting this legislation and calls on all parties to support it.
If passed, this legislation will come into effect in March 2014, alongside the new Australian Privacy Principles [PDF].
You can review the bill at the Parliament House website.