Out-Law News | 15 Feb 2017 | 1:41 pm | 2 min. read
Under the new regime, confirmed in amendments to the country's Privacy Act, businesses will be obliged to report some data breaches to Australia's privacy commissioner and affected customers too.
Examples of instances where notification would be required include a malicious breach of the secure storage and handling of information, accidental loss of IT equipment or hard copy documents, or a negligent or improper disclosure of information, an explanatory memorandum issued by Australia's government said.
"It is not intended that every data breach be subject to a notification requirement," according to the memorandum. "It would not be appropriate for minor breaches to be notified, because of the administrative burden that may place on entities, the risk of 'notification fatigue' on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation."
Thresholds for determining when notification is required are set out in the new legislation. Notification of data breaches – a so-called 'eligible data breach' – is only required where the thresholds are met and none of the listed exceptions, including on secrecy grounds, are engaged.
"A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure," according to the memorandum. "A data breach is an eligible data breach where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure (assuming, in the case of loss of information, that the access or disclosure occurred)."
"An eligible data breach is ‘notifiable’ … when no exceptions to notification apply," it said.
Breaches must be notified "as soon as practicable" after businesses become "aware that there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies)", it said.
According to the memorandum, data breach notifications must contain the identity and contact details of the breached entity, a description of the serious data breach, confirmation of the type of data compromised, and recommendations about the steps that individuals should take in response to the serious data breach.
Australian privacy commissioner Timothy Pilgrim said:"My office will be advised of these breaches, and can determine if further action is required. The law also gives me the ability to direct an agency or business to notify individuals about a serious data breach," Pilgrim said.
The scheme will "strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches," Pilgrim said. He said it will also "give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information".
In 2015–2016, Pilgrim's office received 107 voluntary data breach notifications. The five sectors most likely to report breaches were the Australian government, finance, health providers, retail and online services.
A date for the new laws to take effect has not been confirmed, but the new notification requirements will come into force at the latest one year after the new laws receive Royal Assent.
A UK parliamentary watchdog recently said that data breach reporting within government is inconsistent and that new guidelines are needed.
The Public Accounts Committee (PAC) said there are "major and unexplained variations in the extent to which individual departments report security breaches" at the moment, and urged the government to work with the UK's data protection authority to develop new guidelines on the issue.
Most US states already have data breach notification laws in place, while in Europe the General Data Protection Regulation (GDPR) is set to introduce mandatory data breach reporting for all companies when it comes into force on 25 May 2018.