The Attorney-General’s Department has released for discussion, an exposure draft bill regarding mandatory reporting of serious data breaches. Notification requirements will apply to companies and information subject to the Privacy Act.
Under the proposal, a company would have up to 30 days after it is aware of a breach, or ought reasonably to be aware of a breach, to assess whether a data breach is a ‘serious data breach’. A serious data breach occurs if:
- there is unauthorised access or disclosure of information; and
- there is a real risk of serious harm to any of the individuals to whom the information relates.
When considering whether there is a real risk of serious harm to an individual the draft legislation lists a number of factors that should be considered including:
- the kind of information;
- whether the information is in a form that is intelligible to an ordinary person;
- whether the information is protected by security measures;
- the kinds of person who could obtain the information;
- the nature of the harm; and
- any mitigation steps taken by the company.
If the company determines that a serious data breach has occurred, it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. The draft legislation also gives the OAIC additional powers to direct companies to undertake notification.
The proposal has a number of differences from the previous attempts to legislate mandatory data breach reporting which were made in 2013 and 2014. Most notably, previously the trigger for notification involved a belief that there had been a data breach, the current draft requires a company to be aware, or when it ought reasonably to be aware, of a breach. Additional types of specific harm are included in the current draft, however, this is unlikely to have a major impact in practice.
Currently, data notification is only mandatory for unauthorised access to eHealth information under the My Health Records Act 2012. However, the OAIC operates a voluntary data breach notification scheme which also uses the real risk of serious harm notification threshold.
The exposure draft and accompanying discussion paper can be found here. Submissions are due by 4 March 2016.