The federal government has introduced legislation to make the reporting of data breaches mandatory, following complaints that businesses were not reporting breaches to affected customers.An amendment to the Privacy Act introduced into Parliament by the Attorney-General on Wednesday will, if passed, require businesses and government agencies to notify people when a "serious" data breach affecting their privacy occurs.The amendment also requires notification to the Office of the Australian Information Commissioner.Attorney-General Mark Dreyfus said in a statement: "The new law will alert consumers to breaches of their privacy, so that they can change passwords, improve security settings and make other changes as they see fit."If passed, the new law will take effect from March next year. The Australian Privacy Commissioner has criticised the current voluntary reporting system, saying that notifications have fallen despite an increase in the frequency of data breaches.The commissioner, Timothy Pilgrim, said in a statement: "The last couple of years have seen a number of high-profile data breaches and subsequent own motion investigations initiated by me. Research suggests that the frequency of data breaches in Australia has grown."Despite this upward trend, the Office of the Australian Information Commissioner only received 46 data breach notifications in 2011/12, an 18 per cent decrease from the previous year."I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring."Another change to the law will give the OAIC enforcement powers, including the power to issue binding directions, the power to impose civil penalties of up to A$1.1 million, and the power to accept enforceable undertakings.As to what constitutes a "serious" data breach, the OAIC's guide to handing personal information security breaches, published in April last year, says it is appropriate to notify affected individuals where there is a risk of harm.The guide says: "For example, identifiers, such as Medicare numbers, driver's licences, health care numbers and financial account numbers, such as credit or debit card numbers, might pose greater risk of harm to an individual than their name or address."