Mandatory breach notification bill released
The Government has released draft legislation that will introduce mandatory breach notifications.

The Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 makes it compulsory for organisations regulated by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when certain types of security incidents compromise confidential information. The law would cover credit providers and credit reporting bodies.

A data breach occurs where there has been unauthorised access to data, or unauthorised disclosure of personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access. Examples include a malicious breach of secure information, accidental loss of IT equipment or hard copy files, and negligent or improper disclosure of information.

The amendment will cover serious breaches, where the data breach causes "a real risk of serious harm." Serious harm includes "physical, psychological, emotional, economic and financial harm, as well as harm to reputation."

Notification will be compulsory unless it would affect a law enforcement investigation or is deemed by the regulator to be contrary to the public interest.

Organisations reporting breaches will be required to assist affected individuals to take remedial steps, such as issuing new passwords.

The OAIC will have the power to direct an organisation to issue a breach notification in situations where it judges that a serious breach has occurred and no notification has been made.

The government is taking submissions on the draft until March next year.