Mandatory breach reporting amendment passes House of Representatives
An amendment to the Privacy Act, which will make reporting of serious data breaches mandatory, was passed in the House of Representatives and is now headed for the Senate. If passed, the new law will take effect from March next year. It will require businesses, including banks and government agencies, to notify people when a serious data breach affecting their privacy occurs.

A data breach is a serious breach where there is a real risk of serious harm to the individual to whom the information relates. The bill provides for regulations to specify particular situations that may also be serious breaches even if they do not reach the threshold of a real risk of serious harm.

Serious harm includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm.

The Government introduced the amendment in response to complaints that breaches were not being reported. The Australian Privacy Commissioner has criticised the current voluntary reporting system, saying that notifications have fallen despite an increase in the frequency of data breaches.

The commissioner, Timothy Pilgrim, said in a statement: "The last couple of years have seen a number of high-profile data breaches and subsequent own-motion investigations initiated by me, and research suggests that the frequency of data breaches in Australia has grown.

"Despite this upward trend, the Office of the Australian Information Commissioner only received 46 data breach notifications in 2011/12, an 18 per cent decrease from the previous year.

"I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring."

Another change to the law will give the OAIC enforcement powers, including the power to issue binding directions, the power to impose civil penalties of up to A$1.1 million and the power to accept enforceable undertakings.