An amendment to the Privacy Act, which will make the reporting of serious data breaches mandatory, has secured support from the Senate's Legal and Constitutional Affairs committee.If passed, the new law will take effect from March next year. It will require businesses, including banks and government agencies, to notify people when a serious data breach affecting their privacy occurs.A serious data breach is where there is a real risk of serious harm to the individual whose personal information has been exposed. The Government introduced the amendment in response to complaints that breaches were not being reported. The Australian Privacy Commissioner has criticised the current voluntary reporting system, saying that notifications have fallen despite an increase in the frequency of data breachesThe Senate recommended that organisations be forced to notify affected customers and the Privacy Commissioner when a breach of specified personal information occurs that gives rise to a "real risk of serious harm" to individuals."Real risk of harm", according to the committee, should also take into account whether the information was adequately encrypted or was acquired in good faith.The committee also recommended the definition of "specified personal information" be taken to include information such as a combination of name and address with a unique identifier like a Medicare or bank account number. The report noted that organisations would not be required to notify clients or customers if the Privacy Commissioner deemed it to not be in the public interest.