Australian businesses with an annual turnover of $3 million or more will have to disclose information breaches that involve individuals’ personal information, under new laws passed in Parliament.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced into Parliament on 19 October last year, and was passed into law after debate in the Senate on 13 February.
The passing of the long-awaited legislation puts into motion new laws that will see local organisations that are subject to regulation by the Privacy Act required to notify the Australian Information Commissioner and affected individuals of an eligible serious data breach.
In instances where it is not certain that a breach has occurred, the new laws give organisations up to 30 days to investigate whether a breach notification is needed.
According to the Bill’s explanatory memorandum, an eligible data breach will occur in situations where unauthorised access to, or unauthorised disclosure of, information would be likely to result in serious harm to any of the individuals to whom the information relates.
The explanatory memorandum also notes that breaches are not limited to malicious actions, such as theft or “hacking”, but may arise from internal errors or failure to follow information-handling policies that cause accidental loss or disclosure of individuals’ personal information.
However, in order not to impose an “unreasonable compliance” burden on local businesses, and to avoid the risk of “notification fatigue” among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement.
As it stands, the legislation relates to personal information, tax file number information, credit card information, and credit eligibility information deemed to pose “real risk of personal harm”.
Prior to the new legislation, mandatory data breach notification requirements applied only in the event of unauthorised access to certain eHealth information under the My Health Records Act 2012.
Until now, such reporting has been voluntary under the existing laws.
The proposed scheme is expected to apply to around six per cent of Australian businesses, as the Privacy Act exempts small businesses – entities with an annual turnover of $3 million or less.
The legislation passed without amendment, despite attempts by Greens Senator, Scott Ludlam, to move a motion that would have seen the legislation apply to organisations with a turnover of less than $3 million, and a motion to shorten the 30-day investigation window.