Mandatory data breach notification laws and your business

Organisations in Australia will soon be legally obliged to disclose data breaches following the passing of a new bill by Federal Parliament.

After going through the House of Representatives last week, The Privacy Amendment (Notifiable Data Breaches) Bill 2016 made it to the Senate and was passed by the Government.

The bill applies to organisations that have responsibilities under the Privacy Act.

NIBA is currently preparing information for members on these matters. CEO Dallas Booth says: “It will be important for brokers to understand who will be covered by the new laws (including whether the laws apply to their own businesses), and what steps will need to be taken to comply with the laws if there is a data breach. Brokers will also need to be able to explain how cyber and related products will help clients respond when a data breach occurs.”

Companies affected by the legislation include businesses with over $3 million in turnover, smaller firms that handle sensitive information and most government agencies. Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records, are also covered under the new data breach notification scheme.

The laws will come into effect within the next 12 months. Once the mandatory data breach notification scheme starts, your business will need to report any ‘eligible’ data breaches to the Australian Privacy and Information Commissioner, Timothy Pilgrim, and notify customers who may have been affected as soon as possible.

According to the bill, a data breach is classified as an instance where there has been “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”.

As detailed in the bill, failure to comply with the new notification scheme will be “deemed to be an interference with the privacy of an individual” and there will be consequences: “A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.”