The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“Privacy Data Breaches Bill”) has been introduced to Parliament and is currently before the House of Representatives.
The Bill implements recommendations to amend the Privacy Act 1988 by introducing a mandatory data breach notification scheme, on the basis that it will result in improved network and data security.
The Privacy Data Breaches Bill applies to entities that are regulated under the Privacy Act.
The requirements will not apply to those that are exempt from the Privacy Act requirements, such as a small business with annual turnover of $3 million or less. At this stage no new penalty provisions are proposed as part of the Privacy Data Breaches Bill.
> The Govt have (finally) introduced a bill to notify of data breaches. But it’s not a silver bullet. https://t.co/rrfRPRKRI4 @DrMoniqueMann
> — Digital Rights Watch (@DRWaus) October 20, 2016
The key objectives of the Privacy Data Breaches Bill are to:
- implement a mandatory data breach notification scheme to promote the protection of privacy of individuals, and provide certainty and consistency to organisations and agencies when responding to data breaches;
- allow individuals whose personal information has been compromised in a data breach to take remedial steps to lessen the adverse impact that might arise from the breach;
- encourage consumers to more fully engage in e-commerce, thereby boosting Australia’s digital economy by providing greater assurance about the safety of personal information;
- provide the OAIC with information about trends in data breaches that may assist in the development of useful guidance material for entities about information security; and
- improve compliance with privacy obligations – the reputational damage that can follow a high-profile data breach, and the commercial consequences of such a breach, can provide powerful incentives to improve security.
How does this affect brokers and their clients?
Entities that are regulated under the Privacy Act will need to review and consider the following:
- agreements with third parties to whom the entity may disclose personal information, in order to ensure that there are requirements for the third-party providers to notify the entity of any suspected data breaches;
- its processes for reviewing any suspected data breaches and implementing procedures to notify any eligible data breaches to the OAIC and affected individuals;
- current procedures and processes relating to the security and safety of data, including employee access to and use of such information; and
- IT security procedures and mechanisms to prevent a breach arising.
Radford Lawyers Principal and NIBA Legal Counsel Mark Radford has provided a helpful general guidance article that you can access on the NIBA website in the resources section.