Australian businesses must now report if they’ve suffered a data breach – Notifiable Data Breaches passed

In February this year, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of ‘eligible’ data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2016, amends Australia’s Privacy Act 1988 and is slated to take effect on February 22, 2018 if no earlier date is proclaimed.

The new Notifiable Data Breach Bill covers most Australian Government departments and agencies – except for intelligence agencies, as well as all private sector and not-for-profit organisations with annual revenue of AU$3 million (US$2.3 million) or greater.

It also applies to some organisations with annual revenue under AU$3 million, including private hospitals, doctors, pharmacists, chiropractors, other health professionals, gyms, weight loss centres; child and day care centres; private schools; organisations selling or purchasing personal information; credit reporting organisations; and even individuals handling personal information – such as personal credit information, tax filers, personal property information, health records holders, conviction records, etc. – as a business.

The new law introduces a data breach notification scheme that obligates all agencies and businesses that are regulated by the Privacy Act to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of certain data breaches that are ‘likely’ to result in ‘serious harm’.

But, data breaches are not only limited to nefarious actions, like thefts or hacks. It can also apply to any accidental loss or disclosure of someone’s personal information caused by an organisation’s failure to apply ‘reasonable’ care in the handling of personal information.

Although ‘serious harm’ is not defined, the explanatory memorandum states that serious physical, psychological, emotional, economic, reputational or financial harm may qualify, as well as other types of serious harm that reasonably could result from the breach.

A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act may result in a fine of up to AU$360,000 for individuals or AU$1.8 million for organisations.

It has taken three years for both sides of Parliament to pass this bill. The new notification scheme has been welcomed and is being seen as an important step towards protecting Australian consumer data.