Developments for data breaches
17 August 2017
New mandatory data breach notification provisions are to be introduced for agencies, organisations and certain other entities that are regulated by the Privacy Act 1988 under the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill). This is an inevitable and (for some) welcome change that has been a long time coming.
The Australian Law Reform Commission notes in its Report 108 that advances in technology mean entities are increasingly holding vast amounts of sensitive information in digital form. The Bill's Explanatory Memorandum says in s 3 that this raises "the risk that a security breach around this information could result in others using the information for identity theft and identity fraud".
Part F, Section 51 of Report 108 says the amendments require that notification be given to those whose privacy has been infringed by a data breach that has caused "a real risk of serious harm". This will allow affected individuals to change their passwords or take other remedial steps to minimise the adverse effects of the breach. Notification of cyber threats and data breaches will be mandatory, unless it would (a) impact upon a law enforcement investigation or (b) be determined by the regulator to be contrary to the public interest.
This development is the latest in a string of recommendations made by the Parliamentary Joint Committee on Intelligence and Security and the Australian Law Reform Commission to combat cyber threats and critical data breaches, such as those faced by Medicare recently, in a perpetually evolving technological landscape.