Mandatory breach notification—Time runs out again
21 June 2016
Once again, time has run out for the introduction of a mandatory notification scheme for serious data breaches.
In similar circumstances to the previous attempt, the Commonwealth Government was unable to introduce and pass the proposed Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 before it went into caretaker mode.
As a result, the scheme's future will depend upon the policy objectives of the next government and its ability to progress the legislation through the new parliament.
Assuming the new government's intention is to continue with the current approach (as has been the case with the current and previous governments), it will have to contend with the industry and government agency feedback received in response to the consultation process that criticised the scope and lack of clarity of the key concepts contained in the legislative package.
In particular, feedback highlighted concerns with:
- the uncertainty and impracticality of a test involving the "ought to reasonably be aware" threshold
- how organisations could be expected to assess the harm to an individual—which has been expanded by the proposed legislation to include physical, psychological, economic and reputational harm
- practical difficulties when contractors have access to an entity's data and the potential for multiple notification obligations in respect of the same breach, and
- whether there is a need for immediate notification to the OAIC.
It will be interesting to see how any government with the intention of introducing a mandatory notification scheme addresses these concerns, while also balancing the support of the OAIC and the Australian Law Reform Commission (on whose recommendation the proposed legislation was based) for the legislation as currently drafted.
We will continue to monitor this area after the new government is formed and keep you up-to-date on any developments.