The Exposure Bill proposes to amend the Privacy Act to introduce an obligation for organisations and Commonwealth Government agencies that are subject to the Privacy Act to notify the Australian Information Commissioner (Commissioner) and affected members of the public of the occurrence of a data breach in certain circumstances. In brief, if:
- an organisation or agency holds personal information, credit reporting information, credit eligibility information or tax file number information; and
- there is unauthorised access to, or unauthorised disclosure of, the information (or the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, or the information is of a particular type specified in the regulations) that will result in “a real risk of serious harm” to any of the individuals to whom the information relates,
then this will be regarded as a “serious data breach”. For the purposes of this definition, the Exposure Bill clarifies that “harm” includes physical, psychological, emotional, economic, reputational and financial harm and that a “real risk” means a risk that is not a remote risk.
If an organisation or agency is aware, or ought reasonably be aware, that there are reasonable grounds to believe that there has been a serious data breach, then the organisation or agency must:
- prepare a statement (Notification Statement) that sets out the identity and contact details of the organisation or agency, a description of the serious data breach that the entity has reasonable grounds to believe has occurred, the kinds of information that were affected and recommendations about the steps that individuals should take in response;
- provide a copy of that Notification Statement to the Commissioner; and
- notify the contents of the Notification Statement to each of the affected individuals; or
- if that is not practicable, publish a copy of the Notification Statement on its website and take reasonable steps to publicise the contents of the Notification Statement.
Organisations and agencies are allowed up to 30 days to assess whether there are reasonable grounds to believe that the relevant circumstances amount to a serious data breach.
The Commissioner will also be granted additional powers to:
- direct an organisation or agency to prepare and publicise a Notification Statement if the Commissioner believes on reasonable grounds that there has been a serious data breach in relation to that organisation or agency; and
- exempt an organisation or agency from having to prepare and publicise a Notification Statement (either on the Commissioner’s own initiative or if the affected organisation or agency applies for an exemption from this requirement).
A failure to notify a serious data breach (either when required by the relevant provision or when directed to do so by the Commissioner) is deemed to be an interference with the privacy of an individual. This deeming provision activates the complaints regime and also the civil penalty regime that exists in the Privacy Act, with the potential for serious or repeated interferences with privacy to be subject to civil penalties of up to AU$1.8 million in the case of body corporates.