The Australian Federal Parliament commenced sitting on August 30, 2016, and the long-proposed mandatory data breach notification legislation is again on the newly-elected Coalition Government’s agenda. Currently, the Australian Privacy Act 1988 (Cth) does not require an organisation or agency to notify an individual of a data breach involving their personal information, but this looks likely to change soon.
The Department of Prime Minister and Cabinet has proposed introducing and passing the Privacy Amendment (Notifiable Data Breaches) Bill (“Data Breaches Bill”) in the Spring 2016 parliamentary session. That session runs until December 1, 2016, so the Government is aiming to have the Data Breaches Bill passed by the end of the year. Although this deadline may seem optimistic, both the Labor Party and the Greens have supported a previous mandatory data breach notification scheme.
It is unclear whether the Government has made any substantive changes to the exposure draft of the legislation that was released in December 2015 (“Exposure Draft”), because the text of the Data Breaches Bill has not yet been formally introduced in Parliament. As we mentioned in our December 2015 and April 2016 updates, 45 separate organisations, including industry and consumer groups, major companies, and other government bodies, submitted comments on the Exposure Draft.
Under the Exposure Draft, data breach notification obligations would come into effect 12 months after the bill received royal assent. It is likely a similar period will apply for the Data Breaches Bill. Accordingly, it is possible that data breach notification obligations could become part of privacy compliance obligations under the Australian Privacy Act by the end of 2017. We will continue to monitor the introduction and passage of the Data Breaches Bill.
Although the scheme is still some time away, organisations and agencies need to be proactive and should start preparing for the introduction of mandatory data breach notification obligations now. Internal data breach response plans and processes should be updated, and contracts with external service providers who handle personal information should be updated to include an obligation to notify in the event of a data breach.