Revealed: draft Australian data breach laws


Tuesday, 07 May, 2013

Details of potential data breach notification laws in Australia were revealed last week, after SC magazine obtained a copy of confidential draft legislation.

The Federal Attorney-General’s Department shared its Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 with a small number of key stakeholders.

Such mandatory data breach notification schemes typically require organisations to notify authorities and/or customers when private data is exposed to unauthorised entities.

SC said that under the Bill, “serious” breaches would require the affected organisation to notify the Privacy Commissioner of the incident, and provide details of the breach, the compromised information and steps that victims should take.

The bill would also require the affected organisation to inform customers whose information had been exposed. The Privacy Commissioner would have the ability to force the organisation to post a public statement on its website and also inform media outlets of the incident.

The notion of a serious breach appears to have very specific definitions in the Bill. A breach would be considered serious if the organisation in question did not take “reasonable” steps to secure customers’ personal data.

The data in question would need to expose customers to a “real risk of serious harm” and could be subject to unauthorised access or disclosure.

SC notes that the paper did not define what “reasonable” steps were required to secure customers’ personal data.

Individuals may face fines of up to $340,000 for serious breaches, while organisations may be fined up to $1.7 million.

Law enforcement agencies would be exempt under the Bill, ostensibly to avoid the public losing faith in the public service should an agency be breached and to hide any possible vulnerabilities from potential attackers.

The Privacy Commissioner could also exempt an organisation from public notification of a breach if such exemption was deemed to be in the public interest.

SC reported that the scheme could come into effect as early as July this year.

A more detailed breakdown is available here.

However, according to Stilgherrian, the law would not apply to political parties, charities, national security agencies or organisations with a turnover of less than $3 million a year.

Stilgherrian’s analysis also examines the Bill’s requirement of a “real risk of serious harm” before a breach must be disclosed. He characterises the bill as requiring only “Mandatory Lite” disclosure of data breaches.

Roger Clarke, chairman of the Australian Privacy Foundation (APF), said the draft Bill could be stronger and that “there’s a number of things that need to be changed”.
