Mandatory Data Breach Reporting Bill Introduced Into Parliament

27 June 2013
Practice Group(s): Financial Services
By Andrea Beatty, Cameron Abbott, Jim Bulling, Mark Feetham and Jason Vongratsavai
The Privacy Amendment (Privacy Alerts) Bill 2013 was introduced into Parliament on 29 May 2013. Following the recommendation of the Senate Committee report tabled on 24 June, it appears that Parliament intends to pass the Bill before the winter break, despite concerns from industry about the Bill and the rushed consultation process. If passed, the Bill introduces mandatory data breach notification provisions for agencies and organisations (entities) that are regulated by the Privacy Act 1988 (Privacy Act), and will commence on the same day that the operative provisions of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence (12 March 2014).
From 12 March 2014, failure to comply with the mandatory breach reporting regime may result in enforcement action by the Privacy Commissioner. The Commissioner may, among other things, conduct investigations, make determinations and obtain enforceable undertakings from an entity. In situations of serious or repeated non-compliance, the Privacy Commissioner may also apply for civil penalties of up to AUD1.7 million for corporations and AUD340,000 for individuals. With breach reporting becoming a compulsory requirement, data breaches will potentially affect your reputation and brand name.
K&L Gates can help you prepare for the upcoming changes by assisting you with your data breach policies, staff training and identification of potential risks for your business.
What is Mandatory Breach Reporting?
Under the mandatory data breach notification framework, an entity must notify the Australian Information Commissioner and affected individuals (or, in some circumstances, the general public by publication on its website and in a newspaper circulating in each state) of serious data breaches that significantly affect an individual, as soon as practicable.
What is a Serious Data Breach?
A serious data breach includes the unauthorised access to, or disclosure of, personal information that will result in a real risk of serious harm to the individual to whom the personal information relates. A prominent example is when an entity's systems have been hacked into, but a serious data breach may also include inadvertent disclosures of personal information, for example through lost or stolen electronic devices such as laptops or mobile phones, removable storage devices or paper records containing personal information. Minor data breaches, however, will not need to be reported.
In addition, future regulations may stipulate other circumstances that constitute a serious data breach.
What is Serious Harm?
Serious harm may include physical and psychological harm to an individual, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm.[1] Prior to reporting, entities need to assess whether the risk of harm is real and not too remote.
Notice to Commissioner and Individuals
The Bill will make it compulsory to report serious data breaches to the Privacy Commissioner and affected individuals. The notice provided to the Australian Information Commissioner and individuals must include the following information:
- the identity and contact details of the entity
- a description of the serious data breach that the entity believes has happened
- the kinds of information concerned
- recommendations about the steps that individuals should take in response to the serious data breach
- any additional information specified by regulations.
Rationale for Mandatory Breach Reporting
Data breach notification allows individuals who have been affected by a breach to take steps to reduce its impact, for example by changing passwords or notifying their financial institutions.
Currently, entities may report data breaches to the Australian Information Commissioner and affected individuals voluntarily under the voluntary breach reporting framework. The Australian Information Commissioner has issued a guide (Data breach notification: A guide to handling personal information security breaches) in relation to this. However, there is currently no requirement under the Privacy Act to notify the Australian Information Commissioner or any other individual in the event of a data breach. In the 2011-2012 financial year, under the current voluntary breach reporting framework, 46 data breaches were reported. This represents a decrease of 18%[2] from the previous financial year, despite a general belief that breach incidents are increasing, that entities are holding larger amounts of personal information and that hacking incidents are increasing.[3]
What Should You Do?
You should ensure that you are prepared for mandatory breach reporting by taking the steps below.
- Creating a breach reporting policy. The policy should include processes for identifying data breaches, timeframes for actioning privacy breach responses and notification procedures.
- Training appropriate staff. Staff should be trained in identifying data breaches, reducing the impact of data breaches and reporting data breaches.
- Identification of risks. It may also be prudent to identify any potential risks and vulnerabilities to data breaches within your business.

Notes:
[1] Explanatory Memorandum, Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) 2.
[2] Office of the Australian Information Commissioner (Cth), 'Privacy Commissioner supports the release of mandatory data breach notification discussion paper' (Media Release, 17 October 2012).
[3] Explanatory Memorandum, Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) 11.
K&L Gates can assist with your privacy needs.
Authors:
Andrea Beatty, Partner, andrea.beatty@klgates.com, +61 2 9513 2333
Cameron Abbott, Partner, cameron.abbott@klgates.com, +61 3 9640 4261
Jim Bulling, Partner, jim.bulling@klgates.com, +61 3 9640 4338
Mark Feetham, Partner, mark.feetham@klgates.com, +61 2 9513 2540
Jason Vongratsavai, Lawyer, jason.vongratsavai@klgates.com, +61 2 9513 2363
This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.
©2013 K&L Gates LLP. All Rights Reserved.