Data breach notification to be mandatory for Commonwealth privacy laws


Crown Law usually recommends that agencies take into account a range of factors when considering whether to notify an individual that their personal information may have been affected by a security breach.

The Commonwealth Parliament has decided to remove that decision from organisations that are subject to the Privacy Act 1988.

Last week, a Bill was passed that will amend the Privacy Act to introduce a mandatory data breach notification regime. It will require organisations to notify the Australian Information Commissioner and affected individuals where there has been an ‘eligible data breach’.

Essentially, notification will be required where there has been unauthorised access to personal information and a reasonable person would conclude that there is a likely risk of serious harm to affected individuals. The concept of ‘serious harm’ is not defined and consideration of all the circumstances will be required.

There will be a period of time in which to implement notification systems and protocols before commencement of the requirement.

While Queensland departments and agencies will not be bound by the new notification requirement, it is useful to have policies about steps to take in the case of a data breach. Crown Law can help you to develop an appropriate policy.