Government agencies and organisations that fall under the Privacy Act (we're talking businesses with a turnover of more than $3 million a year) will need to, by law, notify both the privacy commissioner and affected individuals of 'eligible' data breaches.
That's right, the Privacy Amendment (Notifiable Data Breaches) Bill 2016, AKA Mandatory Data Breach Notification finally passed the senate yesterday, and will be in place within the next 12 months.
State government organisations, local councils and businesses with a turnover less than $3 million a year aren't considered 'eligible' and won't be beholden to the new law.
The definition of an "eligible data breach" under the new law is:
- If there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Individuals will have to be notified if:
- The entity has reasonable grounds to believe that an eligible data breach has happened; or
- It is directed to do so by the Commissioner.
Full details of the legislation can be found here.
Under the act, when the organisation is aware of the breach, it will need to prepare a statement.
The entity must:
- prepare a statement
- give a copy of the statement to the Commissioner, and
- do so as soon as practicable after the entity becomes so aware
The statement will need to include:
- the identity and contact details of the entity; and
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened; and
- the kind or kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.
If these steps are not followed, fines of $360,000 for individuals and $1.8 million apply, according to ITNews.
The exact date the law will come into effect is not detailed as yet, but it will be within the next 12 months.