CHAPTER 1
INTRODUCTION
1.1
On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (Bill)
was introduced into the House of Representatives by the Attorney-General,
the Hon. Mark Dreyfus QC MP.[1]
On 17 June 2013, the Bill was introduced into the Senate and was referred on 18
June 2013 to the Legal and Constitutional Affairs Legislation Committee
(committee) for inquiry and report by 24 June 2013.[2]
Background to the Bill
1.2
In his second reading speech, the Attorney-General described the Bill as
'the next key step in the government's major reform of Australia's privacy
laws' and a 'long overdue measure' recommended by the Australian Law Reform
Commission (ALRC) in its 2008 report, For Your Information: Australian
Privacy Law and Practice.[3]
That recommendation reads:
Recommendation 51-1 The Privacy Act should be amended
to include a new Part on data breach notification, to provide as follows:
(a) An agency or organisation is required to notify the
Privacy Commissioner and affected individuals when specified personal
information has been, or is reasonably believed to have been, acquired by an
unauthorised person and the agency, organisation or Privacy Commissioner
believes that the unauthorised acquisition may give rise to a real risk of
serious harm to any affected individual.
(b) The definition of 'specified personal information' should
include both personal information and sensitive personal information, such as
information that combines a person's name and address with a unique identifier,
such as a Medicare or account number.
(c) In determining whether the acquisition may give rise to a
real risk of serious harm to any affected individual, the following factors
should be taken into account:
(i) whether the personal
information was encrypted adequately; and
(ii) whether the personal
information was acquired in good faith by an employee or agent of the agency or
organisation where the agency or organisation was otherwise acting for a
purpose permitted by the Privacy Act (provided that the personal information is
not used or subject to further unauthorised disclosure).
(d) An agency or organisation is not required to notify an
affected individual where the Privacy Commissioner considers that notification
would not be in the public interest or in the interests of the affected
individual.
(e) Failure to notify the Privacy Commissioner of a data
breach as required by the Act may attract a civil penalty.[4]
Purpose of the Bill
1.3
The Bill seeks to amend the Privacy Act 1988 (Cth) (Privacy Act),
as amended by the Privacy Amendment (Enhancing Privacy Protection) Act
2012 (Cth), to introduce mandatory data breach notification provisions
for Commonwealth government agencies and certain private sector organisations (defined
as 'APP entities' in the Privacy Act).[5]
1.4
The Explanatory Memorandum (EM) explains that a mandatory data breach
notification is a legal requirement to notify affected persons and the relevant
regulator, in this case the Australian Information Commissioner (Commissioner),[6]
when certain types of personal information are accessed, obtained, used,
disclosed, copied, or modified by unauthorised persons.[7]
1.5
The Attorney-General summarised the Bill's intended effect:
It will introduce a new consumer privacy protection for
Australians that will keep their personal information more secure in the
digital age. It will also encourage agencies and private sector organisations
to improve their data security practices.[8]
Structure and key provisions of the Bill
1.6
The Bill will amend the Privacy Act by inserting new Part IIIC – Data
breach notification into the Act (item 4 of Schedule 1). The new Part IIIC
contains the substantive elements of the proposed mandatory data breach
notification provisions, which are set out in two Divisions:
- Division 1 – Serious data breach sets out the circumstances in
which APP entities, credit reporting bodies, credit providers and file
number recipients will have committed a 'serious data breach';[9]
and
- Division 2 – Notifying serious data breaches sets out the
circumstances in which an entity must notify a 'serious data breach' and to
whom notice must be given, subject to limited exceptions.
1.7
The Bill also provides that an entity which fails to comply with its
notification obligations will have interfered with the privacy of an individual
(item 3 of Schedule 1).
Conduct of the inquiry
1.8
Details of the inquiry, including links to the Bill and associated
documents, were placed on the committee's website at www.aph.gov.au/senate_legalcon.
The committee also wrote to 44 organisations and individuals, inviting
submissions by 20 June 2013.
1.9
The committee received 21 submissions, which are listed at Appendix 1.
All submissions were published on the committee's website. The committee
thanks those organisations and individuals who made submissions. No public
hearings were held for the inquiry.