CHAPTER 1

INTRODUCTION

1.1        On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (Bill) was introduced into the House of Representatives by the Attorney‑General, the Hon. Mark Dreyfus QC MP.[1] On 17 June 2013, the Bill was introduced into the Senate and was referred on 18 June 2013 to the Legal and Constitutional Affairs Legislation Committee (committee) for inquiry and report by 24 June 2013.[2]

Background to the Bill

1.2        In his second reading speech, the Attorney-General described the Bill as 'the next key step in the government's major reform of Australia's privacy laws' and a 'long overdue measure' recommended by the Australian Law Reform Commission (ALRC) in its 2008 report, For Your Information: Australian Privacy Law and Practice.[3] That recommendation reads:

Recommendation 51-1 The Privacy Act should be amended to include a new Part on data breach notification, to provide as follows:

(a) An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

(b) The definition of 'specified personal information' should include both personal information and sensitive personal information, such as information that combines a person's name and address with a unique identifier, such as a Medicare or account number.

(c) In determining whether the acquisition may give rise to a real risk of serious harm to any affected individual, the following factors should be taken into account:

(i) whether the personal information was encrypted adequately; and

(ii) whether the personal information was acquired in good faith by an employee or agent of the agency or organisation where the agency or organisation was otherwise acting for a purpose permitted by the Privacy Act (provided that the personal information is not used or subject to further unauthorised disclosure).

(d) An agency or organisation is not required to notify an affected individual where the Privacy Commissioner considers that notification would not be in the public interest or in the interests of the affected individual.

(e) Failure to notify the Privacy Commissioner of a data breach as required by the Act may attract a civil penalty.[4]

Purpose of the Bill

1.3        The Bill seeks to amend the Privacy Act 1988 (Cth) (Privacy Act), as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), to introduce mandatory data breach notification provisions for Commonwealth government agencies and certain private sector organisations (defined as 'APP entities' in the Privacy Act).[5]

1.4        The Explanatory Memorandum (EM) explains that a mandatory data breach notification is a legal requirement to notify affected persons and the relevant regulator, in this case the Australian Information Commissioner (Commissioner),[6] when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons.[7]  

1.5        The Attorney-General summarised the Bill's intended effect:

It will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices.[8]

Structure and key provisions of the Bill

1.6        The Bill will amend the Privacy Act by inserting new Part IIIC – Data breach notification into the Act (item 4 of Schedule 1). The new Part IIIC contains the substantive elements of the proposed mandatory data breach notification provisions, which are set out in two Divisions:

1.7        The Bill also provides that an entity which fails to comply with its notification obligations will have interfered with the privacy of an individual (item 3 of Schedule 1).

Conduct of the inquiry

1.8        Details of the inquiry, including links to the Bill and associated documents, were placed on the committee's website at www.aph.gov.au/senate_legalcon. The committee also wrote to 44 organisations and individuals, inviting submissions by 20 June 2013.

1.9        The committee received 21 submissions, which are listed at Appendix 1. All submissions were published on the committee's website. The committee thanks those organisations and individuals who made submissions. No public hearings were held for the inquiry.
