“The Bill should be passed rather than rejected, but if passed should be substantially amended to address some of its shortcomings.” - Cyberspace Law and Policy Centre

the Privacy Amendment (Privacy Alerts) Bill 2013 to the House of Representatives. The Bill made it to the Senate, but lapsed at the end of parliament last year, before it was able to receive the Senate’s approval.

On 20 March this year, Labor Senator Lisa Singh reintroduced the Bill to the Senate as the Privacy Amendment (Privacy Alerts) Bill 2014. It may have a different year in its title, but the core text is identical to that of the 2013 Bill.

If you want a full rundown of the Bill, head to www.aph.gov.au, search for “Privacy Amendment (Privacy Alerts) Bill 2014” (without inverted commas), and track down the Bill’s first reading. If you don’t want to wade through 4000+ words of legalese, here’s a summary of what the Bill would mean if passed:

• Agencies or organisations that suffer a serious data breach would have to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).
• Notification would only be required if a breach was “serious”.
• A breach notification would have to include a description of the breach, the kinds of information involved, recommendations about steps that affected individuals should take in response to the breach, and contact details of the breached organisation.
• The commissioner could direct an organisation to provide affected individuals with notification of a data breach.
• Law enforcement agencies could be exempt from notification if they felt it could impede some enforcement related activity.
• The commissioner could excuse an organisation from notification if he/she felt it was in the public interest to do so.
• The commissioner could investigate failures to notify, and such an investigation could lead to compensation payments and enforceable undertakings.
• Serious or repeated non-compliance with notification requirements could lead to a civil penalty being imposed by a court.

Consultation

The 2014 Bill has not had any public consultation. But a Senate Committee did take submissions on the previous incarnation of the Bill - it attracted support from some corners and criticism from a variety of privacy and business groups.

The Consumer Credit Legal Centre (NSW) - a consumer advice and advocacy service specialising in personal credit, debt, banking and insurance law - gave the Bill high praise.

“A mandatory reporting requirement such as the one set out in the Bill would ensure that consumers receive the necessary information about how their personal credit reporting information is being protected. The mandatory notification requirement is long overdue, and represents a significant benefit to consumers. We strongly encourage the Senate Committee to endorse the Bill,” the organisation’s submission read.

The Australian Communications Consumer Action Network (ACCAN) wrote that it “encourages the Senate Committee to endorse the Bill”.

Liberty Victoria, a human rights and civil liberties organisation, wrote, “The purpose of the legislation is commendable” but complained that “a large part of the Bill is dedicated to exceptions, the breadth of which […] Liberty opposes”.

The legislation “exempts enforcement bodies from notifying individuals or publishing serious data breaches if it believes on reasonable grounds that it would prejudice one or more enforcement-related activities conducted by it (or on its behalf). Whilst it is foreseeable that in some limited circumstances enforcement bodies would have need of this, it is also foreseeable that it could be used to avoid disclosing almost any breach by those bodies,” Liberty said.

The Cyberspace Law and Policy Centre, part of the University of New South Wales’ Faculty of Law, wrote that while a mandatory data breach notification scheme is
