A bill to be introduced into Federal Parliament to require businesses and government agencies to notify of data breaches affecting individuals’ privacy

May 28, 2013

The Attorney General held a press conference and issued a press release announcing the introduction into the Parliament of legislation requiring mandatory notification of data breaches which affect privacy.

The press release states:



New laws to be introduced in Parliament tomorrow will require businesses and government agencies to notify people when a data breach affecting their privacy occurs.

“With businesses and government agencies holding more information about Australians than ever before, it is essential that privacy is safeguarded,” Attorney-General Mark Dreyfus QC said.

 “The new laws will alert consumers to breaches of their privacy, so that they can change passwords, improve security settings and make other changes as they see fit.”

 Data breaches can be the result of hacking, poor security and sometimes carelessness.  

 “Some data breaches have exposed the personal information of tens of thousands of Australians,” Mr Dreyfus said.

 “The laws are good for consumers because they protect privacy, and are good for business because they will help create openness and trust.”

 The new laws will also require notification of data breaches to the Office of the Australian Information Commissioner.

 “To make sure that the new laws have teeth, the Information Commissioner will be able to direct agencies and business to notify individuals of data breaches,” Mr Dreyfus said.

 “Last year the Government made the biggest changes to the Privacy Act 1988 since it began in 1989.

 “The Government is serious about privacy and these new laws demonstrate our continuing commitment.”

 The laws will apply to all entities covered by the Privacy Act 1988 including many businesses, but they will not impose an unreasonable burden on business.

 The notification requirements do not apply to all data breaches, only breaches that give rise to a risk of serious harm.

 The Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements. 

As always, the devil is in the detail. The press release makes it clear that not all data breaches will be covered, only those that give rise to serious harm (whatever that means).
