New legislation makes it mandatory for Aussie businesses to report data breaches
It awaits the royal nod to become law.
After being debated for years, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 has finally gone through the House of Representatives and has been passed by the Senate, making it legislation. All it needs is the royal sanction to become law.
The bill applies to organisations subject to the Privacy Act, so state governments, local councils and businesses with a turnover of less than $3 million a year are exempt. But other organisations in Australia will be legally obliged to inform the Australian Information Commissioner and affected individuals of any ‘eligible’ data breach.
Organisations will have to report breaches within 30 days, with notifications requiring a full description of the breach along with details on the kind of information accessed and how their customers are to deal with the incident. Failure to comply with the mandatory notification scheme will be “deemed to be an interference with the privacy of an individual” and will incur penalties including fines of up to $360,000 for individuals and $1.8 million for corporates.