We’d not be the first to observe that contemporary society is characterised both by extreme sensitivity to the release of personal information and wild over-sharing of information about ourselves.
At the sensitive end, the government has released a discussion paper and draft legislation relating to the situations in which it would become mandatory for government agencies and for private organisations that are subject to the Privacy Act to notify individuals that the privacy of their personal information has been breached.
Mandatory notification – both to the Office of the Australian Information Commissioner (OAIC) and to the affected individuals – would not be required in every situation in which there is a breach of security, but would apply if (for example) the breach was a “serious data breach” that put an individual to whom the data relates “at real risk of serious harm”.
The draft bill proposes identifying matters that entities would take into account when assessing if a “real risk of serious harm” exists:
- the kind of information that has been accessed or released;
- the sensitivity of that information;
- whether the information is in a form that is intelligible to an ordinary person (or might be converted into such a form);
- whether the information was protected by security measures;
- who has accessed (or might access) the information;
- the nature of the harm that would result from the breach; and
- steps taken to mitigate the harm.
Any other relevant matters could also be taken into account.
One suspects that, at least until the courts consider the legislation or the OAIC begins to publish guidance, views may differ widely as to how serious the harm has to be before it is “serious” for the purposes of the legislation.
The draft bill follows the government’s commitment to introduce a mandatory data breach notification scheme and to consult on draft legislation in response to the February 2015 inquiry by the Parliamentary Joint Committee on Intelligence and Security into another bill (relating to data retention).
The discussion paper notes that mandatory data breach notification laws apply in the EU (including the UK) and forty-seven US states. Canada has a mandatory data breach notification law that is yet to commence, while NZ and the US at the federal level have announced their intention to introduce such laws.
Further information (and access to the discussion paper, the draft legislation, the explanatory memorandum and the regulatory impact statement) is available at:
Submissions to the government on the draft bill are requested by 4 March 2016.
If you have concerns about how the proposed legislation might impact on you or your organisation, or if you would like assistance in drafting a submission, contact Adam Simpson or Ian McDonald at Simpsons Solicitors.