On Monday 13 February, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed the Senate with support from both sides of the aisle. It will shortly be sent to the Governor-General for Assent, the final formality before the Bill becomes law; the new scheme is expected to commence within the following 12 months.
Widely known as the Mandatory Reporting Bill, its passage into law will have a direct impact on every business in Australia with an annual turnover above $3m that collects and uses consumer data to generate insights and deliver better products and services to its customers.
The new law requires organisations to notify affected customers and individuals when they suspect that a data breach has occurred and there is a real risk of serious harm to the individual as a result of the breach.
The legislation will pose challenges for many organisations, as it defines neither the term ‘suspect’ nor when there is a ‘real risk of serious harm’.
There is an exemption for organisations that take remedial action before serious harm has occurred: in that case, notification is not required.
With this Bill replacing the current voluntary reporting regime, reporting a data breach becomes compulsory, backed by sizeable fines of up to $360,000 for individuals and $1.8 million for organisations. That makes a compelling case against treating data security as anything less than a serious obligation.
Greater clarity is still required around what the legislation requires of business and when the obligations apply. In the coming weeks, DGA will deliver a number of member tools to help members understand the impact of the legislation. These will include a webinar on 1 March, a new podcast and other supporting materials as we continue to monitor the passage of the Bill into law.
Further, DGA will develop a comprehensive set of guidelines for members, to be published in April 2017.
To discover more about the legislation and requirements, watch our webinar recording from 1 March here.