With many Australian organisations still coming to grips with recent changes to their privacy laws, legislation to mandate notification of privacy breaches is back on the agenda. Amongst other aspects, the recent changes introduced significant fines and increased the scope for liability if personal information is exported. This has forced organisations to review their privacy policies, internal processes and their contractual relationships with those with whom they share personal information.
The changes, which will likely receive bipartisan support, mandate the reporting of privacy breaches to the Office of the Australian Information Commissioner (OAIC) if there is a “real risk of serious harm” to the affected individuals. A notification to the OAIC will need to include various details regarding the privacy breach, such as the personal information that was accessed and the steps that individuals should take in response to the breach. In addition, in some circumstances it will be necessary to notify the affected individuals or publish public notices. Obviously, such notifications could cause significant commercial and reputational damage.
When these changes might become law is uncertain at present, but it is possible that they will be in force in the current year.