Mandatory reporting of data breaches is a step closer after the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed the House of Representatives on Tuesday evening.
The bill would make it law for public and private entities to report any data breaches to the Office of the Australian Information Commissioner, if the breach is ‘likely to result in serious harm’.
The Australian Computer Society (ACS) welcomed the bill, saying that in the era of big data, the protection of personal information must be a primary consideration, not an afterthought.
"Given the growing problem of cyber crime, the ACS strongly supports initiatives which demand both the public and private sectors act to prevent cyber threats and address their consequences," said President Anthony Wong.
"Once passed, this legislation will be a critical step forward in the elevation of data protection and cybersecurity issues on the C-suite agenda."
The ACS released its report ‘Cybersecurity – Threats, Challenges, Opportunities’ last November.
The Hon Mark Dreyfus QC MP, Deputy Manager of Opposition Business, said companies will no longer be allowed to hide breaches where sensitive information -- such as credit card or Medicare numbers -- has been accessed, in order to protect their reputation.
“Corporations, or indeed, public service departments, must not be allowed to delay reporting of a serious breach of personal data because of the fear of the damage it might cause to the reputation of the company or organisation,” he said.
Rebekha Sharkie MP, of the Nick Xenophon Team, said the bill is important because it “contributes to increased accountability and transparency,” highlighting the case of the Australian Red Cross Blood Service which was breached in 2016, affecting 550,000 donors. “The Red Cross acted appropriately under the current voluntary code; it informed individuals and set up an information site.”
However, not all companies are as open with their breaches of customer information. “A prime example is the Catch of the Day case, where personal data of some or all of its two million customers was hacked and stolen in 2011, but the customers were not told until 2014,” said Dreyfus. “This, rightly, caused outrage when it came to light.”
This would become even more important with the “worrying trend” of the government outsourcing the handling of personal data from the public sector to the private sector, he added.
Last November, the Hon Dan Tehan MP, the minister assisting the Prime Minister for Cyber Security, said that business and government need to work together, sharing information about breaches, and staying as informed as possible.
“One of the things that Government wants to do is lead when it comes to transparency in this area, and we think that if we can do that, that hopefully will lead to business doing the same,” he said.
“What we have to do, where it is safe and secure to do so, is encourage business and encourage individuals to be prepared to come out and say, okay, this is what has happened to me.”
Sharkie said that members of the public must be advised when there is a privacy breach involving their personal data so that they can assess what action they need to take to minimise harm to themselves.
“When individuals provide data to companies, they expect those companies to protect the privacy of that data,” she said.
The bill is still to pass the Senate. This is expected to happen within weeks.
UPDATE 14/02/2017: This bill was passed in the Senate on 13 February 2017.