2004‑2005‑2006‑2007
The Parliament of the
Commonwealth of Australia
THE SENATE
Presented and read a first time
Privacy (Data Security Breach Notification) Amendment Bill 2007
No. , 2007
(Senator Stott Despoja)
A Bill for an Act to amend the Privacy Act 1988 to require organisations and agencies to notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person, and for related purposes
A Bill for an Act to amend the Privacy Act 1988 to require organisations and agencies to notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person, and for related purposes
The Parliament of Australia enacts:
1 Short title
This Act may be cited as the Privacy (Data Security Breach Notification) Amendment Act 2007.
2 Commencement
This Act commences on the day after the day on which it receives the Royal Assent.
3 Object of Act
The object of this Act is to require agencies and organisations to notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person.
Schedule 1—Amendment of the Privacy Act 1988
1 Subsection 6(1)
Insert:
breach of data security or data security breach means interference with privacy in accordance with section 13, including any unauthorised acquisition, transmission, disclosure or use of personal information involving an unauthorised party.
unauthorised party means:
(a) a person, agency or organisation that is not employed or contracted by the agency or organisation that is authorised to hold, disclose or use the personal information in accordance with the Information Privacy Principles in Division 2 of Part III;
(b) an employee of the agency or organisation who:
(i) exceeds his or her authority to access personal information; or
(ii) uses the information for purposes unrelated to his or her professional duties, or outside the scope of authorised use under the Information Privacy Principles.
2 After section 13A
Insert:
13AB Notification to a person of a breach of their data security
(1) An agency or organisation that holds personal information shall notify any person, in accordance with subsections (2) and (3), when there has been a confirmed or reasonably suspected breach of data security involving that person’s personal information following the discovery of the breach.
(2) The notification of the data security breach shall be made as soon as possible following detection, and at no cost to the person.
(3) The agency or organisation responsible for disclosing personal information shall maintain a register of notifications made and attempted in accordance with subsections (1) and (2), and of actions taken as required under subsection (4).
(4) The agency or organisation responsible for the data security breach is to co‑operate with the person, without infringing the Information Privacy Principles in relation to unauthorised parties, including:
(a) by providing copies of the information disclosed or suspected of having been disclosed;
(b) by providing a description of the data security breach;
(c) by advising of known or likely recipients of the information disclosed;
(d) the action taken by the agency or organisation to recover or attempt to recover the information disclosed;
(e) notification of any measures taken to prevent a re‑occurrence of the breach.