Federal Register of Legislation - Australian Government

A Bill for an Act to amend the Privacy Act 1988 to require organisations and agencies to notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person, and for related purposes
Registered 23 Aug 2007
Introduced Senate 16 Aug 2007

2004‑2005‑2006‑2007

The Parliament of the

Commonwealth of Australia

THE SENATE

Presented and read a first time

Privacy (Data Security Breach Notification) Amendment Bill 2007

No.      , 2007

(Senator Stott Despoja)

Contents

1  Short title
2  Commencement
3  Object of Act
Schedule 1—Amendment of the Privacy Act 1988

A Bill for an Act to amend the Privacy Act 1988 to require organisations and agencies to notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person, and for related purposes

The Parliament of Australia enacts:

1  Short title

                   This Act may be cited as the Privacy (Data Security Breach Notification) Amendment Act 2007.

2  Commencement

                   This Act commences on the day after the day on which it receives the Royal Assent.

3  Object of Act

                   The object of this Act is to require agencies and organisations to notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person.

Schedule 1—Amendment of the Privacy Act 1988

1  Subsection 6(1)

Insert:

breach of data security or data security breach means interference with privacy in accordance with section 13, including any unauthorised acquisition, transmission, disclosure or use of personal information involving an unauthorised party.

unauthorised party means:

                     (a)  a person, agency or organisation that is not employed or contracted by the agency or organisation that is authorised to hold, disclose or use the personal information in accordance with the Information Privacy Principles in Division 2 of Part III;

                     (b)  an employee of the agency or organisation who:

                              (i)  exceeds his or her authority to access personal information; or

                             (ii)  uses the information for purposes unrelated to his or her professional duties, or outside the scope of authorised use under the Information Privacy Principles.

2  After section 13A

Insert:

13AB  Notification to a person of a breach of their data security

             (1)  An agency or organisation that holds personal information shall notify any person, in accordance with subsections (2) and (3), when there has been a confirmed or reasonably suspected breach of data security involving that person’s personal information following the discovery of the breach.

             (2)  The notification of the data security breach shall be made as soon as possible following detection, and at no cost to the person.

             (3)  The agency or organisation responsible for disclosing personal information shall maintain a register of notifications made and attempted in accordance with subsections (1) and (2), and of actions taken as required under subsection (4).

             (4)  The agency or organisation responsible for the data security breach is to co‑operate with the person, without infringing the Information Privacy Principles in relation to unauthorised parties, including:

                     (a)  by providing copies of the information disclosed or suspected of having been disclosed;

                     (b)  by providing a description of the data security breach;

                     (c)  by advising of known or likely recipients of the information disclosed;

                     (d)  the action taken by the agency or organisation to recover or attempt to recover the information disclosed;

                     (e)  notification of any measures taken to prevent a re‑occurrence of the breach.