Federal Register of Legislation - Australian Government

Primary content

A Bill for an Act to amend the Privacy Act 1988 to require organisations and agencies to notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person, and for related purposes
For authoritative information on the progress of bills and on amendments proposed to them, please see the House of Representatives Votes and Proceedings, and the Journals of the Senate as available on the Parliament House website.
Registered 15 Feb 2008
Introduced Senate 16 Aug 2007



Privacy (Data Security Breach Notification) Amendment Bill 2007

Explanatory Memorandum


Circulated with authority by Senator Natasha Stott Despoja

This Bill would require organisations and Commonwealth Government agencies to notify affected individuals of a data security breach involving their personal information. Organisation is specified in section 6C of the Privacy Act 1988 to mean an individual, body corporate, partnership, any other incorporated association or trust that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.

Policy rationale

Organisations and government agencies have statutory obligations to maintain the security of personal information. Even the most security conscious organisation or agency can become the victim of information theft. However, existing privacy laws do not specifically require an organisation or Government agency to notify affected individuals if the personal information in their control is disclosed to an unauthorised person.


Over recent years, media reporting has highlighted growing concerns among the public about increased losses, infiltrations and unauthorised disclosures of personal information held by various organisations and agencies. The Sydney Morning Herald reported in an article titled 'A sensitive issue', the results of research conducted by the IT Policy Compliance Group, which showed that more than two-thirds of Australian organisations experience six losses of sensitive data each year.  Further, the report stated one in five organisations lose sensitive data 22 or more times a year. These breaches reportedly include customer, financial, corporate employee and IT security data, which is stolen, leaked or destroyed. In May 2006 an Australian Computer Crime and Security Survey reported that in Australia the average annual losses from electronic attacks, computer crime, and computer access misuse or abuse rose 63 per cent over a 12 month period, reaching AUD$241,150 per organisation in 2006.


The data security breaches are occurring at a time when the Government is considering several proposals to rationalise, centralise and streamline many government services and databases, including the billion dollar Access Card project. This activity is creating several databases that contain delicate personal information, which is a target for criminals. Such large databases also have the potential to magnify the data breaches and harm, which can be suffered by individuals where there are security breaches. There have also been several high profile reports of Commonwealth employees losing personal information including a senior officer leaving a compact disc containing the report into the death of Private Jake Kovko at Melbourne airport, where it was found and handed to broadcaster Derryn Hinch.


These reports of data security breaches and losses of personal information have coincided with an increase in identity theft, which has implications for affected persons' finances, harassment by debt collectors, credit denials and law enforcement scrutiny for crimes committed by another individual. The incidence and severity of identity theft can be ameliorated through greater awareness and pre-warning when sensitive information is obtained by or disclosed to an unauthorised party.


Data security breaches are a product of globalisation, technological change and increasing use of the internet for communication and electronic media for information storage. Use of electronic data is increasingly becoming the norm for all sectors of society including schools, hospitals, government agencies, private sector organisations and charities. Consequently, data security breaches are a global problem affecting all aspects of society that pose implications for privacy but also impose additional costs on consumers and industry. For example, the US Federal Trade Commission claimed that identity-related offences cost US consumers and businesses around US$53 billion in 2002. Over a similar time-frame, estimates of the cost in Australia vary from around $2 billion to $6 billion. The Australian Institute of Criminology estimated the overall cost of fraud in Australia as more than $5 billion per year, almost a third of the $19 billion 'total cost of crime'. Similar problems have been experienced in various parts of the world with a 2006 study highlighting that 94 per cent of European Union companies experienced a data security breach in the preceding three years.

However, many overseas governments have responded by implementing legislative requirements for organisations and agencies to notify affected persons of data security breaches regarding their personal information. Such requirements are common in the United States and the European Commission is expected to pass the European Directive on Data Protection later in 2007 to impose similar obligations.


In order to give individuals more control over their personal information and to satisfy public expectations, Parliament must legislate to require Commonwealth agencies and organisations to tell individuals when their personal information has been compromised, so that they can take steps themselves to remedy the effects of the breach. Measures can be implemented to lessen the impact of identity theft, but only if persons are aware of the loss of their information. Such notification requirements could also facilitate greater awareness of data security breach issues and improve security practices, as has occurred in other countries.

The object of this Bill is to amend the Privacy Act 1988 to provide a procedure for the notification of a breach of security involving personal or health information where an organisation or agency discovers a data security breach.

Provisions of the Bill

Notes on clauses

Clause 1 – Short title

1. This clause is a formal provision that would provide for the Act to be cited as the Data Security Breach Notification Act 2007.

Clause 2 – Commencement

2. This clause would provide that the Act come into operation on the day after the day it receives Royal Assent.

Clause 3 – Object of Act

3. This clause would set out the broad policy aims of the amendments contained in the Act. The main object of the Act would be to require organisations and Commonwealth Government agencies to notify affected individuals of a data security breach involving their personal information.

Schedule 1—Amendment of the Privacy Act 1988

This schedule provides for amendments to the Privacy Act 1988.

Item 1 – Subsection 6(1)

Item 1 would insert additional definitions in subsection 6(1) of the Privacy Act 1988:

·         breach of data security; and

·         unauthorised party.

The definition of a breach of data security would clarify that this is an aspect of the broader issue of interferences with privacy, which is outlined in Division 1.

Item 2 – After section 13A, Insert 13AB Notification to a person of a breach of their data security

Item 2 provides the principal operational provisions of the bill, notably stipulating the requirement that notification be made to affected persons of any disclosure of their personal information to an unauthorised party. Affected persons are those whose personal information is the subject of a data security breach.

Breaches of data security can arise where an organisation or agency loses personal information or where there has been unauthorised access to individuals' personal information.

This notification requirement would be to ensure that, as far as practicable and appropriate, organisations and agencies are open, responsible and transparent in their information handling practices. It would stem from National Privacy Principle 4 (Data security), which requires organisations to take reasonable steps to safeguard individuals' personal information held by them. It also would be drawn from Information Privacy Principle 4 (Storage and security of personal information), which provides similar requirements for Commonwealth agencies.

The requirement would create an incentive for organisations to invest in security. It would also promote the responsible and transparent handling of personal information. By making individuals aware of the circumstances surrounding a data security breach involving their personal information, the affected individuals are then able to take steps to minimise harm such as cancelling credit cards, alerting credit reporting agencies, changing contact details, upgrading security measures or contacting law enforcement agencies.


Subsection (1) would contain the principal notification requirement, notably obligating organisations and agencies to notify individuals of any breach of data security involving that individual’s personal information following the discovery of the breach.


Subsection (2) would require that notification be made as soon as possible and that, in recognition of the responsibility of the holding organisation or agency for the security of the information, any administrative costs incurred should not be transferred to the affected person. In some cases, an organisation or agency may suspect but be unable to confirm that a data security breach has taken place. In such circumstances, the affected person should be notified of the possibility to ensure that they have sufficient notice and warning to take necessary security precautions, considering the potentially significant consequences of identity theft. This simply imposes the same requirements for caution and vigilance on organisations or agencies holding other people's personal information that is exercised by the persons themselves in protecting their information and responding to potential losses of that information.


Subsection (3) would provide an accountability and tracking measure designed to protect both the organisation or agency holding the information and the person whose information was disclosed to an unauthorised party. This would allow verification that reasonable efforts have been made to achieve compliance with the obligations under the bill. Notification could be via a variety of communication methods, noting that organisations and agencies may possess only certain contact details for affected persons. However, there should be an emphasis on providing verifiable written communication where possible. Also, there should be sensitivity to the possibilities that a data security breach could be compounded or notification may not be received if out-of-date contact details are used or unsecured methods employed.


Subsection (4) would provide the requirement for cooperation by organisations and agencies holding personal information about affected persons. This subsection would ensure that organisations and agencies entrusted with personal information provide sufficient cooperation to exercise the duty of care for holding such data and allow affected persons to take appropriate self-protection measures.  However, such cooperation must ensure that the privacy rights of unauthorised parties are also respected.