Australian businesses will no longer be allowed to keep quiet when they sustain a data security breach. The new Notifiable Data Breaches Bill, which passed on Monday, will require any organisation that is accountable under the Privacy Act to inform the Information Commissioner and the public if the data it holds becomes compromised.
Most other countries have had the same kind of requirement for years, and Australia will finally be joining the list. However, the changes will not come into effect immediately. It is expected they will do so within a year’s time.
Mike Burgess, an independent data security adviser, thinks the new changes will make organisations put more thought into securing sensitive customer information.
David Tudehope, CEO of Macquarie Telecom Group, believes the new legislation is a big step in the right direction. He said that customers need to be notified when their data may have been lost in a breach. That way, they can undertake their own steps to remedy the situation.
For a breach to qualify under the new requirement, the unauthorised access needs to be likely to result in “serious harm to any of the individuals to whom the information relates”. However, “serious harm” is loosely defined, and Burgess even said the definition could vary between businesses and customers.
In 2015-16, the Australian Information Commissioner received 107 breach notifications that were sent voluntarily. However, the total number of breaches in that year remains unknown, since the organisations were not legally obliged to report them.