Organisations will face fines of up to $1.8m for failing to comply
Australia will have a mandatory data breach notification scheme in place within 12 months, after a government bill was passed by the Senate this week.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 will make it mandatory for organisations that have been breached or have lost data to report the incident to the Australian Information Commissioner and notify affected customers as soon as they become aware of the incident.
The notification must include a description of the data breach, the kind of information involved, and how customers should respond to the security incident.
Those that fail to comply will face penalties, including fines of $360,000 for individuals and $1.8m for organisations.
The bill applies only to organisations governed by the Privacy Act, meaning state government organisations, local councils, and organisations with an annual turnover of less than $3m are not in scope.
The legislation considers a serious breach to have occurred when there is unauthorised access to, disclosure of, or loss of customer information held by an entity, and that event generates a real risk of serious harm to the individuals involved.
Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.
The government originally committed to introducing and passing legislation for the scheme before the end of 2015, but it wasn’t until December of that year that a draft of a bill was released for public comment.