Updated: Draft proposal for mandatory data breach notifications up for consultation

Government releases draft and discussion paper on Privacy Amendment (Notification of Serious Data Breaches) Bill 2015

The Australian Government has released a new draft of its mandatory serious data breach notification bill for public consultation. And it’s already raising concerns for one industry association, which claims the legislation could actually harm consumers in the long run.

The Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 would make it mandatory for Australian organisations to notify data breaches that create a ‘real risk of serious harm’ to affected individuals.

At present, Australian organisations are expected to take reasonable steps to secure the personal information they hold under the Australian Privacy Principles (APPs), but there is no legal requirement to notify individuals, the wider industry or the community following a data breach. The APPs apply to Australian Government agencies and to private-sector organisations with more than $3 million in annual turnover, with a limited number of exceptions.

In addition, a voluntary data breach reporting scheme is overseen by the Office of the Australian Information Commissioner (OAIC). This asks organisations to describe the nature of a breach, the steps taken to contain it, the measures taken to mitigate harm to affected individuals, and how security practices will be improved in future.

However, the OAIC currently cannot enforce data breach reporting or impose fines on those organisations that don’t report such a breach. A previous bill proposed in 2013 to make data breach reporting mandatory also failed to pass.

Under the newly proposed scheme, organisations would be required to notify the Australian Information Commissioner and affected individuals following a ‘serious data breach’. The scheme covers data about individuals such as personal information, credit reporting information, credit eligibility information and tax file number information. Where practicable, notification would have to be made through the channels the organisation normally uses to communicate with the individual, such as email, post and phone.

A serious data breach would occur where personal information is subject to unauthorised access or disclosure, or is lost in circumstances likely to lead to unauthorised access or disclosure, and this puts individuals at a real risk of serious harm, such as physical, psychological or financial harm.

The latest mandatory breach reporting draft has raised concerns at the Association for Data-driven Marketing and Advertising (ADMA), which continues to advocate self-regulation and existing policies over introducing mandatory ones.

The association’s director of legal and regulatory affairs, Jeanette Scott, told CMO mandatory reporting will impact every marketing department, and could ultimately end up hurting consumers.

While the latest version of the proposed bill includes a better outline of what ‘serious harm’ actually means, Scott suggested the definition remained vague and could lead to organisations over-reporting data breaches to compensate for nervousness about risk. This could, in turn, increase costs to businesses, ultimately borne by the consumer, along with adding regulatory burden, she said.

Without a clear definition of ‘serious harm’, and with the over-reporting that would follow, Scott also argued messaging to consumers could become white noise and lose impact.

“Consumers could start ignoring these messages, which are designed to be sent to consumers to give them a chance to mitigate any risk that may have been posed to them. If those messages don’t have cut-through, then potentially you’re going to increase the risk to consumers, rather than reduce it,” she said.

“Ultimately, it’s the consumer who is going to suffer from this.”

According to Scott, the industry has a working program in the OAIC’s guidelines on breach reporting. In addition, the Privacy Laws introduced last year have raised awareness of the obligation to be vigilant around customer data, she said.

According to the OAIC, 110 voluntary data breach notifications were reported in 2014-2015, up from 67 notifications in 2013-2014 and 61 in 2012-2013.

“We have asked the government to explain why they feel they need to put this bill out and what is the urgency and impetus for this,” Scott said. “It seems ironic that a government with an agenda to reduce red tape and increase productivity is looking to introduce a piece of legislation in a regime that already seems to be working.

“Reputation is a key driver behind compliant behaviour: Businesses understand it’s their brand that’s at stake, and we have seen really compliant behaviour in businesses, in that they’re going out to the regulator and consumers when these breaches occur.”

For director of legal and regulatory affairs for the Interactive Advertising Bureau (IAB) Australia, Daad Soufi, the problem with the new mandatory data breach reporting is it's too generic in focus and implementation.

"It has already been accepted by the Australian Law Reform Commission, and the previous government, that data protection laws require flexibility given that we have principles-based legislation," he commented. "This policy should therefore thread into the mandatory breach reporting dialogue, rather than taking the more blanket-style approach currently articulated in the proposed draft legislation.

"We cannot lose sight of the fact that the digital industry has a diverse range of participants with differing 'nature, scale and complexity' and we need to work with industry in such a way that we reach a commercial and practicable outcome that is consistent with the APPs while protecting core personal information."

Soufi and the IAB also prefer self-regulation, supported by the voluntary data breach reporting guidelines issued by the Privacy Commissioner. The association will now work with the Government on taking a deeper look at which core pieces of information require protection.

"These insights will provide a framework to work together to define the self-regulatory, commercial and practical measures that will complement the existing data security compliance obligations of APP 11 [Australian Privacy Principle: The need to take reasonable steps to protect personal information from misuse, interference or loss, unauthorised access, modification or disclosure]," Soufi added.

What to do to improve your data breach plans

For those looking to improve their data breach reporting, Scott recommended making the Privacy Commissioner’s current breach notification guidelines part of their internal privacy compliance programs. She also said ADMA will continue to report on the OAIC’s current draft data breach response plan guidance, a companion piece to the guidelines that already exist.

“And make sure you do respond in a timely manner as soon as you think a breach has occurred. The worst thing you can do, as a brand, is try and ignore a potential breach,” she said. “The second you suspect something is afoot, you should be investigating so you can contain the risk and notify those who may be impacted.

“Often the worst reputational harm doesn’t come necessarily from the breach itself, but the way the breach is handled.”

Consultation on the exposure draft of the bill, along with discussion paper and Explanatory Memorandum, will be open until 4 March 2016.

Background to the latest Bill

The recommendation to introduce mandatory reporting was made following a February 2015 inquiry by the Parliamentary Joint Committee on Intelligence and Security into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.

Australia's reformed privacy laws, including the Australian Privacy Principles, took effect in March 2014.

Where an organisation suspects a data breach, the draft bill allows up to 30 days to assess whether notification is required. In addition, where the Commissioner believes a serious data breach has occurred but has not been notified of it, the Commissioner could take further action, including directing the organisation to notify.

Failure to comply with these proposed obligations could result in penalties and infringement notices.

Notably, the draft includes a clause allowing leniency for businesses unable to notify affected individuals because they do not hold contact details, or because the cost of notifying each individual would be excessive in all the circumstances. In these cases, a public notice may need to be published on the entity’s website or via external media channels, the draft states.
