Commonwealth of Australia Bills



This is a Bill, not an Act. For current law, see the Acts databases.


PRIVACY AMENDMENT (PRIVACY ALERTS) BILL 2014

2013-2014

The Parliament of the Commonwealth of Australia

THE SENATE

Presented and read a first time

Privacy Amendment (Privacy Alerts) Bill 2014

No.      , 2014

(Senator Singh)

A Bill for an Act to amend the Privacy Act 1988 and for related purposes

   

   

 

 

Contents

1  Short title
2  Commencement
3  Schedule(s)

Schedule 1--Amendments
   Privacy Act 1988

A Bill for an Act to amend the Privacy Act 1988 and for related purposes

The Parliament of Australia enacts:

1  Short title

  This Act may be cited as the Privacy Amendment (Privacy Alerts) Act 2014.

2  Commencement

(1)  Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

   

   

 

 

Commencement information

Column 1                            Column 2                                          Column 3
Provision(s)                        Commencement                                      Date/Details

1.  Sections 1 to 3 and anything    The day this Act receives the Royal Assent.
    in this Act not elsewhere
    covered by this table

2.  Schedule 1                      A single day to be fixed by Proclamation.
                                    However, if the provision(s) do not commence
                                    within the period of 6 months beginning on the
                                    day this Act receives the Royal Assent, they
                                    commence on the day after the end of that
                                    period.

Note:  This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2)  Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3  Schedule(s)

  Each Act that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.

Schedule 1--Amendments

Privacy Act 1988

1  Subsection 6(1)

Insert:

serious data breach has the meaning given by section 26X, 26Y, 26Z or 26ZA.

2  Subsection 6(1)

Insert:

significantly affected, in relation to an individual and in relation to a serious data breach, has the meaning given by section 26X, 26Y, 26Z or 26ZA.

3  After subsection 13(4)

Insert:

Data breach notification

(4A)  If an entity (within the meaning of Part IIIC) contravenes section 26ZB or 26ZC, the contravention is taken to be an act that is an interference with the privacy of an individual.

4  After Part IIIB

Insert:

Part IIIC--Data breach notification

Division 1--Serious data breach

26X  Serious data breach--APP entities

Unauthorised access or disclosure of personal information

(1)  For the purposes of this Act, if:
  (a)  an APP entity holds personal information relating to one or more individuals; and
  (b)  the APP entity is required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; and
  (c)  there is unauthorised access to, or unauthorised disclosure of, the personal information; and
  (d)  either:
    (i)  the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates; or
    (ii)  any of the personal information is of a kind specified in the regulations;
then:
  (e)  the access or disclosure is a serious data breach of the APP entity in relation to the personal information; and
  (f)  if subparagraph (d)(i) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and
  (g)  if subparagraph (d)(ii) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is:
    (i)  an individual to whom the personal information relates; and
    (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:  For harm, see section 26ZE.
Note 2:  For real risk, see section 26ZF.

Loss of personal information

(2)  For the purposes of this Act, if:
  (a)  an APP entity holds personal information relating to one or more individuals; and
  (b)  the APP entity is required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; and
  (c)  the personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the personal information may occur; and
  (d)  either:
    (i)  assuming that unauthorised access to, or unauthorised disclosure of, the personal information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates; or
    (ii)  any of the personal information is of a kind specified in the regulations;
then:
  (e)  the loss is a serious data breach of the APP entity in relation to the personal information; and
  (f)  if subparagraph (d)(i) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and
  (g)  if subparagraph (d)(ii) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is:
    (i)  an individual to whom the personal information relates; and
    (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:  For harm, see section 26ZE.
Note 2:  For real risk, see section 26ZF.

Overseas recipients

(3)  If:
  (a)  an APP entity has disclosed personal information about one or more individuals to an overseas recipient; and
  (b)  Australian Privacy Principle 8.1 applied to the disclosure of the personal information; and
  (c)  the overseas recipient holds the personal information;
this section has effect as if:
  (d)  the personal information were held by the APP entity; and
  (e)  the APP entity were required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information.

26Y  Serious data breach--credit reporting bodies

Unauthorised access or disclosure of credit reporting information

(1)  For the purposes of this Act, if:
  (a)  a credit reporting body holds credit reporting information relating to one or more individuals; and
  (b)  the credit reporting body is required to comply with section 20Q in relation to the credit reporting information; and
  (c)  there is unauthorised access to, or unauthorised disclosure of, the credit reporting information; and
  (d)  either:
    (i)  the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit reporting information relates; or
    (ii)  any of the credit reporting information is of a kind specified in the regulations;
then:
  (e)  the access or disclosure is a serious data breach of the credit reporting body in relation to the credit reporting information; and
  (f)  if subparagraph (d)(i) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and
  (g)  if subparagraph (d)(ii) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is:
    (i)  an individual to whom the credit reporting information relates; and
    (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:  For harm, see section 26ZE.
Note 2:  For real risk, see section 26ZF.

Loss of credit reporting information

(2)  For the purposes of this Act, if:
  (a)  a credit reporting body holds credit reporting information relating to one or more individuals; and
  (b)  the credit reporting body is required to comply with section 20Q in relation to the credit reporting information; and
  (c)  the credit reporting information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the credit reporting information may occur; and
  (d)  either:
    (i)  assuming that unauthorised access to, or unauthorised disclosure of, the credit reporting information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit reporting information relates; or
    (ii)  any of the credit reporting information is of a kind specified in the regulations;
then:
  (e)  the loss is a serious data breach of the credit reporting body in relation to the credit reporting information; and
  (f)  if subparagraph (d)(i) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and
  (g)  if subparagraph (d)(ii) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is:
    (i)  an individual to whom the credit reporting information relates; and
    (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:  For harm, see section 26ZE.
Note 2:  For real risk, see section 26ZF.

 

26Z  Serious data breach--credit providers

Unauthorised access or disclosure of credit eligibility information

(1)  For the purposes of this Act, if:
  (a)  a credit provider holds credit eligibility information relating to one or more individuals; and
  (b)  the credit provider is required to comply with subsection 21S(1) in relation to the credit eligibility information; and
  (c)  there is unauthorised access to, or unauthorised disclosure of, the credit eligibility information; and
  (d)  either:
    (i)  the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit eligibility information relates; or
    (ii)  any of the credit eligibility information is of a kind specified in the regulations;
then:
  (e)  the access or disclosure is a serious data breach of the credit provider in relation to the credit eligibility information; and
  (f)  if subparagraph (d)(i) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and
  (g)  if subparagraph (d)(ii) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is:
    (i)  an individual to whom the credit eligibility information relates; and
    (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:  For harm, see section 26ZE.
Note 2:  For real risk, see section 26ZF.

Loss of credit eligibility information

(2)  For the purposes of this Act, if:
  (a)  a credit provider holds credit eligibility information relating to one or more individuals; and
  (b)  the credit provider is required to comply with subsection 21S(1) in relation to the credit eligibility information; and
  (c)  the credit eligibility information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the credit eligibility information may occur; and
  (d)  either:
    (i)  assuming that unauthorised access to, or unauthorised disclosure of, the credit eligibility information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit eligibility information relates; or
    (ii)  any of the credit eligibility information is of a kind specified in the regulations;
then:
  (e)  the loss is a serious data breach of the credit provider in relation to the credit eligibility information; and
  (f)  if subparagraph (d)(i) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and
  (g)  if subparagraph (d)(ii) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is:
    (i)  an individual to whom the credit eligibility information relates; and
    (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:  For harm, see section 26ZE.
Note 2:  For real risk, see section 26ZF.

Bodies or persons with no Australian link

(3)  If:
  (a)  either:
    (i)  a credit provider has disclosed, under paragraph 21G(3)(b) or (c), credit eligibility information about one or more individuals to a related body corporate, or person, that does not have an Australian link; or
    (ii)  a credit provider has disclosed, under subsection 21M(1), credit eligibility information about one or more individuals to a body or person that does not have an Australian link; and
  (b)  the related body corporate, body or person holds the credit eligibility information;
this section has effect as if:
  (c)  the credit eligibility information were held by the credit provider; and
  (d)  the credit provider were required to comply with subsection 21S(1) in relation to the credit eligibility information.

Note:  See section 21NA.

26ZA  Serious data breach--file number recipients

Unauthorised access or disclosure of tax file number information

(1)  For the purposes of this Act, if:
  (a)  a file number recipient holds tax file number information relating to one or more individuals; and
  (b)  the file number recipient is required under section 18 not to do an act, or engage in a practice, that breaches a section 17 rule that relates to the tax file number information; and
  (c)  there is unauthorised access to, or unauthorised disclosure of, the tax file number information; and
  (d)  either:
    (i)  the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the tax file number information relates; or
    (ii)  any of the tax file number information is of a kind specified in the regulations;
then:
  (e)  the access or disclosure is a serious data breach of the file number recipient in relation to the tax file number information; and
  (f)  if subparagraph (d)(i) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and
  (g)  if subparagraph (d)(ii) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is:
    (i)  an individual to whom the tax file number information relates; and
    (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:  For harm, see section 26ZE.
Note 2:  For real risk, see section 26ZF.

Loss of tax file number information

(2)  For the purposes of this Act, if:
  (a)  a file number recipient holds tax file number information relating to one or more individuals; and
  (b)  the file number recipient is required under section 18 not to do an act, or engage in a practice, that breaches a section 17 rule that relates to the tax file number information; and
  (c)  the tax file number information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the tax file number information may occur; and
  (d)  either:
    (i)  assuming that unauthorised access to, or unauthorised disclosure of, the tax file number information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the tax file number information relates; or
    (ii)  any of the tax file number information is of a kind specified in the regulations;
then:
  (e)  the loss is a serious data breach of the file number recipient in relation to the tax file number information; and
  (f)  if subparagraph (d)(i) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and
  (g)  if subparagraph (d)(ii) applies--an individual is significantly affected by the serious data breach if, and only if, the individual is:
    (i)  an individual to whom the tax file number information relates; and
    (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:  For harm, see section 26ZE.
Note 2:  For real risk, see section 26ZF.

Division 2--Notifying serious data breaches

26ZB  Entity must notify serious data breach

(1)  If an entity believes on reasonable grounds that there has been a serious data breach of the entity in relation to:
  (a)  personal information; or
  (b)  credit reporting information; or
  (c)  credit eligibility information; or
  (d)  tax file number information;
the entity must, as soon as practicable after forming that belief:
  (e)  prepare a statement that complies with subsection (2); and
  (f)  give a copy of the statement to the Commissioner; and
  (g)  if the general publication conditions are not satisfied--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals significantly affected by the serious data breach that the entity believes has happened; and
  (h)  if the general publication conditions are satisfied:
    (i)  publish a copy of the statement on the entity's website (if any); and
    (ii)  cause a copy of the statement to be published in each State by being published in at least one newspaper circulating generally in that State.

Note:  For general publication conditions, see subsection (12).

(2)  The statement referred to in paragraph (1)(e) must set out:
  (a)  the identity and contact details of the entity; and
  (b)  a description of the serious data breach that the entity believes has happened; and
  (c)  the kinds of information concerned; and
  (d)  recommendations about the steps that individuals should take in response to the serious data breach that the entity believes has happened; and
  (e)  such other information (if any) as specified in the regulations.

Method of providing the statement to an individual

(3)  If the entity normally communicates with an individual using a particular method, the notification to the individual under paragraph (1)(g) may use that method. This subsection does not limit paragraph (1)(g).

Exception--enforcement related activities

(4)  Paragraphs (1)(g) and (h) do not apply if:
  (a)  the entity is an enforcement body; and
  (b)  the enforcement body believes on reasonable grounds that compliance with those paragraphs would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body.

Exception--Commissioner's notice

(5)  The Commissioner may, by written notice given to an entity, exempt the entity from subsection (1) in such circumstances as are specified in the notice.

(6)  The Commissioner must not give a notice under subsection (5) unless the Commissioner is satisfied that it is in the public interest to do so.

(7)  The Commissioner may give a notice under subsection (5) to an entity:
  (a)  on the Commissioner's own initiative; or
  (b)  on application made to the Commissioner by the entity.

(8)  If:
  (a)  an entity applies to the Commissioner under paragraph (7)(b); and
  (b)  the Commissioner decides to refuse the application;
the Commissioner must give written notice of the refusal to the entity.

(9)  If:
  (a)  an entity forms a belief about a serious data breach as mentioned in subsection (1); and
  (b)  as soon as practicable after forming that belief, the entity applies to the Commissioner for a notice under subsection (5) in relation to the serious data breach;
then:
  (c)  subsection (1) does not apply to the entity in relation to the serious data breach during the period:
    (i)  beginning when the entity formed the belief; and
    (ii)  ending when the Commissioner makes a decision in relation to the application for the notice; and
  (d)  if the Commissioner makes a decision to refuse to give the notice--subsection (1) has effect as if the entity had formed the belief when the Commissioner made the decision.

Exception--inconsistency with secrecy provisions

(10)  If compliance by an entity with paragraph (1)(f), (g) or (h) would, to any extent, be inconsistent with a provision of a law of the Commonwealth (other than a provision of this Act) that prohibits or regulates the use or disclosure of information, subsection (1) does not apply to the entity to the extent of the inconsistency.

Exception--data breach notified under the Personally Controlled Electronic Health Records Act 2012

(11)  Subsection (1) does not apply to a serious data breach if the breach has been notified under section 75 of the Personally Controlled Electronic Health Records Act 2012.

General publication conditions

(12)  The regulations may declare that one or more specified conditions are general publication conditions for the purposes of this section.

26ZC  Commissioner may direct entity to notify serious data breach

(1)  If the Commissioner believes on reasonable grounds that there has been a serious data breach of an entity in relation to:
  (a)  personal information; or
  (b)  credit reporting information; or
  (c)  credit eligibility information; or
  (d)  tax file number information;
the Commissioner may, by written notice given to the entity, direct the entity to:
  (e)  prepare a statement that complies with subsection (2); and
  (f)  give a copy of the statement to the Commissioner; and
  (g)  if the general publication conditions are not satisfied--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals significantly affected by the serious data breach that the Commissioner believes has happened; and
  (h)  if the general publication conditions are satisfied:
    (i)  publish a copy of the statement on the entity's website (if any); and
    (ii)  cause a copy of the statement to be published in each State by being published in at least one newspaper circulating generally in that State.

Note:  For general publication conditions, see subsection (8).

(2)  The statement referred to in paragraph (1)(e) must set out:
  (a)  the identity and contact details of the entity; and
  (b)  a description of the serious data breach that the Commissioner believes has happened; and
  (c)  the kinds of information concerned; and
  (d)  recommendations about the steps that individuals should take in response to the serious data breach that the Commissioner believes has happened; and
  (e)  such other information (if any) as specified in the regulations.

Method of providing the statement to an individual

(3)  If the entity normally communicates with an individual using a particular method, the notification to the individual mentioned in paragraph (1)(g) may use that method. This subsection does not limit paragraph (1)(g).

Compliance with direction

(4)  An entity must comply with a direction under subsection (1) as soon as practicable after the direction is given.

Exception--enforcement related activities

(5)  The Commissioner must not give a direction under subsection (1) to an entity if:
  (a)  the entity is an enforcement body; and
  (b)  the chief executive officer of the enforcement body has given the Commissioner a certificate stating that the enforcement body believes on reasonable grounds that compliance with the direction would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body.

Exception--inconsistency with secrecy provisions

(6)  If compliance by an entity with so much of a direction under subsection (1) as is covered by paragraph (1)(f), (g) or (h) would, to any extent, be inconsistent with a provision of a law of the Commonwealth (other than a provision of this Act) that prohibits or regulates the use or disclosure of information, paragraph (1)(f), (g) or (h), as the case may be, does not apply to the entity to the extent of the inconsistency.

Exception--data breach notified under the Personally Controlled Electronic Health Records Act 2012

(7)  The Commissioner must not give a direction under subsection (1) in relation to a serious data breach if the breach has been notified under section 75 of the Personally Controlled Electronic Health Records Act 2012.

General publication conditions

(8)  The regulations may declare that one or more specified conditions are general publication conditions for the purposes of this section.

Division 3--General

26ZD  Entity

  For the purposes of this Part, entity includes a person who is a file number recipient.

26ZE  Harm

  For the purposes of this Part, harm includes:
  (a)  harm to reputation; and
  (b)  economic harm; and
  (c)  financial harm.

26ZF  Real risk

  For the purposes of this Part, real risk means a risk that is not a remote risk.

5  After paragraph 96(1)(b)

Insert:
  (ba)  a decision under section 26ZB to refuse to give a notice under subsection 26ZB(5);
  (bb)  a decision under subsection 26ZC(1) to give a direction;

6  Application of amendments--serious data breaches

(1)  Paragraphs 26X(1)(c), 26Y(1)(c), 26Z(1)(c) and 26ZA(1)(c) of the Privacy Act 1988 (as amended by this Schedule) apply to an access or disclosure that happens after the commencement of this item.

(2)  Paragraphs 26X(2)(c), 26Y(2)(c), 26Z(2)(c) and 26ZA(2)(c) of the Privacy Act 1988 (as amended by this Schedule) apply to a loss that happens after the commencement of this item.