This is a Bill, not an Act. For current law, see the Acts databases.

2016
The Parliament of the Commonwealth of Australia
HOUSE OF REPRESENTATIVES
Presented and read a first time

Privacy Amendment (Notifiable Data Breaches) Bill 2016
No. , 2016
(Attorney-General)

A Bill for an Act to amend the Privacy Act 1988, and for related purposes

Contents
1 Short title
2 Commencement
3 Schedules
Schedule 1--Amendments
Privacy Act 1988

A Bill for an Act to amend the Privacy Act 1988, and for related purposes

The Parliament of Australia enacts:
1 Short title

This Act is the Privacy Amendment (Notifiable Data Breaches) Act 2016.

2 Commencement

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1 | Column 2 | Column 3
Provisions | Commencement | Date/Details
1. Sections 1 to 3 and anything in this Act not elsewhere covered by this table | The day this Act receives the Royal Assent. |
2. Schedule 1 | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 12 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. |

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Schedules

Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.
Schedule 1--Amendments

Privacy Act 1988

1 Subsection 6(1)

Insert:

at risk from an eligible data breach has the meaning given by section 26WE.

eligible data breach has the meaning given by Division 2 of Part IIIC.

2 After subsection 13(4)

Insert:

Notification of eligible data breaches etc.

(4A) If an entity (within the meaning of Part IIIC) contravenes subsection 26WH(2), 26WK(2), 26WL(3) or 26WR(10), the contravention is taken to be an act that is an interference with the privacy of an individual.

3 After Part IIIB

Insert:

Part IIIC--Notification of eligible data breaches

Division 1--Introduction

26WA Simplified outline of this Part

• This Part sets up a scheme for notification of eligible data breaches.

• An eligible data breach happens if:
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

• An entity must give a notification if:
(a) it has reasonable grounds to believe that an eligible data breach has happened; or
(b) it is directed to do so by the Commissioner.

26WB Entity

For the purposes of this Part, entity includes a person who is a file number recipient.

26WC Deemed holding of information

Overseas recipients

(1) If:
(a) an APP entity has disclosed personal information about one or more individuals to an overseas recipient; and
(b) Australian Privacy Principle 8.1 applied to the disclosure of the personal information; and
(c) the overseas recipient holds the personal information;
this Part has effect as if:
(d) the personal information were held by the APP entity; and
(e) the APP entity were required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information.

Bodies or persons with no Australian link

(2) If:
(a) either:
(i) a credit provider has disclosed, under paragraph 21G(3)(b) or (c), credit eligibility information about one or more individuals to a related body corporate, or person, that does not have an Australian link; or
(ii) a credit provider has disclosed, under subsection 21M(1), credit eligibility information about one or more individuals to a body or person that does not have an Australian link; and
(b) the related body corporate, body or person holds the credit eligibility information;
this Part has effect as if:
(c) the credit eligibility information were held by the credit provider; and
(d) the credit provider were required to comply with subsection 21S(1) in relation to the credit eligibility information.

Note: See section 21NA.

26WD Exception--notification under the My Health Records Act 2012

If:
(a) an unauthorised access to information; or
(b) an unauthorised disclosure of information; or
(c) a loss of information;
has been, or is required to be, notified under section 75 of the My Health Records Act 2012, this Part does not apply in relation to the access, disclosure or loss.

Division 2--Eligible data breach

26WE Eligible data breach

Scope

(1) This section applies if:
(a) both:
(i) an APP entity holds personal information relating to one or more individuals; and
(ii) the APP entity is required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; or
(b) both:
(i) a credit reporting body holds credit reporting information relating to one or more individuals; and
(ii) the credit reporting body is required to comply with section 20Q in relation to the credit reporting information; or
(c) both:
(i) a credit provider holds credit eligibility information relating to one or more individuals; and
(ii) the credit provider is required to comply with subsection 21S(1) in relation to the credit eligibility information; or
(d) both:
(i) a file number recipient holds tax file number information relating to one or more individuals; and
(ii) the file number recipient is required under section 18 not to do an act, or engage in a practice, that breaches a section 17 rule that relates to the tax file number information.

Eligible data breach

(2) For the purposes of this Act, if:
(a) both of the following conditions are satisfied:
(i) there is unauthorised access to, or unauthorised disclosure of, the information;
(ii) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;
or
(b) the information is lost in circumstances where:
(i) unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
(ii) assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;
then:
(c) the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
(d) an individual covered by subparagraph (a)(ii) or (b)(ii) is at risk from the eligible data breach.

(3) Subsection (2) has effect subject to section 26WF.

26WF Exception--remedial action

Access to, or disclosure of, information

(1) If:
(a) an access to, or disclosure of, information is covered by paragraph 26WE(2)(a); and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to any of the individuals to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals;
the access or disclosure is not, and is taken never to have been:
(e) an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) an eligible data breach of any other entity.

(2) If:
(a) an access to, or disclosure of, information is covered by paragraph 26WE(2)(a); and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to a particular individual to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to the individual;
this Part does not require:
(e) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) any other entity;
to take steps to notify the individual of the contents of a statement that relates to the access or disclosure.

Loss of information

(3) If:
(a) a loss of information is covered by paragraph 26WE(2)(b); and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the loss; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before there is unauthorised access to, or unauthorised disclosure of, the information; and
(d) as a result of the action, there is no unauthorised access to, or unauthorised disclosure of, the information;
the loss is not, and is taken never to have been:
(e) an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) an eligible data breach of any other entity.

(4) If:
(a) a loss of information is covered by paragraph 26WE(2)(b); and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the loss; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so:
(i) after there is unauthorised access to, or unauthorised disclosure of, the information; and
(ii) before the access or disclosure results in serious harm to any of the individuals to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals;
the loss is not, and is taken never to have been:
(e) an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) an eligible data breach of any other entity.

(5) If:
(a) a loss of information is covered by paragraph 26WE(2)(b); and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the loss; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so:
(i) after there is unauthorised access to, or unauthorised disclosure of, the information; and
(ii) before the access or disclosure results in serious harm to a particular individual to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to the individual;
this Part does not require:
(e) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) any other entity;
to take steps to notify the individual of the contents of a statement that relates to the loss.

26WG Whether access or disclosure would be likely, or would not be likely, to result in serious harm--relevant matters

For the purposes of this Division, in determining whether a reasonable person would conclude that an access to, or a disclosure of, information:
(a) would be likely; or
(b) would not be likely;
to result in serious harm to any of the individuals to whom the information relates, have regard to the following:
(c) the kind or kinds of information;
(d) the sensitivity of the information;
(e) whether the information is protected by one or more security measures;
(f) if the information is protected by one or more security measures--the likelihood that any of those security measures could be overcome;
(g) the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
(h) if a security technology or methodology:
(i) was used in relation to the information; and
(ii) was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information;
the likelihood that the persons, or the kinds of persons, who:
(iii) have obtained, or who could obtain, the information; and
(iv) have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;
have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology;
(i) the nature of the harm;
(j) any other relevant matters.

Note: If the security technology or methodology mentioned in paragraph (h) is encryption, an encryption key is an example of information required to circumvent the security technology or methodology.
Division 3--Notification of eligible data breaches

Subdivision A--Suspected eligible data breaches

26WH Assessment of suspected eligible data breach

Scope

(1) This section applies if:
(a) an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity; and
(b) the entity is not aware that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity.

Assessment

(2) The entity must:
(a) carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity; and
(b) take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware as mentioned in paragraph (1)(a).

Note: Section 26WK applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.

26WJ Exception--eligible data breaches of other entities

If:
(a) an entity complies with section 26WH in relation to an eligible data breach of the entity; and
(b) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities;
that section does not apply in relation to those eligible data breaches of those other entities.

Subdivision B--General notification obligations

26WK Statement about eligible data breach

Scope

(1) This section applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.

Statement

(2) The entity must:
(a) both:
(i) prepare a statement that complies with subsection (3); and
(ii) give a copy of the statement to the Commissioner; and
(b) do so as soon as practicable after the entity becomes so aware.

(3) The statement referred to in subparagraph (2)(a)(i) must set out:
(a) the identity and contact details of the entity; and
(b) a description of the eligible data breach that the entity has reasonable grounds to believe has happened; and
(c) the kind or kinds of information concerned; and
(d) recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.

(4) If the entity has reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, the statement referred to in subparagraph (2)(a)(i) may also set out the identity and contact details of those other entities.

26WL Entity must notify eligible data breach

Scope

(1) This section applies if:
(a) an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; and
(b) the entity has prepared a statement that:
(i) complies with subsection 26WK(3); and
(ii) relates to the eligible data breach that the entity has reasonable grounds to believe has happened.

Notification

(2) The entity must:
(a) if it is practicable for the entity to notify the contents of the statement to each of the individuals to whom the relevant information relates--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or
(b) if it is practicable for the entity to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or
(c) if neither paragraph (a) nor (b) applies:
(i) publish a copy of the statement on the entity's website (if any); and
(ii) take reasonable steps to publicise the contents of the statement.

Note: See also subsections 26WF(2) and (5), which deal with remedial action.

(3) The entity must comply with subsection (2) as soon as practicable after the completion of the preparation of the statement.

Method of providing a statement to an individual

(4) If the entity normally communicates with a particular individual using a particular method, the notification to the individual under paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).

26WM Exception--eligible data breaches of other entities

If:
(a) an entity complies with sections 26WK and 26WL in relation to an eligible data breach of the entity; and
(b) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities;
those sections do not apply in relation to those eligible data breaches of those other entities.

26WN Exception--enforcement related activities

If:
(a) an entity is an enforcement body; and
(b) the chief executive officer of the enforcement body believes on reasonable grounds that there has been an eligible data breach of the entity; and
(c) the chief executive officer of the enforcement body believes on reasonable grounds that compliance with section 26WL in relation to the eligible data breach would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body;
paragraph 26WK(3)(d) and section 26WL do not apply in relation to:
(d) the eligible data breach of the entity; and
(e) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities--such an eligible data breach of those other entities.

26WP Exception--inconsistency with secrecy provisions

Secrecy provisions

(1) For the purposes of this section, secrecy provision means a provision that:
(a) is a provision of a law of the Commonwealth (other than this Act); and
(b) prohibits or regulates the use or disclosure of information.
(2) If compliance by an entity with subparagraph 26WK(2)(a)(ii) in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), subsection 26WK(2) does not apply to the entity, in relation to the statement, to the extent of the inconsistency.

(3) If compliance by an entity with section 26WL in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), section 26WL does not apply to the entity, in relation to the statement, to the extent of the inconsistency.

Prescribed secrecy provisions

(4) For the purposes of this section, prescribed secrecy provision means a secrecy provision that is specified in the regulations.

(5) For the purposes of a prescribed secrecy provision:
(a) subparagraph 26WK(2)(a)(ii); and
(b) section 26WL;
are taken not to be provisions that require or authorise the use or disclosure of information.

(6) If compliance by an entity with subparagraph 26WK(2)(a)(ii) in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, subsection 26WK(2) does not apply to the entity in relation to the statement.

(7) If compliance by an entity with section 26WL in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, section 26WL does not apply to the entity in relation to the statement.

26WQ Exception--declaration by Commissioner

(1) If the Commissioner:
(a) is aware that there are reasonable grounds to believe that there has been an eligible data breach of an entity; or
(b) is informed by an entity that the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity;
the Commissioner may, by written notice given to the entity:
(c) declare that sections 26WK and 26WL do not apply in relation to:
(i) the eligible data breach of the entity; and
(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities--such an eligible data breach of those other entities; or
(d) declare that subsection 26WL(3) has effect in relation to:
(i) the eligible data breach of the entity; and
(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities--such an eligible data breach of those other entities;
as if that subsection required compliance with subsection 26WL(2) before the end of a period specified in the declaration.

(2) The Commissioner's power in paragraph (1)(d) may only be used to extend the time for compliance with subsection 26WL(2) to the end of a period that the Commissioner is satisfied is reasonable in the circumstances.

(3) The Commissioner must not make a declaration under subsection (1) unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the following:
(a) the public interest;
(b) any relevant advice given to the Commissioner by:
(i) an enforcement body; or
(ii) the Australian Signals Directorate of the Defence Department;
(c) such other matters (if any) as the Commissioner considers relevant.

(4) Paragraph (3)(b) does not limit the advice to which the Commissioner may have regard.

(5) The Commissioner may give a notice of a declaration to an entity under subsection (1):
(a) on the Commissioner's own initiative; or
(b) on application made to the Commissioner by the entity.
Applications

(6) An application by an entity under paragraph (5)(b) may be expressed to be:
(a) an application for a paragraph (1)(c) declaration; or
(b) an application for a paragraph (1)(d) declaration; or
(c) an application for:
(i) a paragraph (1)(c) declaration; or
(ii) in the event that the Commissioner is not disposed to make such a declaration--a paragraph (1)(d) declaration.

(7) If an entity applies to the Commissioner under paragraph (5)(b):
(a) the Commissioner may refuse the application; and
(b) if the Commissioner does so--the Commissioner must give written notice of the refusal to the entity.

(8) If:
(a) an application for a paragraph (1)(d) declaration nominates a period to be specified in the declaration; and
(b) the Commissioner makes the declaration, but specifies a different period in the declaration;
the Commissioner is taken not to have refused the application.

(9) If an entity applies to the Commissioner under paragraph (5)(b) for a declaration that, to any extent, relates to an eligible data breach of the entity, sections 26WK and 26WL do not apply in relation to:
(a) the eligible data breach; or
(b) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities--such an eligible data breach of those other entities;
until the Commissioner makes a decision in response to the application for the declaration.

(10) An entity is not entitled to make an application under paragraph (5)(b) in relation to an eligible data breach of the entity if:
(a) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities; and
(b) one of those other entities has already made an application under paragraph (5)(b) in relation to the eligible data breach of the other entity.

Extension of specified period

(11) If notice of a paragraph (1)(d) declaration has been given to an entity, the Commissioner may, by written notice given to the entity, extend the period specified in the declaration.

Subdivision C--Commissioner may direct entity to notify eligible data breach

26WR Commissioner may direct entity to notify eligible data breach

(1) If the Commissioner is aware that there are reasonable grounds to believe that there has been an eligible data breach of an entity, the Commissioner may, by written notice given to the entity, direct the entity to:
(a) prepare a statement that complies with subsection (4); and
(b) give a copy of the statement to the Commissioner.

(2) The direction must also require the entity to:
(a) if it is practicable for the entity to notify the contents of the statement to each of the individuals to whom the relevant information relates--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or
(b) if it is practicable for the entity to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or
(c) if neither paragraph (a) nor (b) applies:
(i) publish a copy of the statement on the entity's website (if any); and
(ii) take reasonable steps to publicise the contents of the statement.
Note: See also subsections 26WF(2) and (5), which deal with remedial action.

(3) Before giving a direction to an entity under subsection (1), the Commissioner must invite the entity to make a submission to the Commissioner in relation to the direction within the period specified in the invitation.

(4) The statement referred to in paragraph (1)(a) must set out:
(a) the identity and contact details of the entity; and
(b) a description of the eligible data breach that the Commissioner has reasonable grounds to believe has happened; and
(c) the kind or kinds of information concerned; and
(d) recommendations about the steps that individuals should take in response to the eligible data breach that the Commissioner has reasonable grounds to believe has happened.

(5) A direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out specified information that relates to the eligible data breach that the Commissioner has reasonable grounds to believe has happened.

(6) In deciding whether to give a direction to an entity under subsection (1), the Commissioner must have regard to the following:
(a) any relevant advice given to the Commissioner by:
(i) an enforcement body; or
(ii) the Australian Signals Directorate of the Defence Department;
(b) any relevant submission that was made by the entity:
(i) in response to an invitation under subsection (3); and
(ii) within the period specified in the invitation;
(c) such other matters (if any) as the Commissioner considers relevant.

(7) Paragraph (6)(a) does not limit the advice to which the Commissioner may have regard.

(8) If the Commissioner is aware that there are reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, a direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out the identity and contact details of those other entities.

Method of providing a statement to an individual

(9) If an entity normally communicates with a particular individual using a particular method, the notification to the individual mentioned in paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).

Compliance with direction

(10) An entity must comply with a direction under subsection (1) as soon as practicable after the direction is given.

26WS Exception--enforcement related activities

An entity is not required to comply with a direction under subsection 26WR(1) if:
(a) the entity is an enforcement body; and
(b) the chief executive officer of the enforcement body believes on reasonable grounds that compliance with the direction would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body.

26WT Exception--inconsistency with secrecy provisions

Secrecy provisions

(1) For the purposes of this section, secrecy provision means a provision that:
(a) is a provision of a law of the Commonwealth (other than this Act); and
(b) prohibits or regulates the use or disclosure of information.

(2) If compliance by an entity with paragraph 26WR(1)(b) or subsection 26WR(2) in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), paragraph 26WR(1)(b) or subsection 26WR(2),
Amendments Schedule 1
No. , 2016
Privacy Amendment (Notifiable Data Breaches) Bill 2016
21
as the case may be, does not apply to the entity, in relation to the
1
statement, to the extent of the inconsistency.
2
Prescribed secrecy provisions
3
(3) For the purposes of this section, prescribed secrecy provision
4
means a secrecy provision that is specified in the regulations.
5
(4) For the purposes of a prescribed secrecy provision:
6
(a) paragraph 26WR(1)(b); and
7
(b) subsection 26WR(2);
8
are taken not to be provisions that require or authorise the use or
9
disclosure of information.
10
(5) If compliance by an entity with paragraph 26WR(1)(b) or
11
subsection 26WR(2) in relation to a statement would, to any extent,
12
be inconsistent with a prescribed secrecy provision,
13
paragraph 26WR(1)(b) or subsection 26WR(2), as the case may be,
14
does not apply to the entity in relation to the statement.
15
4 After paragraph 96(1)(b)
16
Insert:
17
(ba) a decision under subsection 26WQ(7) to refuse an application
18
for a declaration;
19
(bb) a decision to make a declaration under
20
paragraph 26WQ(1)(d);
21
(bc) a decision under subsection 26WR(1) to give a direction;
22
5 After subsection 96(2)
23
Insert:
24
(2A) An application under paragraph (1)(ba) may only be made by:
25
(a) the entity that made the application for a declaration; or
26
(b) if another entity's compliance with subsection 26WL(2) is
27
affected by the decision to refuse the application for a
28
declaration--that other entity.
29
(2B) An application under paragraph (1)(bb) may only be made by:
30
(a) the entity to whom notice of the declaration was given; or
31
(b) if another entity's compliance with subsection 26WL(2) is
32
affected by the declaration--that other entity.
33
Schedule 1 Amendments
22
Privacy Amendment (Notifiable Data Breaches) Bill 2016
No. , 2016
(2C) An application under paragraph (1)(bc) may only be made by the
1
entity to whom the direction was given.
2
(2D) For the purposes of subsections (2A), (2B) and (2C), entity has the
3
same meaning as in Part IIIC.
4
6 Application of amendments
--eligible data breaches
5
(1)
Paragraph 26WE(2)(a) of the Privacy Act 1988 (as amended by this
6
Schedule) applies to an access or disclosure that happens after the
7
commencement of this item.
8
(2)
Paragraph 26WE(2)(b) of the Privacy Act 1988 (as amended by this
9
Schedule) applies to a loss that happens after the commencement of this
10
item.
11