2004-2005-2006-2007
The Parliament of the Commonwealth of Australia
THE SENATE
Presented and read a first time

Privacy (Data Security Breach Notification) Amendment Bill 2007
No. , 2007
(Senator Stott Despoja)

A Bill for an Act to amend the Privacy Act 1988 to require organisations and agencies to notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person, and for related purposes

1 Short title
2 Commencement
3 Object of Act
Schedule 1--Amendment of the Privacy Act 1988

The Parliament of Australia enacts:

1 Short title
This Act may be cited as the Privacy (Data Security Breach Notification) Amendment Act 2007.

2 Commencement
This Act commences on the day after the day on which it receives the Royal Assent.

3 Object of Act
The object of this Act is to require agencies and organisations to notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person.

Schedule 1--Amendment of the Privacy Act 1988

1 Subsection 6(1)
Insert:
breach of data security or data security breach means interference with privacy in accordance with section 13, including any unauthorised acquisition, transmission, disclosure or use of personal information involving an unauthorised party.
unauthorised party means:
(a) a person, agency or organisation that is not employed or contracted by the agency or organisation that is authorised to hold, disclose or use the personal information in accordance with the Information Privacy Principles in Division 2 of Part III;
(b) an employee of the agency or organisation who:
(i) exceeds his or her authority to access personal information; or
(ii) uses the information for purposes unrelated to his or her professional duties, or outside the scope of authorised use under the Information Privacy Principles.

2 After section 13A
Insert:
13AB Notification to a person of a breach of their data security
(1) An agency or organisation that holds personal information shall notify any person, in accordance with subsections (2) and (3), when there has been a confirmed or reasonably suspected breach of data security involving that person's personal information following the discovery of the breach.
(2) The notification of the data security breach shall be made as soon as possible following detection, and at no cost to the person.
(3) The agency or organisation responsible for disclosing personal information shall maintain a register of notifications made and actions taken as required under subsection (4).
(4) The agency or organisation responsible for the data security breach is to co-operate with the person, without infringing the Information Privacy Principles in relation to unauthorised parties, including:
(a) by providing copies of the information disclosed or suspected of having been disclosed;
(b) by providing a description of the data security breach;
(c) by advising of known or likely recipients of the information disclosed;
(d) the action taken by the agency or organisation to recover or attempt to recover the information disclosed;
(e) notification of any measures taken to prevent a re-occurrence of the breach.