Another Australian parliamentary year ends without data breach notification laws

Labor lashes out at Coalition for failing to pass a bill that it failed to pass in 2013.
Written by Chris Duckett, Contributor

With Australian Parliament risen for 2016 and members headed towards their summer breaks, Australia appears set to be without a working data breach notification scheme until sometime in 2018.

If you feel like Australia has been through this before, you'd be right.

Parliament is currently undertaking its third attempt to pass data breach notification laws, following previous attempts being stranded in the Senate by both Labor and Coalition governments.

Due to commencement provisions in the legislation, unless otherwise proclaimed, any laws passed would take effect 12 months after gaining Royal Assent, which is likely to rule out 2017 for a working notification scheme.

With little acknowledgement of such laws being stranded in the Senate on its watch, Labor hit out at the Coalition for failing to bring on a vote on the Bills, and said tens of thousands of Australians have had their private data stolen in the past three years.

"Today Australians were on the brink of finally being given a basic privacy protection which they have waited three years for, but the government has squibbed it yet again," Shadow Attorney-General Mark Dreyfus and Shadow Assistant Minister For Cyber Security & Defence Gai Brodtmann said in a statement on Thursday.

"It was due to be passed today, and now the government has pulled it."

"The only reason this protection is not in place today is because the Turnbull government couldn't be bothered to pass it."

The legislation currently before Parliament would only apply to incidents at companies covered by the Privacy Act that involve personal information, credit card information, credit eligibility, or tax file number information and that would put individuals at "real risk of serious harm". The Privacy Act exempts intelligence agencies, small businesses with turnover of less than AU$3 million, and political parties from needing to disclose breaches.

E-health providers remain subject to the mandatory data breach notification scheme under the My Health Records Act.

Last month, the Office of the Australian Information Commissioner said it had received 16 mandatory data breach notifications, which recorded 94 separate breaches related to e-health.

Dreyfus said during the recent election campaign that an incoming Labor government would have introduced the laws as soon as practicable, with the expectation of Coalition support.

"Mandatory data breach legislation was a Labor commitment, and it is one that we maintain," Dreyfus told ZDNet in April.
