Australian Information and Privacy Commissioner Timothy Pilgrim has welcomed the passage of a bill on mandatory notification of data breaches by the federal Parliament.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Senate on Monday night.
Pilgrim said he looked forward to working with government, business and consumer groups as the new scheme came into place. He said it would "help protect the privacy rights of individuals, and strengthen community trust in businesses and agencies".
He said the amendment would require government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that was likely to result in serious harm.
"My office will be advised of these breaches, and can determine if further action is required. The law also gives me the ability to direct an agency or business to notify individuals about a serious data breach."
In the interim, Pilgrim said agencies and businesses should take reasonable steps to ensure personal information was held securely and be prepared with a plan in the event of a data breach.
"The OAIC’s Data breach notification – a guide to handling personal information security and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the mandatory notification scheme. The OAIC also has a comprehensive Guide to securing personal information," he said.
Rajiv Shah, director, Cyber, Intelligence and Security of BAE Systems, said: "The passing of the Notifiable Data Breaches Bill by the Senate provides much needed clarity on the responsibilities of organisations and should kick-start a culture of information sharing needed to defend against cyber criminals.
"The Notifiable Data Breaches Bill shows clear leadership, crucial to breaking down an existing culture of denial as to the scope and scale of cyber-attacks, which is hampering efforts to combat the activities of cyber criminals.
"The new laws balance the need for consumers and businesses to know if their data has been compromised by a breach in a timely and clear way, while also not over-burdening organisations.
"Ultimately, what we have is a well-balanced privacy framework which provides a more transparent environment for Australians to entrust their personal information to organisations.
"There’s a significant trust benefit to be gained from mandatory notification. By preserving public confidence and participation in the digital economy, the nation will continue to benefit from the associated economic growth and prosperity."
Another security professional, Fergus Brooks, cyber national practice leader of global risk management firm Aon, said: "We welcome the Senate's decision to pass the legislation as it highlights the need for organisations to have a cyber incident response plan – now.
"The implications of a data breach can be financially crippling and can cause severe brand and reputational damage if not acted upon.
"It's due to come into effect within 12 months and organisations must act proactively now to manage their cyber risks to reduce the frequency and severity of a breach, and the reputational fallout."
The privacy commissioner's office was notified of 107 data breaches in 2015-16. The top five sectors affected were the federal government, the finance industry (including superannuation providers), health service providers, retail outlets and online services.