Privacy (Data Security Breach Notification) Amendment Bill 2007 [2008]

Schedule 1  Amendment of the Privacy Act 1988

1  Subsection 6(1)

breach of data security or data security breach means interference with privacy in accordance with section 13, including any unauthorised acquisition, transmission, disclosure or use of personal information involving an unauthorised party.

unauthorised party means:

                     (a)  a person, agency or organisation that is not employed or contracted by the agency or organisation that is authorised to hold, disclose or use the personal information in accordance with the Information Privacy Principles in Division 2 of Part III;

                     (b)  an employee of the agency or organisation who:

                              (i)  exceeds his or her authority to access personal information; or

                             (ii)  uses the information for purposes unrelated to his or her professional duties, or outside the scope of authorised use under the Information Privacy Principles.

2  After section 13A

13AB  Notification to a person of a breach of their data security

             (1)  An agency or organisation that holds personal information shall notify any person, in accordance with subsections (2) and (3), when there has been a confirmed or reasonably suspected breach of data security involving that person’s personal information following the discovery of the breach.

             (2)  The notification of the data security breach shall be made as soon as possible following detection, and at no cost to the person.

             (3)  The agency or organisation responsible for disclosing personal information shall maintain a register of notifications made and attempted in accordance with subsections (1) and (2), and of actions taken as required under subsection (4).

             (4)  The agency or organisation responsible for the data security breach is to co-operate with the person, without infringing the Information Privacy Principles in relation to unauthorised parties, including:

                     (a)  by providing copies of the information disclosed or suspected of having been disclosed;

                     (b)  by providing a description of the data security breach;

                     (c)  by advising of known or likely recipients of the information disclosed;

                     (d)  the action taken by the agency or organisation to recover or attempt to recover the information disclosed;

                     (e)  notification of any measures taken to prevent a re-occurrence of the breach.