In response to recommendations relating to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Data Retention Bill), the government indicated its support for the introduction of a mandatory data breach notification scheme by the end of 2015. It is as yet unclear whether the proposed scheme will apply only to holders of telecommunications data, or whether it is intended to have wider application.
Mandatory data breach reporting back on the agenda?
The Parliamentary Joint Committee on Intelligence and Security has completed its inquiry into the Data Retention Bill and has produced a report, which includes 39 recommendations, all of which have since apparently received bipartisan support. The recommendations are intended to promote improved oversight and safeguards over the use of metadata, given concerns over the potential for misuse.
A mandatory data breach reporting scheme has long been advocated by Australia’s Privacy Commissioner, Timothy Pilgrim. In 2013 the Labor government twice attempted to pass legislation introducing mandatory data breach reporting obligations into the Privacy Act, with potential penalties of up to $1.7 million for serious or repeated offences.
EDR exemption extended for commercial credit providers
Commercial credit providers may continue to access consumer credit reports without the need to subscribe to a recognised external dispute resolution (EDR) scheme.
The previous 12-month transitional exemption under the Privacy Amendment (External Dispute Resolution Scheme—Transitional) Regulation 2014, which was scheduled to expire on 11 March 2015, has been replaced with a permanent exemption. The permanent exemption allows commercial credit providers to disclose credit information to credit reporting bodies (in order to obtain consumer credit reports) without being EDR scheme members.
The change takes effect under the Privacy Amendment (2015 Measures No. 1) Regulation 2015. These regulations also extend equivalent transitional relief for utilities for a further period expiring on 1 January 2016 to allow time for the utilities ombudsman services of some States and Territories to become recognised EDR Schemes under the Privacy Act.
Under the Privacy Act 1998 (Cth), a credit provider is prohibited from disclosing credit information about an individual to a credit reporting body unless it is a member of a recognised EDR scheme or is prescribed by regulation.