mandatory data breach notificationThe long-awaited amendments to the Privacy Act 1988 making reporting of serious data breaches mandatory, has been passed in the House of Representatives and had its second reading in the Senate yesterday. We  cover what this Bill will mean if it is passed, and what it means for your credit file.

By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and

If passed by both houses, the Privacy Amendment (Privacy Alerts) Bill 2013 will be implemented as part of amendments to the Privacy Act in March next year, alongside other amendments.

The amendments will force businesses and government agencies covered by the Privacy Act 1988, to notify people when a serious data breach affecting their privacy occurs.

The notification requirements do not apply to all data breaches, only breaches that give rise to a risk of serious harm. Serious harm could include physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm.

The Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements and the Information Commissioner will be able to direct agencies and business to notify individuals of data breaches.

The legislation has been introduced following criticism of the current voluntary reporting system. It seems when faced with a choice, many entities think of the bottom line or other publicity concerns rather than the security of people’s personal or financial information.

A bit about how data breaches can threaten your credit file

Personal information in the wrong hands can lead not only to identity fraud, but the misuse of the victim’s credit file, which can have significant long term consequences.

A lot of identity fraud is committed by piecing together enough personal information from different sources in order for criminals to take out credit in the victim’s name. Often victims don’t know about it right away – and that’s where their credit file can be compromised.

Once the victim’s credit rating is damaged due to defaults from this ‘stolen’ credit, they are facing some difficult times repairing their credit rating in order to get their life back on track.

These victims often can’t even get a mobile phone in their name. It need not be large-scale fraud to be a massive blow to their financial future – defaults for as little as $100 will stop someone from getting a home loan.

Once an unpaid account goes to default stage, the account may be listed by the creditor as a default on a person’s credit file. Under current legislation, defaults remain on the credit file for a 5 year period.

What is not widely known is how difficult credit repair following can be – even if the individual has been the victim of identity theft, there is no guarantee the defaults can be removed from their credit file. The onus is on them to prove their case and provide copious amounts of documentary evidence.

Unfortunately data breaches are difficult for individuals to have any control over, and the only way people can ensure their details are safe are to demand that the companies they deal with have strong IT systems before disclosing that information.  People should adopt the philosophy of a need-to-know basis for disclosing their personal information. They should always question the need for it to be handed over. If it is not essential, they shouldn’t do it.

Image: Stuart Miles/