Draft guidelines issued for mandatory reporting of data breaches

The Australian Privacy Commissioner, Karen Curtis, is seeking feedback from the businesses community in response to the release of a draft Voluntary Information Security Breach Notification Guide today.

Currently there are no specific requirements under the Privacy Act for organisations to notify individuals of an information security breach.

However, a proposal to make notification of information security breaches mandatory is being considered by the Australian Law Reform Commission (ALRC) as part of a national privacy review.

"The development of a voluntary guide offers a timely opportunity for stakeholders to comment on this important issue and we look forward to hearing their views," Curtis said.

The draft Guide draws upon voluntary guidelines developed by the Privacy Commissioners of Canada and New Zealand and public submissions close on June 16, 2008. Details at www.privacy.gov.au.

While agencies and organisations are required to safeguard data, Curtis said breaches still occur and information can go missing.

"Not all breaches result from malicious, intentional behaviour such as computer hacking for example - they can occur because of human error, from a failure to follow established protocols, or from information going missing," she said.

"Recognising that this is the current reality of the modern information handling environment, the Guide aims not only to assist agencies and organisations to minimise the possibility of a breach occurring, but also to prepare for and respond effectively to any breaches when they do occur."

The Australian Democrats welcomed the guidelines to regulate the reporting of data breaches with privacy spokesperson Senator Natasha Stott Despoja warning this stop-gap measure should not delay a permanent legislative solution.

"While voluntary guidelines may provide some useful guidance for prudent organisations, I am concerned that the voluntary and non-binding nature of the guide will mean that data security breaches will continue to fall through the cracks," Stott Despoja said.

"I am also concerned that under the guidelines, a decision on whether or not to notify a customer of a data breach will reside with the organisation involved in that breach."

In 2007, the Senator introduced a Private Bill to parliament to amend the Privacy Act and introduce mandatory reporting.

"In order to give individuals more control over their personal information and to satisfy public expectations Parliament must legislate; organisations must advise individuals when their personal information has been compromised," she said.

Stott Despoja said notification requirements would lessen the impact of identity theft and facilitate greater awareness of data security breach issues and improve security practices.

Page Break

She welcomed moves by the government to overhaul the Privacy Act based on the ALRC's review.

"The Act is full of loopholes, confusing differences between state and federal laws also make compliance a nightmare, and different rules apply to government and business," she added.

"Moreover, exemptions for political parties, the media and small business mean that the Act is more like a block of Swiss Cheese than a bulwark against undue incursions into personal privacy.

"Genuine reform of the Privacy Act must be a first order priority for the Rudd government."