The Australian Privacy Commissioner, Timothy Pilgrim, has said he supports the introduction of mandatory data breach notification laws in Australia – outlined by Attorney-General Mark Dreyfus – and has done so since they were first proposed in 2008 by the Australian Law Reform.
In his view, mandatory notifications will result in a better public understanding of the scope and frequency of breaches and as a result, promote privacy awareness.
Pilgrim said because there is currently no legal requirement for Australian government agencies or private sector organisations to notify individuals after a breach, people affected by the incidents are unable to take mitigation steps in protecting personal information – this includes requesting a new credit card or Medicare number.
According to Pilgrim, the last few years have seen several high-profile data breaches, and research suggests the frequency of these has continued to grow over the past three years. Despite this, the Office of the Australian Information Commissioner (OAIC) has only received 46 notifications in the 2011 to 2012 financial year , down 18 per cent from the previous.
“Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised,” Pilgrim said.
“There are real incentives for agencies and organisations to notify of a privacy breach. Apart from being good privacy practice, it can also engender customer trust, reduce the cost of dealing with a data breach, and mitigate against reputational damage.”