Australian Privacy Commissioner Karen Curtis is seeking feedback from the business community in response to the release of a draft Voluntary Information Security Breach Notification Guide last week. The draft Guide, at www.privacy.gov.au, draws upon voluntary guidelines developed by the Privacy Commissioners of New Zealand and Canada.

Currently there are no specific requirements under the Australian Privacy Act for organisations to notify individuals of an information security breach. However, a proposal to make notification of information security breaches mandatory is being considered by the Australian Law Reform Commission (ALRC) as part of a national privacy review.

"The development of a voluntary guide offers a timely opportunity for stakeholders to comment on this important issue and we look forward to hearing their views," Curtis says.

In February, after the release of voluntary data breach disclosure guidelines, New Zealand Privacy Commissioner Marie Shroff said that some people thought because she was promoting voluntary guidelines she did not support a change in the law to require notification of breaches.
“However, I believe that there is a good case to require agencies by law to notify customers where a security breach puts those customers at risk,” she announced.
Shroff said the voluntary guidelines were not inconsistent with such a move.
“I believe there is now enough experience to suggest that breach notification laws are a useful adjunct to comprehensive information privacy law.”

While agencies and organisations are required to safeguard data in Australia, Curtis says breaches still occur and information can go missing. "Not all breaches result from malicious, intentional behaviour such as computer hacking for example — they can occur because of human error, from a failure to follow established protocols, or from information going missing," she says. "Recognising that this is the current reality of the modern information handling environment, the Guide aims not only to assist agencies and organisations to minimise the possibility of a breach occurring, but also to prepare for and respond effectively to any breaches when they do occur."

The Australian Democrats welcomed the guidelines to regulate the reporting of data breaches, with privacy spokesperson Senator Natasha Stott Despoja warning this stop-gap measure should not delay a permanent legislative solution. "While voluntary guidelines may provide some useful guidance for prudent organisations, I am concerned that the voluntary and non-binding nature of the guide will mean that data security breaches will continue to fall through the cracks," Stott Despoja says. "I am also concerned that under the guidelines, a decision on whether or not to notify a customer of a data breach will reside with the organisation involved in that breach."

In 2007, the Senator introduced a Private Bill to parliament to amend the Privacy Act and introduce mandatory reporting.
She welcomed moves by the government to overhaul the Privacy Act based on the ALRC's review. "The Act is full of loopholes, confusing differences between state and federal laws also make compliance a nightmare, and different rules apply to government and business," she says.