The federal Attorney General’s discussion paper, Australian Privacy Breach Notification should be considered by all Australian organisations and passed into law, according to Privacy Commissioner Timothy Pilgrim.
The paper covers a number of discussion questions including the possible introduction of mandatory data breach notification laws, the kind of breaches that should trigger notification requirements and how a data breach notification requirement should be enforced.
“Privacy breach notification is an important issue that needs community debate, and I’m sure there will be a wide range of views expressed on whether this notification should be mandatory.” Pilgrim said in a statement.
“All organisations must embed a culture that values and respects privacy. I believe that mandatory data breach notification will go some way to achieving this.”
He pointed out that there is currently no legal requirement in Australia for organisations to notify individuals when a privacy breach occurs. The only recourse for Australian organisations is to use the OAIC’s 2008 guide for voluntary data breach notifications which was updated in April this year.
Pilgrim said that where personal information has been compromised, mandatory data breach notification could be essential in helping individuals to regain control of that information.
“An individual can take steps to regain control of their identity and personal information by changing passwords or account numbers if they know that a data breach has occurred,” he said.
In addition, there were “real business incentives” for organisations to notify their customers of a privacy breach.
“Apart from being good privacy practice, it can also be a way of engendering consumer trust and mitigating against the substantial reputation damage that can result from a data breach.”
During the financial year 2011–12, the OAIC received 46 data breach notifications, an 18 per cent decrease from the number of notifications received in 2010–11.
According to Pilgrim, the decrease was difficult to explain. However, he had seen reports that suggest the OAIC is only being notified of a small percentage of data breaches that are occurring.
“It is very concerning that many of these incidents may be going unreported and customers are unaware that their personal information may be compromised.”
While the OAIC’s notifications decreased, the Office of the Victorian Privacy Commissioner (OVPC) recently reported that inappropriate disclosure of personal information and data security rose in Victoria during the financial year 2011-12.
The OVPC’s annual report found that 75 of the 109 complaints were new with 34 carried over from the 2010-11 financial year.
Follow Hamish Barwick on Twitter: @HamishBarwick