The Australian privacy commissioner and a consumer group supported mandatory data breach notifications, in comments submitted today to the Attorney General.
Last week, Parliament passed a bill containing several amendments to privacy law. Among other things, the law gives Privacy Commissioner Timothy Pilgrim more powers, including the right to seek civil penalties for serious privacy breaches.
However, the privacy legislation did not include a more controversial provision requiring companies to notify customers in the case of a data breach. The proposal involves some tough issues, including what constitutes a breach and how soon after a breach a company should alert customers.
In today’s submission, the Office of the Australian Information Commissioner (OAIC) said it “supports the introduction of mandatory data breach notification legislation, as current voluntary data breach notification arrangements are insufficient.”
The Australian Communications Consumer Action Network (ACCAN) agreed on behalf of consumers in its own comments.
“A mandatory data breach notification requirement would provide greater information to consumers about the security of their personal information, and provide an incentive for organisations to improve their security practices,” ACCAN said.
The OAIC said notification should be triggered if the breach “gives rise to a ‘real risk of serious harm’ to an individual.”
“There should be a catch-all test that is able to apply to a range of circumstances, rather than a prescriptive test, and the specific elements that should be included in the notification trigger include the type of personal information involved in the breach, the context of the affected information and the breach, the cause and extent of the breach and the risk of harm to the affected individuals.”
However, ACCAN seeks a broader trigger than “serious harm,” it said. “It is not clear, for instance, whether the disclosure of credit card information carries ‘a real risk of serious harm.’”
However, ACCAN said it recognises “the concerns of ‘notification fatigue’ if notifications are made for too wide a range of events, and agree[s] that an excessively broad definition might contribute to this fatigue.”
The OAIC said notifications “should be made as soon as is reasonably practicable.”
ACCAN agreed: “Organisations should be responsible for notifying as soon as is practicable or reasonable after a breach is known (or reasonably suspected) to have occurred.”
“A set time limit would serve only to signal to organisations that notification could be delayed until that limit had been reached,” it said. “We note that delayed notification may be needed in particular cases, e.g. where notification would negatively impact on law enforcement activities.”
Follow Adam Bender on Twitter: @WatchAdam