A Financial System Inquiry has recommended the adoption of mandatory data breach notification in Australia in order to help consumers keep control over their personal and financial information.
According to the Inquiry, which was published today, the growing amount of data stored and used by firms can bring many benefits to consumers, businesses and government agencies.
“However, it also creates the risk of a data breach exposing amounts of sensitive customer information, especially given the increased sophistication and frequency of cyber attacks,” said the report.
Where data breaches involve personal information, there are no mandatory requirements to report the incident to the Office of the Australian Information Commissioner (OAIC) or notify affected individuals under the Privacy Act, the report said.
“Mandatory notifications can help individuals regain control over personal information. Being transparent about handling information can help rebuild public trust by demonstrating that an organisation takes its obligation to protect personal information seriously,” said the report.
According to the Inquiry, data breach notification could also be made more complicated if the bank or financial services provider is using cloud computing to store information.
“The use of cloud technology has the potential to introduce some level of confusion in relation to who is accountable to the consumer. Where cloud solutions are provided by a third party, questions may arise if a consumer’s private data is handled inappropriately or financial services transactions are not administrated to an appropriate standard.”
- How to avoid a Privacy Act breach
- Cost of a Privacy Act breach could extend to ongoing audits: legal expert
- Mandatory data breach notification back on government agenda
According to the Inquiry, cloud technology may offer many benefits but “dilutes” a firm’s control over its data and systems, which increases security risks.
“Where a cloud provider is located offshore, a regulator may have limited capacity to obtain information, investigate or take enforcement action where necessary.”
The Inquiry said it would value feedback about implementing mandatory data breach notifications to affected individuals and the Australian government agency with relevant responsibility under privacy laws.
It also recommended the adoption of a principles-based approach to setting cloud computing requirements and the need to consider the benefits, as well as the risks, of cloud.
In March 2014, the Privacy Amendment (Privacy Alerts) Bill was back on the government agenda after it had a first reading in the Senate.
The Bill lapsed in 2013 after a second reading in parliament was delayed during June and the Coalition government was elected into office.
If passed by the Coalition, the bill will require government agencies and businesses to notify customers of serious data breaches in relation to personal, credit reporting, credit eligibility or tax file number information.
Follow Hamish Barwick on Twitter: @HamishBarwick