Review of Privacy Act reveals push for tougher data protection standards

Regulations needed for data breach notifications

Federal privacy commissioner, Karen Curtis, has called for tougher standards in Australia to force organizations to notify customers of a security breach that exposes customer information.

Curtis said forcing organizations to notify customers of a breach is a "strong market incentive" that will encourage organizations to adequately secure databases and increase customer trust.

The recommendation, which made no reference to formal penalties, is part of a 474 page submission Curtis has made to the Australian Law Reform Commission (ALRC) which is currently reviewing the Privacy Act.

Many of the submissions to the ALRC have called for a tougher regulatory climate as a result of a huge increase in high profile data breaches in the past two years which have made the Privacy Act outdated and almost redundant.

For example, the US Congress has introduced a data breach notification bill and more than 30 states have passed similar laws since 2005.

Australia has been slow to legally adopt similar measures but the privacy review has revealed a strong push by industry for tougher data governance standards.

The largest custodian of credit information in Australia, Veda Advantage (formerly Baycorp Advantage), claims there is an "urgent need" for stronger data governance standards and there should be greater obligations on companies that aggregate data.

Veda's recommendations are in line with those made by Curtis, who has also recommended a review of date-matching guidelines.

Curtis also wants biometric information to be classified as sensitive under the Privacy Act to ensure a higher level of protection than other forms of personal data.

"In addition, all organizations including small businesses that are generally exempt under the Privacy Act and handle biometric information, should also be covered under the legislation," she said.

"New technologies can offer immense benefits but we need stronger protections in place."

The review is timely considering organizations are at the centre of a digital revolution. A report released last week by analyst firm, IDC, predicts digital information will rise six fold by 2010, reaching 988 exabytes.

In 2006 alone, the amount of digital information created and copied worldwide was equal to 161 billion gigabytes, or 161 exabytes. That is equivalent to three million times the information in all the books ever written - or the equivalent of 12 stacks of books, each extending more than 93 million miles from the earth to the sun.

In its submission to the ALRC, Veda Advantage said the Privacy Act should recognize the indirect collection of data in information networks. Customers should be notified if personal details are collected indirectly or through third party collection.

The amount and range of data sharing and the degree of risk would determine the level of obligation applied to organizations.

"Harness emerging technologies such as portable digital signatures and other forms of digital identity to allow consumers to manage their own portfolio of data collection consents. This is particularly important in the case of bundled consents," the submission said.

"Strengthen guidelines for assisting and monitoring trans-border data flows including the monitoring of compliance."

Join the newsletter!

Error: Please check your email address.

More about ACTBaycorpBaycorp AdvantageBillBillionBrother International (Aust)CDTEFFIDC AustraliaRaymond James FinancialSymantec

Show Comments

Market Place