The Office of the Australian Information Commission (OAIC) has updated its voluntary data breach guidelines as a means of encouraging organisations to notify the public in the advent of a data breach.
The new guidelines, entitled <i>Data breach notification</i>, update the August 2008 Guide to handling personal information security breaches.
Information Commissioner, John McMillian, launched the guidelines in Sydney to coincide with Privacy Awareness Week.
McMillian said that the government is still considering the data breach notification framework, despite a recommendation in 2008 by the Australian Law Reform Commission (ALRC) in its report, For your information: Australian Privacy Law and Practice, that it should be a legal requirement to notify customers of a data breach in Australia.
“Legal obligation, aside, there is strong support for the notion that government and industry should treat data breach notification as an obligatory privacy practice,” he said.
“A survey due to be released by ebay this week has found that 85 per cent of Australian customers want data breach notifications to be mandatory.”
McMillian added that the tide was “turning internationally” to mandatory data breaches, notably in the European Union, the United States and the United Kingdom.
“The Australian government is aware of those developments and I expect the data breach notification framework will continue to be considered,” he said.
The updated guidelines outline four reasons as to why organisations should notify the public about data breach notification. These reasons include security safeguards, openness about privacy practices, restoring control over personal information and rebuilding public trust.
“The OAIC strongly encourages notification in appropriate circumstances as part of good privacy practice, and in the interest of maintaining a community in which privacy is valued,” the guideline documents state.
The guidelines also state that while the OAIC conducts its investigations in private, it will publish the outcomes of its investigations in consultation with the affected organisation.
“In some circumstances, consistent with its role of education and enforcement, the OAIC may publicise information about the information management practices of an agency or organisation,” the guideline documents state.
However, the four data breach notification steps from 2008 remain the same.
- Step 1: Contain the breach and make a preliminary assessment.
- Step 2: Evaluate the risks for individuals associated with the breach.
- Step 3: Consider breach notification.
- Step 4: Review the incident and take action to prevent future breaches.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU