Creating a mandatory data breach notification scheme is a “long overdue initiative,” according to Internet Australia CEO Laurie Patton.
The government yesterday released an exposure draft of legislation to create such a scheme.
The government had originally committed to legislating a notification scheme this year.
The scheme as currently drafted would oblige businesses to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by a breach.
Commonwealth agencies, organisations with turnover in excess of $3 million, and organisations that work with sensitive personal data would be covered by the scheme.
“At a time when governments and others are increasingly inclined to collect and retain people's personal information, it is essential that they be required to keep it safe from unauthorised access,” Patton told Computerworld Australia.
“History tells us that without a legal requirement to do so we cannot be confident that we'll be told when there’s been a breach. Sadly, we need a law to force organisations to do the right thing in this respect.”
Patton said Internet Australia would work closely with other groups “to ensure that any legislation is sufficient and appropriate”.
“I welcome the Australian government’s release of draft mandatory data breach notification laws for public consultation,” the acting Australian Information Commissioner, Timothy Pilgrim, said in a statement.
“I have been a keen supporter of the development of mandatory data breach notification provisions for some time.”
“Data breach notification can be an important mitigation strategy in the event of a serious data breach,” Pilgrim said.
“A mandatory notification scheme will provide confidence to all Australians that, in the event of a serious data breach, they will be given the opportunity to manage their personal information accordingly,” the commissioner said.