Mandatory data breach disclosure recommended in privacy law reforms

At a media briefing in Sydney, Federal Cabinet Secretary John Faulkner, and Attorney-General Robert McClelland officially launched the 2700 page report titled: ‘For Your Information: Australian Privacy Law and Practice.

The landmark report makes 295 recommendations to the existing Privacy Laws and practices, of which, a recommendation for mandatory data breach disclosure is included.

Professor Les McCrimmon, Commissioner in charge of the Privacy Inquiry said, the ALRC has made a recommendation that there should be a mandatory data breach notification provision.

"A notification scheme gives individuals the information and opportunity to protect themselves against fraud and identity theft," said McCrimmon.

"It also will provide a strong incentive for agencies and organisations to ensure that they secure their databases," he added.

The three-volume report is the culmination of a research and consultation exercise conducted over two years involving submissions by countless organisations, businesses and community groups.

According to McCrimmon, there was wide spread concern in the community about data breach disclosure as a result of the digital age and the free movement of information.

As part of the consultation process the ALRC looked at different data breach disclosure models in several countries before making its own recommendations.

“We don’t want a situation where all unauthorised access of information will result in a requirement to notify," said McCrimmon.

"[Instead] in our view, where the breach can cause a serious harm to an individual, is when there should be disclosure. Serious harm might be information such as a tax file number which can result in identity theft," said McCrimmon.

However, disclosure would not be required in a situation where a breach involved an unauthorised person gaining access to information and it goes no further.

"We have moved the bar up so that we’re not looking at trivial breaches," he said.

ALRC President, Professor David Weisbrot said the Privacy Act has worked pretty well to date, but it now needs a host of refinements to help navigate the Information Superhighway.

“These days, information privacy touches almost every aspect of our daily lives, including our medical records and health status, our finances and creditworthiness, the personal details collected and stored on a multiplicity of public and corporate databases, and even the ability to control the display and distribution of our own images.”

Meanwhile, Senator Faulkner reiterated the government's position, ensuring that the confidence of Australian's in the security and release of personal information is part of the government’s program.

He said due to the complexity of the recommendations, the government will tackle the report in two stages.

He indicated that stage one reforms will be in place within the next 12 to 18 months. Data breach disclosure laws fall into the second stage.

As for when the data breach disclosures will be inacted, Weisbrot said, "We have given the government our report and it’s a matter for the government to work through the recommendations."

“It’s a big complex report – my personal preference is that they do it right."

breach data disclosure law mandatory privacy reforms security