Mandatory data breach notification may soon become a reality

First of all, some definitions. Personal information is, in essence, information that identifies a person or could reasonably identify a person; data breach means unauthorised access to, or disclosure of, personal information; and serious data breach means a data breach where there is a real risk of serious harm (including reputational, economic and financial harm) to the affected individual.

We will all agree that a data breach, especially a serious one, can severely harm the individuals whose personal information has been compromised. For example, the affected individual can be exposed to the risk of fraud and identity theft. Prompt notification allows individuals to take action to protect themselves.

Data breach notification has been in the spotlight for some years now. Those of us who have been following Australia’s privacy reforms will recall that in its 2008 privacy report, the Australian Law Reform Commission (ALRC) noted that there was an increasing risk that the huge volume of personal information collected by government agencies and large corporations could become subject to data breaches. At the time, the ALRC already recommended mandatory data breach reporting.

Late last week, we saw the Privacy Amendment (Privacy Alerts) Bill 2014 being re-introduced into the Federal Parliament (on 20 March 2014). The Second Reading Speech pointed out that the re-introduction of this Bill is the next key step in the major reform of Australia’s privacy laws. The Bill provides that when a government agency or an organisation has suffered a serious data breach, it must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).

Currently, there is no requirement for agencies and organisations to notify affected individuals or the OAIC when they have suffered a data breach. The OAIC has voluntary guidelines encouraging notification, but is concerned that many data breaches remain unreported. It is intended that the Bill, when it becomes law, will bring into effect the long overdue measure recommended by the ALRC, close the gap in Australia’s privacy laws and position Australia as a global leader in privacy protection.

If you want to learn more, take CPD Interactive’s latest online course, Australian privacy principles essentials 2014.