We will all agree that a data breach, especially a serious one, can have a severe adverse impact on the individuals whose personal information has been compromised. For example, the affected individuals can be exposed to the risk of fraud and identity theft. Prompt notification allows individuals to take action to protect themselves.
Data breach notification has been in the spotlight for some years now. Those of us who have been following Australia's privacy reforms will recall that in its 2008 privacy report, the Australian Law Reform Commission (ALRC) noted that there was an increasing risk that the huge volume of personal information collected by government agencies and large corporations could become subject to data breaches. At the time, the ALRC already recommended mandatory data breach reporting.
Late last week, we saw the Privacy Amendment (Privacy Alerts) Bill 2014 being re-introduced into the Federal Parliament (on 20 March 2014). The Second Reading Speech pointed out that the re-introduction of this Bill is the next key step in the major reform of Australia's privacy laws. The Bill provides that when a government agency or an organisation has suffered a serious data breach, it must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).
Currently, there is no requirement for agencies and organisations to notify affected individuals or the OAIC when they have suffered a data breach. The OAIC has voluntary guidelines encouraging notification, but is concerned that many data breaches remain unreported. It is intended that the Bill, when it becomes law, will put in place the long overdue measure recommended by the ALRC, close the gap in Australia's privacy laws and position Australia as a global leader in privacy protection.
This post first appeared on CPD Interactive's "Legal Natter's Blog".