Aussies face $1.1m fines for data breaches

Proposed reforms for lost data.

Australian organisations that lose sensitive customer data through hacking or privacy gaffes could face fines of up to $1.1 million under proposed reforms to the Privacy Act.

The Federal Privacy Commissioner can currently push for agreed determinations but lacks powers to enforce penalities on offending organisations.

If passed, the legislation would give the Commissioner new teeth to impose financial penalties against individuals and organisations.

"I could for instance identify flaws in security systems and require organisations to patch those flaws or adopt a stronger security system," Privacy Commissioner Timothy Pilgram told CRN sister site SC Magazine.

Under the proposed legislation small-scale offenders could be taken to court and fined up to $22,000 for individuals, and $110,000 for organisations.

Repeat and serious offenders face financial penalties of up to $220,000 for individuals or $1.1 million for organisations.

The Privacy Commissioner will consult with industry to detail the constitution of an offence in the nine months following its theoretical passing into law.

The Bill (Privacy Amendment (Enhancing PrivacyProtection) Bill 2012) would replace the ageing National Privacy Principles (NPP) governing the private sector and Information Privacy Principles (IPP) covering government with a single federal framework, the Australian Privacy Principles (APP).

It would not replace state privacy laws.

Data breach disclosure reforms were first recommened by the Australian Law Reform Commission in 2008 and are already in place in the US and Europe.

The reforms would also respond to concerns from security experts over the lack of guidelines regarding the handling of biometric data.

Organisations would be required under the Privacy Act to implement minimum security arrangements to collect, store and disseminate biometric data.

The dissemination of biometric data, such as fingerprint and iris scans would still be allowed for the purposes of law enforcement.

The Biometrics Institute in March revoked a series of voluntary privacy principles for the handling of biometric data ahead of the introduction of the Privacy Act.

Other reforms under the Bill include:

• clearer and tighter regulation of the use of personal information for direct marketing
• extending privacy protections to unsolicited information
• making it easier for consumers to access and correct information held about them
• tightening the rules on sending personal information outside Australia
• a higher standard of protection to be afforded to “sensitive information” – which includes health related information, DNA and biometric data
• enhancing the powers of the Privacy Commissioner to improve the Commissioner’s ability to resolve complaints, conduct investigations and promote privacy compliance.

The reforms also covered credit reporting arrangements, including:

• making a clear obligation on organisations to substantiate, or show their evidence to justify, disputed credit listings
• making it easier for individuals to access and correct their credit reporting information
• prohibiting the collection of credit reporting information about children
• simplifying the complaints process by removing requirement to complain to the organisation first, complaints can be made directly to the Privacy Commissioner, and by introducing alternative dispute resolution to more efficiently deal with complaints.