Australian organisations that lose sensitive customer data through hacking or privacy gaffes could face fines of up to $1.1 million under proposed reforms to the Privacy Act.
The Federal Privacy Commissioner can currently push for agreed determinations but lacks the power to enforce penalties on offending organisations.
If passed, the legislation would give the Commissioner new teeth to impose financial penalties against individuals and organisations.
"I could for instance identify flaws in security systems and require organisations to patch those flaws or adopt a stronger security system," Privacy Commissioner Timothy Pilgrim told CRN sister site SC Magazine.
Under the proposed legislation small-scale offenders could be taken to court and fined up to $22,000 for individuals, and $110,000 for organisations.
Repeat and serious offenders face financial penalties of up to $220,000 for individuals or $1.1 million for organisations.
The Privacy Commissioner would consult with industry on what constitutes an offence during the nine months after the Bill passes into law.
The Bill (Privacy Amendment (Enhancing Privacy Protection) Bill 2012) would replace the ageing National Privacy Principles (NPP) governing the private sector and the Information Privacy Principles (IPP) covering government with a single federal framework, the Australian Privacy Principles (APP).
It would not replace state privacy laws.
Data breach disclosure reforms were first recommended by the Australian Law Reform Commission in 2008 and are already in place in the US and Europe.
The reforms would also respond to concerns from security experts over the lack of guidelines regarding the handling of biometric data.
Organisations would be required under the Privacy Act to implement minimum security arrangements to collect, store and disseminate biometric data.
The dissemination of biometric data, such as fingerprint and iris scans, would still be allowed for the purposes of law enforcement.
The Biometrics Institute in March revoked a series of voluntary privacy principles for the handling of biometric data ahead of the Privacy Act reforms.
Other reforms under the Bill include:
The reforms also covered credit reporting arrangements, including:
Copyright © SC Magazine, Australia
Issue: 347 | March 2016