Attorney-General Mark Dreyfus has backed plans to introduce a mandatory data breach notification scheme in Australia.
The scheme was recommended by the Australian Law Reform Commission in 2008. It will require companies to inform the public whenever customers' personal information is compromised.
Former Attorney-General Nicola Roxon introduced a discussion paper on the topic last October, seeking feedback on what should trigger notification, who should be notified and which organisations should be subject to the regime.
Dreyfus said today the Government would engage in a 'small amount' of further talks with key stakeholders before deciding whether to implement such a system.
Speaking today at the launch of the 2012 Privacy Awareness Week, Dreyfus said any government agencies and organisations suffering a data breach should provide timely advice to affected parties.
He said the growing number of breaches reported in the media continued to raise community concerns about the need for a mandatory scheme.
“If there continues to be under-reporting of data breaches, or we continue to find out about them only through media reports, some would argue there is a strong case to move to a mandatory scheme,” he said.
Dreyfus cited a 2012 report by Canberra University's Centre for Internet Safety which found a majority of Australians supported data breach notifications.
"I believe government agencies or companies that suffer a data breach should provide timely advice to those who have or could have had their privacy infringed, and that seems to be the view of many Australians."
He highlighted recent breaches at the likes of the ABC, Telstra, Medvet and Sony PlayStation as cases for a mandatory scheme.
“While I am an optimist, I do not anticipate we have yet seen the end of these types of breaches. Mandatory notification requirements may also act as an incentive for holders of information to secure it,” he said.
“The Government is carefully considering what has emerged from consultation and we’ll engage in a little bit more consultation before deciding which option we’re going to pursue.”
He did not give a timeframe for any potential legislative changes. The Attorney-General's department has been contacted for further comment.
Privacy Commissioner Timothy Pilgrim also called for mandatory notification, warning that attacks like those leading to the recent arrest of Sydney-based alleged LulzSec hacker Matthew Flannery would continue, putting Australians' personal information at risk.
“In 2011/12, the OAIC [Office of the Australian Information Commissioner] received 1357 privacy complaints; that was an increase of 11 percent on the previous year,” he said.
“Not surprisingly, data security was one of the top four reasons for most complaints against the private sector, and featured prominently in the majority of our own investigations.”
In its response to Roxon's October 2012 discussion paper, the OAIC stated that Australia's existing voluntary data breach notification arrangements were insufficient.
The OAIC recommended:
- that notification occur when a breach gives rise to a ‘real risk of serious harm’ to an individual;
- that a ‘catch-all’ test should apply to a range of circumstances; and
- that a notification should include the type of personal information involved in the breach, the context of the information and the breach, the cause and extent of the breach, and the risk of harm.
It also suggested the notification should include an incident description and the organisation’s response to the breach.
Pilgrim said the OAIC should have the power to compel notification and impose civil penalties on those who fail to comply.
The new Privacy Act 2012 will come into effect in March 2014. Changes to the 24-year-old Act include 13 new privacy principles which cover both private and public sectors, called Australian Privacy Principles (APPs).
The APPs replace the existing Information Privacy Principles (IPPs) for the public sector and National Privacy Principles (NPPs) which apply to the private sector.
Additionally, the Privacy Commissioner will benefit from increased powers including the ability to accept enforceable undertakings; seek civil penalties; and conduct performance assessments of privacy performance for government agencies and businesses.
Credit reporting laws will also change under the new Act. New features include: more comprehensive reporting; a simplified complaints process; prohibition on reporting of credit information about children and defaults less than $150; specific rules dealing with pre-screening of credit offers and an individual’s ability to freeze access to credit-related personal information in cases of suspected identity theft/fraud; and civil penalties for breaches of certain provisions.