The Australian Commonwealth Government published - on 17 October 2012 - a discussion paper entitled 'Australian Privacy Breach Notification' requesting public comment on the introduction of mandatory data breach notification requirements. The consultation is in response to the Australian Privacy Law and Practice Report 108, published in May 2008, in which the Australian Law Reform Commission (ALRC) recommended, among other things, that the Privacy Act be amended to include data breach notification requirements.
Attorney-General for Australia, Nicola Roxon, said: "We are providing more personal information than ever before to government agencies and companies, both in Australia and overseas and this information is susceptible to hackers and other types of security breaches. It is therefore timely to consider whether our existing privacy framework is adequate in encouraging entities to take the rights in the event of a data breach, and in allowing individuals to mitigate the adverse effects of such a breach".
© 2013 Cecile Park Publishing Ltd. All rights reserved
The key question posed is whether a mandatory data breach notification scheme is necessary in Australia. However, the paper also asks for public comment on what ought to be the triggers for breach notification, the timeframe and methods for notification, who should decide whether to notify, and whether there should be any penalties for failing to notify.
Currently, there is no mandatory breach notification requirement in Australia, except in limited circumstances such as a breach of patient information under the Personally Controlled Electronic Health Records Act 2012. However, a guide published by the Office of the Australian Information Commission (OAIC), and revised in 2011, recommends that organisations practise voluntary data breach notification.
Timothy Pilgrim, Privacy Commissioner for Australia, supported the discussion paper, stating: "There are real business incentives for organisations to notify of a privacy breach. Apart from being good privacy practice, it can also be a way of engendering consumer trust and mitigating against the substantial reputational damage that can result from a data breach. […] In my view, all organisations must embed a culture that values and respects privacy. I believe that mandatory data breach notification will go some way to achieving this".
The public consultation will end on 23 November 2012.