The Australian Commonwealth Government published - on 17 October 2012 - a discussion paper entitled 'Australian Privacy Breach Notification' requesting public comment on the introduction of mandatory data breach notification requirements. The consultation is in response to the Australian Privacy Law and Practice Report 108, published in May 2008, in which the Australian Law Reform Commission (ALRC) recommended, among other things, that the Privacy Act be amended to include data breach notification requirements.

Attorney-General for Australia, Nicola Roxon, said: "We are providing more personal information than ever before to government agencies and companies, both in Australia and overseas and this information is susceptible to hackers and other types of security breaches. It is therefore timely to consider whether our existing privacy framework is adequate in encouraging entities to take the rights in the event of a data breach, and in allowing individuals to mitigate the adverse effects of such a breach".

The key question posed is whether a mandatory data breach notification scheme is necessary in Australia. However the paper also asks for public comment on what ought to be the triggers for breach notification, timeframe and methods for notification, who should decide whether to notify, and if there should be any penalties for failing to notify.

Currently, there is no mandatory breach notification requirement in Australia, except in limited circumstances such as breach of patient information under the Personally Controlled Electronic Health Records Act 2012. However, a guide published by the Office of the Australian Information Commission (OAIC) and revised in 2011, recommends organisations practice voluntary data breach notification.

Timothy Pilgrim, Privacy Commissioner for Australia, supported the discussion paper, stating: "There are real business incentives for organisations to notify of a privacy breach. Apart from being good privacy practice, it can also be a way of engendering consumer trust and mitigating against the substantial reputational damage that can result from a data breach. […] In my view, all organisations must embed a culture that values and respects privacy. I believe that mandatory data breach notification will go some way to achieving this".

The public consultation will end on 23 November 2012.

EU: BCR Webinar: Top 5 takeaways

EU: Soundbites from the EU Parliament seminar on the data reform

EU: WP29 clarifies DPAs' expectations of BSPRs

EU: 'Three possible dates' put forward for the LIBE vote on data proposals

USA: Data brokers urged to review privacy practices after FTC warnings

USA: NLRB: blanket confidentiality rule during employee investigations 'invalid'

China: MIIT draft rules expand telecoms & IISP obligations

Singapore: Personal Data Protection Commission to launch May 2013

Australia, OAIC: Data security 'critical' to meet upcoming requirements

USA: Commerce Committee criticises industry failure to adopt DNT

USA: SEC and CFTC issue Red Flag Rules for financial institutions and creditors