The discussion paper considers the rationale for mandatory data breach notification laws and a range of data breach notification regimes that have been proposed or legislated in Australia and other jurisdictions.
The Commonwealth Attorney-General, Nicola Roxon, released a discussion paper on 17 October 2012 seeking views on whether a mandatory data breach notification law should be introduced in Australia and, if so, how it should be framed.
The discussion paper was prepared as part of the Government's second stage of responding to the Australian Law Reform Commission's (ALRC) 2008 report on the effectiveness of Australia's privacy laws. It follows the introduction of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 into Parliament in May 2012 to implement the Government's first stage response. Specifically, submissions on the issues raised in the discussion paper will inform the Government's response to the ALRC's recommendation that a data breach notification requirement should be introduced into the Privacy Act.
The discussion paper considers the rationale for mandatory data breach notification laws and a range of data breach notification regimes that have been proposed or legislated in Australia and other jurisdictions. It poses a number of questions regarding a possible mandatory data breach notification law.
Should Australia introduce a mandatory data breach notification law?
Agencies and organisations are required under the Privacy Act to take reasonable steps to protect the data they hold from misuse and loss and from unauthorised access, modification. However, there is no specific requirement to notify the Office of the Australian Information Commissioner (OAIC) or anyone else if there is a breach in data security.
The OAIC takes the view that the "reasonable steps" required to protect data may include notifying affected individuals and the OAIC so that steps can be taken to mitigate the harm caused by a data breach. The OAIC has a guide to handling information security breaches which encourages agencies and businesses to voluntarily put in place reasonable measures to deal with data breaches (including notification of affected individuals and the OAIC). Forty-six data breaches were reported to the OAIC in the 2011/2012 year, down from 56 notifications in the 2010/2011 year. However, according to the OAIC, it is only being notified of a small percentage of data breaches that are occurring and in many cases individuals may be unaware that their personal information may be compromised.
Agencies and businesses may also be subject to contractual obligations to notify affected individuals of data breaches and in some circumstances may owe a duty of care to individuals to notify them of breaches so that they can protect against the misuse of their data.
Mandatory data breach notification regimes are in place or being considered in a number of foreign jurisdictions, including the United States, the European Union and the United Kingdom. The discussion paper asks whether the current voluntary data breach notification arrangements in Australia are sufficient or should the Government introduce a mandatory data breach notification law.
Which breaches should be reported?
The ALRC test, also adopted in the OAIC guide, is a cover-all test which uses "a real risk of serious harm" as the trigger for notification. The discussion paper considers a range of cover-all tests, as well as specific trigger approaches, and asks what should be the appropriate test to determine the trigger for notification.
Who should decide on whether to notify?
The discussion paper asks who should be notified about a breach (ie. either the OAIC or the affected individuals, or both) and who should be responsible for deciding whether or not notification to affected persons is required. A key issue here is the extent to which the OAIC should be involved in the decision-making process. The ALRC recommended that the agency or business should be the primary decision-maker but that the OAIC should have oversight and be able to require notification in relation to the most serious breaches.
What should be reported (content and method of notification) and in what time-frame?
The issues here are:
- what should be the form or medium in which a data breach notification is provided;
- should there be a set time limit for notification or a test based on notifying as soon as practicable or reasonable; and
- what should be the content of the notification?
What should be the penalty for failing to notify when required to do so?
The ALRC recommended the use of a civil penalty regime to encourage compliance with the notification requirement. Importantly, the penalty would be to encourage the notification, not to penalise for the security breach itself.
The discussion paper asks whether there should be a penalty or sanction for failure to notify. What should the penalty or sanction be and what is the appropriate level of that penalty or sanction?
Who should be subject to a mandatory data breach notification law?
While the ALRC recommended that all entities subject to the Privacy Act should be subject to the mandatory data breach notification law (ie. Commonwealth public agencies and large private sector organisations), different approaches have been followed internationally.
For example, the existing EU data breach notification requirements apply only to electronic communications providers, but there is a proposal to extend these requirements to all of the private sector. Only some European countries have extended their data breach notification requirements to the public sector.
Should there be an exception for law enforcement activities?
Notification of a data breach by an agency could compromise its law enforcement activities in some cases. The discussion paper asks whether there should be an exception for law enforcement activities and whether it should be a specific exception or part of a wider public interest exception.
What happens next?
Submissions on the questions raised in the discussion paper (and any other comments on the proposal for a new mandatory data breach notification law) must be received by Friday 23 November 2012.