Summary

  • Despite the Office of the Australian Information Commissioner (OAIC) recently updating its best practice guide on data breach notification, the government is now looking at whether to make it mandatory to notify the Commissioner, affected individuals and others.
  • The new Discussion Paper picks up on a recommendation by the Australian Law Reform Commission in 2008 regarding the introduction of mandatory data breach notification.
  • Data breach incidents and costs are on the rise, including incidents resulting from hacking, system errors, theft and accidents.
  • The Discussion Paper seeks feedback by 23 November 2012 on whether a mandatory scheme is needed, and the triggers for notification, involvement of the OAIC, content and timing of notifications, penalties and exceptions.

Introduction

On 17 October 2012 the Australian Government released its Discussion Paper, Australian Privacy Breach Notification.

The seemingly exponential growth in the electronic, networked and portable storage of sensitive data in recent years has seen an increase in high-profile data security breach incidents involving major corporations and government bodies. The cost of these breaches also appears to be on the rise, with a benchmarking study finding the average cost to affected Australian organisations per compromised data record (there are often hundreds or thousands) increasing from $128 to $138 between 2010 and 2011.

The Office of the Australian Information Commissioner (OAIC) currently receives notifications of data breaches on a voluntary basis. The 46 notifications it received in the 2011/12 year included incidents involving hacking, system errors, failure to use the ‘bcc’ field when sending mass emails and theft of hard copy records.[3]

Regulators and legislatures around the world have been responding to this environment with the introduction of laws and guidelines dealing with notification of what are variously called ‘data breaches’, ‘security breaches’ and ‘privacy breaches’. The Discussion Paper includes a survey of some of the laws and guidelines in the US, EU, New Zealand and Canada, as well as the OAIC’s recently updated Data Breach Notification Guide (OAIC Guide), on which we have commented previously.[4]

Questions for consultation

The key questions for consultation set out in the Discussion Paper include:

Should Australia introduce a mandatory data breach notification law?

One issue here is whether the current arrangements including the OAIC Guide are sufficient.

Which breaches should be reported? Triggers for notification

The OAIC Guide recommends a ‘real risk of serious harm’ as the ‘trigger’ for notification; however, a range of alternative approaches are canvassed, including tests based on the number of affected individuals and the type of information involved.

Who should decide on whether to notify?

A data breach notification law could require notification to the OAIC, affected individuals or both. Notifying other relevant bodies such as police and financial institutions could also be required. A further issue here is whether the OAIC should be involved in any decision to notify individuals and third parties.

What should be reported (content and method of notification), and in what time frame?

Issues here include whether to specify:

  • a particular form or communications medium or to allow flexibility, and
  • a fixed time limit or have some sort of ‘as soon as practicable’ requirement.

What should be the penalty for failing to notify when required to do so?

Considerations here include whether to follow the new Privacy Act enforcement regime, and whether penalties should be on a per incident, per record and/or per day basis.

Who should be subject to a mandatory data breach notification law?

The Australian Law Reform Commission (ALRC) recommends that all entities subject to the Privacy Act should be subject to the new law, but different approaches in other jurisdictions are commented on in the Discussion Paper, including a US proposal which would apply to business entities only and an EU directive which only applies to electronic communications providers.

Should there be an exception for law enforcement activities?

This could be done through a specific exception or by application of a broader public interest test.

Context: broader privacy reform

The Discussion Paper is part of the government’s response to the ALRC’s 2008 report on privacy law, For Your Information: Australian Privacy Law and Practice.[5] The government initially responded to 195 of the ALRC report’s 295 recommendations in 2009,[6] indicating that the remainder of the recommendations would be addressed following work on the initial reforms. Many of the initial recommendations are dealt with in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012,[7] which was passed by the House of Representatives last month, but which now appears likely to be amended by the Senate.[8]

The issue of data breach notification was one of the government’s so-called ‘second stage’ privacy reforms, as was a statutory cause of action for serious invasions of privacy, on which an Issues Paper was released last year.[9] Activity on these two issues before the ‘first stage’ reforms are complete raises the question of whether consideration will soon turn to other second stage issues such as the exemptions for small business, employee records and media, telecommunications privacy and the use of authorised representatives. A question also remains as to whether the government still intends to make further reforms in relation to health privacy. This was announced as part of the ‘first stage’ of reforms, but has not been substantially addressed in the Privacy Amendment (Enhancing Privacy Protection) Bill.

Submissions

Submissions on the Discussion Paper are due by 23 November 2012.