17 October 2012: The Federal Government has released a discussion paper on mandatory data breach notification laws. Such laws would require organisations to notify consumers and the Government when data breaches occur.
Mandatory breach notification procedures are in place or being considered in a number of other jurisdictions, including the EU, the UK and Ireland, and a number of US states. The discussion paper considers issues including:
- what constitutes a data breach and what should trigger a notification;
- who should be notified, e.g. the Privacy Commissioner and/or affected consumers; and
- what penalties might be appropriate for failing to notify.
In releasing the discussion paper, Attorney General Nicola Roxon stated that:
Australians who transact online rightfully expect their personal information will be protected. More personal information about Australians than ever before is held online, and several high profile data breaches have shown that this information can be susceptible to hackers.
The Australian Privacy Commissioner, Timothy Pilgrim, has welcomed the discussion paper, stating that:
Privacy breach notification is an important issue that needs community debate, and I’m sure there will be a wide range of views expressed on whether this notification should be mandatory. I believe that where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, an individual can take steps to regain control of their identity and personal information by changing passwords or account numbers if they know that a data breach has occurred.
Submissions on the discussion paper will be accepted until 23 November 2012.
A copy of the discussion paper can be found here. You can read the Attorney General’s Department’s media release regarding the paper here, and the statements of the Privacy Commissioner here. For more information on information privacy issues, including data breach notification laws, as they relate to cloud computing, read Nicholls Legal’s Whitepapers Privacy and the Cloud and Data Security in the Cloud.