By Shamma Iqbal and Fredericka Argent
This month, following an inquiry by the Australian Law Reform Commission (“ALRC”) into the effectiveness of the Australian Privacy Act 1988, the Australian government launched a discussion paper which calls for views from the public on whether a mandatory data breach notification scheme should be introduced in Australia. This scheme refers to a legally-binding obligation to provide notice to the relevant authority and any affected persons where the party in charge of protecting personal information unlawfully or accidentally breaches their security obligations — for example by destruction, loss or unauthorised disclosure of information. The paper recognises the importance of a data breach reporting requirement in light of the increasing amount of personal data held by public and private organizations in Australia, often in electronic form, which are vulnerable to theft and loss.
The paper analyses the pros and cons of introducing a mandatory data breach notification scheme, weighing up arguments such as the onerous costs of compliance and the effectiveness of the current voluntary guidelines issued by the Office of the Australian Information Commissioner (“OAIC”) against the positive effects of a legally-binding scheme, such as:
• Allowing the affected person to mitigate the consequences of the breach;
• Providing an incentive for organizations holding personal information to adequately secure information;
• Enabling data breach incidents to be tracked and information on breaches to be provided in the public interest; and
• Maintaining public confidence in the legislative privacy regime.
The paper also examines data breach notification models for Australia, including an amendment to the Privacy Act 1988 proposed by the ALRC and the voluntary OAIC guidelines. Also analysed are legislative and voluntary models in foreign jurisdictions, such as the legislation presented by President Obama to Congress for the United States in May 2011 and the European Union’s Privacy and Electronic Communications Directive 2009/136/EC.
The discussion paper sets out seven “key questions” for consultation and determination by the Government, as follows: i) whether there should be a mandatory data breach notification law; ii) what the trigger should be for notifying a breach (for example, whether notification should be limited to breaches posing a serious risk of harm); iii) who should be notified about the breach; iv) the content, method and timing of notification; v) the penalty for failing to notify; vi) which entities should be subject to the breach notification requirement; and vii) whether exceptions should be allowed for law enforcement activities.
Submissions on the above seven points are invited and should be submitted by 30 November 2012 to Privacy.Consultation@ag.gov.au.