Australian Commissioner: Privacy guidelines needed

The Australian Privacy Commissioner, Karen Curtis, has called for feedback from businesses, organisations, government agencies and the public on a draft Voluntary Information Security Breach Notification Guide.

Curtis said while agencies and organisations are required to safeguard the personal information they hold, unfortunately and despite their best efforts, sometimes an information security breach occurs.

"Not all breaches result from malicious, intentional behaviour such as computer hacking for example - they can occur because of human error, from a failure to follow established protocols, or from information going missing,” she said.

According to Curtis, recognising that this is the current reality of the modern information handling environment, the Guide aims not only to assist agencies and organisations to minimise the possibility of a breach occurring, but also to prepare for and respond effectively to any breaches if and when they do occur.

Curtis claimed at present there are no specific requirements under the Privacy Act for agencies and organisations to notify individuals of an information security breach. However, a proposal to make notification of information security breaches mandatory is being considered by the Australian Law Reform Commission in its Review of Privacy.

"The development of a voluntary guide offers a timely opportunity for stakeholders to comment on this important issue and we look forward to hearing their views," she said.

The draft Guide draws upon voluntary guidelines developed by the Privacy
Commissioners of Canada and New Zealand. Submissions on the draft Guide should be received by 16 June 2008, said Curtis.

Details of the consultation process can be viewed at www.privacy.gov.au