Information Commissioner strengthens data breach guide

Mandatory notification laws yet to come.

The Office of the Australian Information Commissioner (OAIC) has put a spotlight on data breach notification in a revised set of data breach guidelines issued today.

The new, voluntary guidelines update an August 2008 "Guide to handling personal information security breaches", targeted at agencies and organisations storing customers' personal data.

They were renamed "Data breach notification" and launched by Information Commissioner John McMillan as part of Privacy Awareness Week this morning.

McMillan noted that the Government had yet to move on the Australian Law Reform Commission's 2008 recommendation that organisations be legally required to notify customers of data breaches.

But there was "strong support for the notion that the Government must treat data breach notification as a mandatory process", he said.

"Internationally, the tide is moving in this direction."

The latest guide makes a stronger statement about a data breach possibly being a breach of the principles of the Privacy Act, in particular the security requirements of the information privacy principles (IPPs) and national privacy principles (NPPs).

It refers back to those principles by observing that an organisation or agency may be required to notify if notification is seen as a 'reasonable step' to ensure the security of personal information that they hold.

The OAIC also highlighted its intention to publicise information from any of its data breach investigations, including those voluntarily instigated by the organisations involved and those instigated by complaints.

In recent months, the Office has reported on own-motion investigations into some breaches such as the Vodafone breach and at least one Telstra breach.

Privacy Commissioner Timothy Pilgrim said the OAIC had undertaken 59 own-motion investigations that were instigated by third-party complaints in the past financial year.

But he said the number of own-motion investigations had fallen this financial year as organisations more proactively notified the OAIC of potential breaches.

Upping the ante

The basic four-step process set out in the previous guide remains the core of the new edition:

• Step 1: Contain the breach and do a preliminary assessment
• Step 2: Evaluate the risks associated with the breach
• Step 3: Notification
• Step 4: Prevent future breaches

Malcolm Crompton, managing director of Information Integrity Solutions and former Australian privacy commissioner, welcomed the new guidelines.

In the absence of mandatory data breach legislation, Compton said the guidelines were a way of "upping the ante".

"While more guidance is provided, I would describe it as more detailed and more helpful rather than more 'prescriptive'," Compton told iTnews.

"There are some interesting changes in tone," he said. "For example, the latest guide now talks in terms of 'The OAIC strongly encourages agencies and organisations to report serious data breaches to the OAIC'."

Delegates at the OAIC's launch of the data breach guidelines this morning viewed the document as an indication of how an Australian mandatory data breach notification scheme might be structured.

Pilgrim agreed with concerns raised by representatives of the ANZ bank and Woolworths that customers may suffer from "notification fatigue" if they were to be notified of every potential breach, regardless of severity.

"One of the things the guide tries to do is give guidance on when you should notify and when you shouldn't," he said.

"If you take a pure black-and-white approach, if you have a customer relations officer sitting there with access to people's accounts, they type in one wrong number and they bring up the wrong person.

"They look at it quickly, realise that they've got the wrong person and they log out, but technically that's a breach. Should we immediately contact the individual?

"Many of us here would say no as long as you can demonstrate that nothing has happened that's going to adversely affect the individual."