Privacy Commissioner to look favourably on voluntary breach notifications

Privacy Commissioner Timothy Pilgrim has promised members of the business community who proactively notify his office about a data breach are more likely to receive a favourable reception than those who don't.

Privacy Commissioner Timothy Pilgrim

"Notification of a privacy breach may not stop us from commencing an investigation if we feel it is necessary and appropriate in the circumstances," Pilgrim told attendees at this morning's Privacy Awareness Week launch.

"But the early notification of a data breach will be taken into account when considering whether additional regulatory action is necessary."

Such was the case in 2011, when the ANZ bank came to realise a security hole gave unauthorised users the ability to access customer statements, despite the user having logged out of their account on a specific computer.

The backlash from the public was quick, the Privacy Commissioner said, but was softened by the fact that ANZ had wasted no time getting on the phone to Pilgrim himself.

"ANZ contacted me personally one evening and outlined what had happened, the steps they were taking to deal with it, and to identify what happened," he told iTnews.

"When the news broke in the media some 24 hours later, I was able to say I was across the incident."

By keeping the OAIC in the loop, the ANZ also avoided a formal investigation by the regulator.

"But if an organisation doesn't tell us about a breach and we find out about it through the media, we will have to start an investigation because we don't have the background information that we need," Pilgrim said.

While the rate of voluntary notifications coming into his office is on the increase, the Commissioner said he suspected "we receive only a small fraction of those that actually take place".

Pilgrim said the OAIC would not "jump straight into" using its new powers, which allow it to fine business entities and agencies up to $1.7 million if they are found to have unlawfully disclosed personal information of customers.

"We see the next 12 months as a period of consolidation, for all of us to bed down the reforms," he said.

The Office would be more likely to err on the side of written enforceable undertakings in any case that action is warranted against an entity, he said.

"If an organisation pledges to us that they are going to introduce a new security system by a certain time and they haven't done that in a way that we have agreed, we will be able to take them to court," Pilgrim said.