Pilgrim pushes for data retention breach notices

Telcos and internet service providers should be forced to notify customers of data breaches as part of the Government's proposed two-year metadata retention scheme, according to Privacy Commissioner Timothy Pilgrim.

Pilgrim has long advocated for laws that would force companies to notify customers as well as his office if personal information had been compromised in a data breach.

The Labor party has attempted on a number of occasions to pass legislation to enforce data breach notifications - most recently mid last year - but the bills have been knocked back by the Coalition which argued the bills needed more work in terms of wording and definitions.

The two bills proposed by Labor would have amended the Privacy Act to include provisions governing a "serious data breach" and "notifying [of a] serious data breach", outlining the circumstances in which an entity would have been subject to a serious data breach and how they must then act to address it.

The bills would also have given the Privacy Commissioner powers to seek penalties of up to $340,000 for individuals or $1.7 million for organisations who repeatedly or seriously offend. 

In his submission to the parliamentary committee investigating the Government's data retention bill, published late last week, Pilgrim argued that the bill must include requirements for providers to notify both himself and their customers in the event of a data breach.

"Telecommunications data retained under the scheme is likely to be a target for people with malicious or criminal intent," he wrote.

"In the event of a security breach resulting in unauthorised access to or disclosure of telecommunications data, affected individuals would face increased risks of identity theft, fraud, harassment or embarrassment."

Pilgrim said the telcos and service providers likely to be subject to the scheme were among the top 20 entities most complained about to the Office of the Australian Information Commissioner.

Whilst not providing specific names, Pilgrim pointed to Telstra's 2011 leak of 734,000 customer details and a further leak of the details of 15,775 customers in 2013.

"Australian service providers have experienced significant issues in handling and keeping personal information secure."

He also warned that providers may end up collecting more personal information on their customers than necessary and retaining it longer than needed, meaning telcos and ISPs could end up being forced to handle personal data in a manner inconsistent with their obligations under the Privacy Act.

Pilgrim's submission to the parliamentary inquiry was one of around 130 to be published over the last week.

The majority of the submissions voiced strong dissent to the proposed legislation, which would see ISPs and telcos forced to retain a still-to-be-defined set of user metadata for two years.

Australia's law enforcement agencies continued their push for the scheme, while dozens of privacy, human rights, consumer advocacy and industry groups denounced the proposal as going beyond what was necessary to fight crime.