Data breach disclosure, new guidelines to help Australian businesses

By Negar Salek
14 February 2008 07:05AM
Tags: data | breach | privacy | commissioner | law | disclosure

A data breach notification guideline to assist businesses and government agencies in the case of a significant data breach is currently in development, the Office of the Privacy Commissioner (OPC) has announced.

The guide, a response to growing public sentiment on the subject, will provide best practices and advice on voluntary data breach disclosure.

“[The guide] is actually in response to requests, particularly from Commonwealth agencies but also from the private sector,” said Andrew Hayne, acting director of Policy at the OPC in his keynote speech at the SecurityPoint 2008 conference in Sydney today.

“It will explain when they should tell us about a notification and when they should go to the expense and trouble of telling consumers.”

The Australian Law Reform Commission (ALRC) is yet to announce its rulings regarding the Privacy Commissioner, Karen Curtis’s December 2007 submission urging a review of the Privacy Act.

Early indicators suggest that mandatory disclosure laws will, at the very least, soon be a reality in Australia; the extent of those laws is what concerns Hayne.

“The ALRC has supported the idea of data breach notification requirement, however, in our Office’s view, it’s the detail of how such a requirement should neither impose an unreasonable burden on agencies and organisations nor result in unnecessary or alarmist notifications to individuals,” he said.

According to Hayne, a requirement to notify significant data breaches would also encourage organisations and agencies to take adequate steps in the first place to ensure information is secure.

Australian and ACT government agencies are bound by the Privacy Act, as are private sector organisations with a turnover exceeding $3 million.

All health service providers, credit providers and tax file number recipients are also covered. Small and medium businesses are covered only under certain conditions.

These draft guidelines will be available for consultation in the near future.

Comments: 1
In the US we often take a knee-jerk approach to notifying people about data security incidents (http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html). Our enterprises therefore issue a bunch of confusing and unnecessary data security breach notices (http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html). It is hard for US consumers to tell the difference between an important notification and a meaningless one. Australia's draft voluntary guidelines therefore deserve praise. They are more intelligent than the typical US approach. They advise a dataholder to evaluate the true impact of a putative data security breach as part of the decision whether to send a notice and what to say in the notice if it is sent. --Ben

Posted by Ben, Apr 17, 2008 10:17 AM