Information Commissioner strengthens data breach guide

Professor John McMillan, Australian Information Commissioner

Mandatory notification laws yet to come.

The Office of the Australian Information Commissioner (OAIC) has put a spotlight on data breach notification in a revised set of data breach guidelines issued today.

The new, voluntary guidelines update an August 2008 "Guide to handling personal information security breaches", targeted at agencies and organisations storing customers' personal data.

They were renamed "Data breach notification" and launched by Information Commissioner John McMillan as part of Privacy Awareness Week this morning.

McMillan noted that the Government had yet to move on the Australian Law Reform Commission's 2008 recommendation that organisations be legally required to notify customers of data breaches.

But there was "strong support for the notion that the Government must treat data breach notification as a mandatory process", he said.

"Internationally, the tide is moving in this direction."

The latest guide makes a stronger statement about a data breach possibly being a breach of the principles of the Privacy Act, in particular the security requirements of the information privacy principles (IPPs) and national privacy principles (NPPs).

It refers back to those principles by observing that an organisation or agency may be required to notify if notification is seen as a 'reasonable step' to ensure the security of personal information that they hold.

The OAIC also highlighted its intention to publicise information from any of its data breach investigations, including those voluntarily instigated by the organisations involved and those instigated by complaints.

In recent months, the Office has reported on own-motion investigations into some breaches such as the Vodafone breach and at least one Telstra breach.

Privacy Commissioner Timothy Pilgrim said the OAIC had undertaken 59 own-motion investigations that were instigated by third-party complaints in the past financial year.

But he said the number of own-motion investigations had fallen this financial year as organisations more proactively notified the OAIC of potential breaches.

Upping the ante

The basic four-step process set out in the previous guide remains the core of the new edition:

  • Step 1: Contain the breach and do a preliminary assessment
  • Step 2: Evaluate the risks associated with the breach
  • Step 3: Notification
  • Step 4: Prevent future breaches

Malcolm Crompton, managing director of Information Integrity Solutions and former Australian privacy commissioner, welcomed the new guidelines.

In the absence of mandatory data breach legislation, Crompton said the guidelines were a way of "upping the ante".

"While more guidance is provided, I would describe it as more detailed and more helpful rather than more 'prescriptive'," Crompton told iTnews.

"There are some interesting changes in tone," he said. "For example, the latest guide now talks in terms of 'The OAIC strongly encourages agencies and organisations to report serious data breaches to the OAIC'."

Delegates at the OAIC's launch of the data breach guidelines this morning viewed the document as an indication of how an Australian mandatory data breach notification scheme might be structured.

Pilgrim agreed with concerns raised by representatives of the ANZ bank and Woolworths that customers may suffer from "notification fatigue" if they were to be notified of every potential breach, regardless of severity.

"One of the things the guide tries to do is give guidance on when you should notify and when you shouldn't," he said.

"If you take a pure black-and-white approach, if you have a customer relations officer sitting there with access to people's accounts, they type in one wrong number and they bring up the wrong person.

"They look at it quickly, realise that they've got the wrong person and they log out, but technically that's a breach. Should we immediately contact the individual?

"Many of us here would say no as long as you can demonstrate that nothing has happened that's going to adversely affect the individual."
