There is significant activity on this from various governmental entities.
Progress is slow, but there is progress. The Australian Attorney-General (AG), the Office of the Privacy Commissioner and the Australian Law Reform Commission (ALRC) are all playing a part.
The 2006 inquiry is complete and its recommendations were handed to the AG on May 30th. Unfortunately, they will not be made public until they are tabled in Parliament sometime between mid July and August.
That noted, two key proposals published in interim ALRC papers are bound to be included, perhaps even enhanced. They are: ‘The ALRC proposes that the Privacy Commissioner should have the power to audit personal information held by private sector organisations, to assess compliance with privacy laws’ and ‘The ALRC proposes that individuals be notified where there has been unauthorised access to personal information that could lead to a real risk of harm to any affected individual.’
On 31 August 2007 the Privacy Commissioner, Karen Curtis, released a list of 'essentials' for privacy law reform in Australia, drawn from submissions they made to the ALRC inquiry.
Included is: ‘The Office supports the introduction of compulsory notification of data security breaches in certain circumstances. Such an obligation should be proportional to the severity of the breach.
By notifying people in a timely manner, organisations give people an opportunity to take any necessary steps to protect their personal information’.
As a stepping stone toward compulsory notification, the Office of the Privacy Commissioner released a draft Voluntary Information Security Breach Notification Guide in April this year.
What all this means is that tougher privacy laws are coming. When? Well, sometime in July or maybe August the public will hear the results of the ALRC inquiry.
Based on previous chronology (1976 to 1988), we can expect new legislation around 2020. Let us hope that it doesn’t take that long. The intent being floated by politicians is that there will be amendments this year.
Significant enhancements to Australian privacy legislation are required to protect the privacy of Australians. All indications are that the enhancements are coming. With them will come greater regulation, and in order to comply with these new regulations Australian organisations will need to spend more.
The stick that is regulation forces organisations to take security more seriously.
David Kaplan is the Head Security Architect at earthwave, an Australian IT Managed Security Services provider.