Australians have overwhelmingly placed their support behind transparency when it comes to security breaches affecting the personal information handed over to public and private sector organisations.
The Office of the Australian Information Commissioner (OAIC) today released the findings of its survey of community attitudes towards privacy, which shows 96 percent of respondents want government agencies and businesses to notify them if their personal information is lost or compromised.
Eighty-five percent said they felt particularly strongly about the need for notification from private sector organisations, and 88 percent felt strongly about notifications from government.
“This is a strong vote in favour of mandatory data breach notification,” Australian privacy commissioner Timothy Pilgrim told attendees at the survey launch.
“On this issue almost all respondents had an opinion, with fewer than one percent stating that they didn’t know.”
To the OAIC’s disappointment, a bill mandating data breach notification in serious instances was one of many which did not make it onto the floor of the Senate before parliament was prorogued in the lead-up to the federal election.
The OAIC has been a long-time supporter of the reform, which it says would help to minimise risk to consumers whilst building trust in the efforts that organisations put into securing their information stores.
“We watched with interest the legislative calendar of the last week of parliament, with hundreds of bills and only so many hours. One moment we were confident that it was going through and then we weren’t,” information commissioner John McMillan said of the tension in the office at the time.
Consequently the bill has now lapsed and will have to be reintroduced if mandatory data breach reporting is to become a reality in Australia.
“It will be interesting to see what the approach of the new government will be,” Pilgrim said.
The coalition government had not yet responded to requests to clarify its position on mandatory data breach notification at the time of publishing.
Even without new legislation, however, the commissioners will receive new and enhanced powers to investigate and even fine organisations for serious and repeated breaches from March 2014, thanks to amendments to the Privacy Act passed by the previous government.
“They will increase our powers to resolve own motion investigations. For example, we will be able to obtain written undertakings from organisations that they will do certain things, and if they don’t comply we will be able to enforce them through the courts,” Pilgrim said.
"In cases of serious or repeated breaches we will have access to civil penalty powers to a maximum $340,000 against an individual and up to $1.7 million against a company."
Currently the OAIC invites voluntary reporting of data breaches from organisations, and says that once mandatory reporting legislation became a distinct possibility it saw the rate of reports rise from about 40 to more than 60 per annum, a trend that Pilgrim endorses.
“If an organisation comes to us voluntarily, then generally our response will be to stand back and let them resolve that issue without us having to enact a more formal approach or undertake an investigation,” he said.
But even if mandatory data breach reporting did make it into Australian law, there is still the very big issue of enforcement to contend with, a point that both commissioners acknowledged.
“In the past few months we have seen a doubling of the complaints numbers coming in to our office. That has had a significant impact on our ability to complete the complaints we have on board.
“There have been staff reductions across the board in government and we have had our fair share of those as well,” Pilgrim said.
“Having a set of laws is one part of the struggle, having the capacity to enforce those laws is the other part,” McMillan added.