The decision to notify customers after a data breach should be largely left to affected businesses, Federal Privacy Commissioner Timothy Pilgrim says.
In a submission to the Attorney General's Department, Pilgrim said the need to notify victims of data breaches should be determined according to the severity of the breach.
But the Office of the Australian Information Commissioner (OAIC) would retain the teeth to compel businesses to inform victims, Pilgrim wrote in the submission.
"Both the OAIC and, where appropriate to the circumstances, the affected individuals should be notified about a breach; the decision as to whether to notify should be made by the entity concerned, but the Commissioners of the OAIC should have the power to compel notification," he wrote.
Data breaches ranged in severity from merely failing to conceal personal email addresses in electronic newsletters to losing scores of credit cards and personal data.
Pilgrim said severity should be distinguished by an "appropriate test" which would gauge "real risk of serious harm to an individual".
"There should be a catch-all test that is able to apply to a range of circumstances, rather than a prescriptive test. [This should] include the type of personal information involved in the breach, the context of the affected information and the breach, the cause and extent of the breach and the risk of harm to the affected individuals."
Factors influencing whether an organisation should report a breach included whether the compromised data had reached a legitimate recipient or a malicious attacker, and the level of harm caused, ranging from identity theft and financial loss to risk to physical safety.
Pilgrim said mandatory data breach notification would be vital should the government push ahead with proposed plans to retain telco subscriber data for two years.
"In the event that the proposed data retention policy is implemented, the OAIC reiterates its view that a mandatory data breach notification scheme should be implemented as part of the measures to protect the large volumes of personal information that would be required to be stored by telecommunications carriers and carriage service providers."
Data breach notification was part of the federal Australian Privacy Principles (APP) which would replace the ageing National Privacy Principles (NPP) that govern the private sector and the Information Privacy Principles (IPP) covering government.
The notification reforms were first recommended by the Australian Law Reform Commission in 2008 and are already in place in the US and Europe.
Pilgrim told SC in May the reforms could see small-scale offenders taken to court and fined up to $22,000 for individuals, and $110,000 for organisations. Repeat and serious offenders faced financial penalties of up to $220,000 for individuals or $1.1 million for organisations.
Ultimately, he said, financial penalties would be a civil matter and should be scalable so that they would serve as a deterrent to cashed-up big business.
"Without notification, individuals affected by serious data breaches are unable to take mitigating steps – steps which only they may be able to take, for example cancelling credit cards or requesting a new Medicare number – to protect their personal information," Pilgrim said.
The OAIC received only 46 data breach notifications in the 2011-12 financial year, down 18 per cent on the previous year.