Mandatory data breach notification back on government agenda

The Privacy Amendment (Privacy Alerts) Bill is back on the government agenda after it had a first reading in the Senate this week.

The Bill lapsed in 2013 after a second reading in parliament was delayed during June and the Coalition government was elected into office.

If passed by the Coalition, the bill will require government agencies and businesses to notify customers of serious data breaches in relation to personal, credit reporting, credit eligibility or tax file number information.

• ADMA critical of plans for compulsory data breach notification
• ACCAN goes into bat for mandatory data breach notification
• Comms Alliance expresses concerns with mandatory data breach notification

The 2014 version of the Bill includes the Australian Privacy Principles (APPs) which were passed into law on 12 March this year.

If the Bill is passed, Australian Privacy Commissioner Timothy Pilgrim would have the power to investigate data breaches. This means if he finds there has been a serious data breach in relation to personal information, credit reporting information, credit eligibility or tax file number, the Commissioner could ask the company or government agency to prepare a statement explaining what happened.

The statement would need to include information such as a description of the breach and recommendations about steps affected customers or clients should take.

Australian Information Security Association (AISA) Queensland branch chair Lani Refiti told Computerworld Australia that organisations need to be “held more accountable” for the data they hold, particularly when it’s not their data.

“We would have much better visibility into the current state of information security in Australia if we had mandatory breach notification,” he said.

“It's not a panacea, compliance and regulatory requirements never are but they would be a step in the right direction. Also, it [the bill] needs careful public consultation as was done with the Privacy Bill amendments.”

In June 2013, a Senate Standing Committee on Legal and Constitutional Affairs recommended the bill should be passed, stating that mandatory data breach notifications would benefit both Australian consumers and industry stakeholders.

In October 2013, Australian Privacy Commissioner Timothy Pilgrim said that while it was a decision for the Coalition government as to whether they would reintroduce the new legislation, he was supportive of it becoming law.

“I will be putting to government that I think it is an important piece of legislation,” he said. “It’s something that needs to be given strong consideration for reintroduction.”

Timothy Pilgrim has been contacted for comment by Computerworld Australia.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia