Data breach disclosure, new guidelines to help Australian businesses

A data breach notification guideline to assist businesses and government agencies in the case of a significant data breach is currently in development, the Office of the Privacy Commissioner (OPC) has announced.

The guide, a response to growing public sentiment surrounding the subject, will provide best practices and advice surrounding voluntary data breach disclosure.

“[The guide] is actually in response to requests, particularly from Commonwealth agencies but also from the private sector,” said Andrew Hayne, acting director of Policy at the OPC in his keynote speech at the SecurityPoint 2008 conference in Sydney today.

“It will explain when they should tell us about a notification and when they should go to the expense and trouble of telling consumers.”

The Australian Law Reform Commission (ALRC) is yet to announce its rulings regarding the Privacy Commissioner, Karen Curtis’s December 2007 submission urging a review of the Privacy Act.

Early indicators suggest that at the very least mandatory disclosure laws will soon be a reality in Australia, to what extent is a concern for Hayne.

“The ALRC has supported the idea of data breach notification requirement, however, in our Office’s view, it’s the detail of how such a requirement should neither impose an unreasonable burden on agencies and organisations nor result in unnecessary or alarmist notfications to individuals,” he said.

According to Hayne, a requirement to notify significant data breaches would also encourage organisations and agencies to take adequate steps in the first place to ensure information is secure.

Australian and ACT government agencies are compelled by the Privacy Act as well as those in the private sector with a turnover exceeding $3 million.

All health services, credit providers and Tax file number recipients are also obliged. SMBs are conditional.

These draft guidelines will be available for consultation in the near future.