Last week the ACCC announced that it breached the Privacy Act by allowing personal information to be inadvertently made available online.

It seems they got onto it pretty quickly, no-one really knew it was out there, and little harm was done. That's unlike when the Department of Immigration published the details of people in immigration detention online only a couple of months ago, in which case the consequences of those people's details being leaked were much worse.

Just like businesses with turnover of more than $3 million, Commonwealth government agencies are bound by the Privacy Act.

Currently there is no obligation to notify anyone if you become aware of a data breach, so you can't get in trouble for keeping it a secret. However, you certainly can be done for the breach itself. If you're investigated by the Privacy Commissioner, we doubt he will be impressed if you decide to keep mum when not disclosing the breach makes things worse.

Non-binding guidelines have been published which set out what you should take into account when deciding whether you should fess up. The important question you should ask is whether there is a real risk of serious harm to the individuals affected. If yes, then you should notify. For example, if the leaked info includes enough to allow identity theft, then you should tell people so they can take actions to stop it.

While there is talk of making disclosure of data breaches mandatory, considering the glacial pace of privacy law reform in Australia, we're not getting excited just yet.

We do not disclaim anything about this article. We're quite proud of it really.