25 September 2007

Senator Calls For People To Be Notified Of Interference With Their Privacy

On 16 August, Democrats Senator Natasha Stott-Despoja introduced the Privacy (Data Security Protection Breach Notification) Amendment Bill into the Senate, which proposes to amend the Privacy Act 1988.

The proposed amendment will require all private organisations and Commonwealth Government agencies that are subject to the Act to notify affected individuals whenever their data security has been breached.

The Bill proposes to insert definitions of 'breach of data security' and 'unauthorised party' into the interpretation section 6(1) of the Act.

A data security breach would mean any interference with a person's privacy as provided for in section 13 of the Act. This would include the unauthorised acquisition, transmission, disclosure or use of personal information involving an unauthorised party.

An unauthorised party includes an employee of an agency or organisation who exceeds their authority to access personal information, or who uses personal information for purposes unrelated to their professional duties and outside the scope of authorised use under the Information Privacy Principles.

Notification must occur as soon as possible following detection of the breach, and at no cost to the individual. The agency or organisation responsible for the breach must 'co-operate with the person' whose privacy they have interfered with, including:

  • by providing copies of the information disclosed or suspected of having been disclosed;
  • by providing a description of the data security breach;
  • by advising of known or likely recipients of the information disclosed;
  • by advising of the action taken by the agency or organisation to recover or attempt to recover the information disclosed;
  • by notifying the person of any measures taken to prevent a re-occurrence of the breach.

A register of notifications made or attempted, and of action taken, must be maintained by the responsible agency or organisation.

During her second reading speech, Senator Stott-Despoja explained the impetus for the proposed Bill and raised concerns over the current situation, where organisations and agencies are not compelled to notify someone if their privacy has been breached. This is particularly alarming when reports indicate a growing cost of computer crime and misuse, and evidence suggests that many organisations regularly lose sensitive data.

She also cited:

  • the loss at Melbourne airport of the CD of the report on Private Jake Kovco's death, and the technical failures on the Big Brother website;
  • the Access Card Project, which will result in the creation of a number of databases;
  • the guidelines which the Privacy Commissioner has issued for security breach notification schemes; and
  • the success in the US of similar schemes.

The Senator says the Bill would effectively reduce the risk of possible identity theft and enable people to mitigate the adverse effects of data security breaches. She also argues that the Bill seeks to balance the economic interests of agencies and organisations with their privacy responsibilities and help them protect their brand, reputation and trust through openness and transparency.

While the objects may be honourable, the burden of complying with such a broadly defined obligation would be immense and a corresponding benefit may not be obtained.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
