On 25 August 2008, the Australian Privacy Commissioner
released a data breach guide for use by businesses, agencies
and non-government organisations in preventing and, if
necessary, responding to a data breach.
Compliance: Compliance with this voluntary
guide is recommended but is not mandatory. In her media
release, Karen Curtis (the Privacy Commissioner) said that
"While the guide is voluntary, it represents good practice
in handling breaches, and I would urge all organisations and
agencies to read it and consider its use".
Personal information security breach: A
personal information security breach occurs when personal
information is subject to loss or unauthorised access, use,
disclosure, copying or modification. The guide states that the
use of the term "personal information security
breach" is consistent with the Privacy Act, which
regulates the handling of personal information. This term is
used in preference to the term "data", which is
generally not used in the Privacy Act.
Examples of personal information security breaches: The guide provided some examples –
- Lost or stolen laptops, removable storage devices or physical files containing personal information
- Paper records inadequately recycled or left in
- Computer hard drives and other storage media being disposed of without erasing contents
- An agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address (including email
- An individual deceiving an agency or organisation into improperly releasing the personal information of another
- Databases containing personal information being "hacked" into or otherwise illegally accessed by individuals outside of the agency or organisation
- Employees accessing personal information outside the requirements of their employment.
4 key steps in responding to a breach: The guide provides that there are 4 key steps to consider when responding to a breach or suspected breach, as follows:
1. Contain the breach and do a preliminary assessment – once an agency or organisation has discovered or suspects that a personal information security breach has occurred, it should take immediate common sense steps to limit the breach.
2. Evaluate the risks associated with the breach – factors to be considered in assessing the risks include identifying what personal information is involved and the context of the information, establishing the cause and extent of the breach, assessing the risk of harm that could result to individuals and identifying what other harms or risks
3. Consider notification – the guide suggests that individuals affected by a breach should be notified where a breach creates a real risk of serious harm to the
4. Prevent future breaches – a prevention plan may include a security audit of both physical and technical security, review of policies and procedures, review of employee selection and training practices and review of service delivery partners (for example, dealers and
Data breach notification: The guide states
that there is no specific requirement in the Privacy Act to
notify individuals when and if a breach has occurred, but
notification in appropriate circumstances is consistent with
good privacy practices. It should also be noted that in its
final report on privacy review "For your information:
Australian Privacy Law and Practice" released on 11 August
2008, the Australian Law Reform Commission has recommended that
mandatory breach notification be introduced into law.
Privacy Awareness Week
The guide was released at the start of the Privacy Awareness
Week (25 – 30 August 2008). The Privacy Commissioner has
also called on business owners and operators to review their
privacy practices and said "Privacy Awareness Week is a
timely reminder for businesses to review their privacy
obligations and to implement good privacy practices".
Deacons is able to assist organisations in providing advice
on your privacy obligations.
The content of this article is intended to provide a
general guide to the subject matter. Specialist advice should
be sought about your specific circumstances.