Mandatory data breach notification still on government's agenda

The government has confirmed it is still planning to legislate a mandatory data breach notification scheme before the end of the year.

The legislation will compel organisations to notify people when their privacy is potentially compromised by a data breach.

The report of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on its data retention inquiry recommended the introduction of a mandatory data breach notification scheme by the end of 2015.

In its response to the report, the government indicated it would move to create such a scheme before the end of the year.

The Department of the Prime Minister and Cabinet's list of legislation proposed for introduction in the 2015 spring sittings did not include a bill to create a mandatory breach notification scheme.

However, a spokesperson for the Attorney-General's Department today confirmed that the government will introduce legislation to create such a scheme this year.

"The government has committed to the introduction of a mandatory data breach notification scheme by the end of 2015 and will consult on draft legislation before it is introduced into parliament," the spokesperson said.

The spokesperson did not give any indication of the timing for a consultation process.

The introduction of data retention made a data breach notification scheme all the more important, privacy advocates argued during the PJCIS inquiry.

"By creating a large repository of personal information, the proposed data retention scheme increases the risk and possible consequences of a data breach. This is because the challenge of effectively securing that information from misuse, interference and loss, and from unauthorised access, modification or disclosure will become more difficult as technology evolves," the then Australian Privacy Commissioner, Timothy Pilgrim, said in his submission to the inquiry.

"For example, the large volume of personal information held by service providers will be an attractive target for people with malicious intent and/or criminal intent. One way to help manage the impact on individuals affected by a data breach involving telecommunications data is to amend the Bill to include a mandatory data breach notification requirement that applies to service providers."

The Office of the Australian Information Commissioner is currently without a Privacy Commissioner, the statutory office responsible for overseeing compliance with the Privacy Act.

Pilgrim has been appointed Acting Information Commissioner. His term as Privacy Commissioner expired last month.

Follow Rohan on Twitter: @rohan_p


Copyright © 2015 IDG Communications, Inc.