Media release: Privacy Commissioner supports the release of mandatory data breach notification discussion paper
17 October 2012
The Australian Privacy Commissioner, Timothy Pilgrim, has supported the release of the Government’s discussion paper on mandatory privacy breach notification.
‘I’m pleased to see the release of this discussion paper. Privacy breach notification is an important issue that needs community debate, and I’m sure there will be a wide range of views expressed on whether this notification should be mandatory,’ Mr Pilgrim said.
‘Currently there is no legal requirement in Australia for organisations to notify individuals when a privacy breach occurs. However, I believe that where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, an individual can take steps to regain control of their identity and personal information by changing passwords or account numbers if they know that a data breach has occurred,’ Mr Pilgrim said.
Since 2008, organisations have been encouraged to use the Office of the Australian Information Commissioner’s guide on voluntary data breach notification to assess how to handle a privacy breach and when to notify.
‘I would say that there are real business incentives for organisations to notify of a privacy breach. Apart from being good privacy practice, it can also be a way of engendering consumer trust and mitigating against the substantial reputational damage that can result from a data breach,’ Mr Pilgrim said.
In 2011–12, the OAIC received 46 data breach notifications (DBNs), an 18% decrease from the number of DBNs received in 2010–11.
‘This decrease in notifications is difficult to explain, but I have seen reports that suggest we are only being notified of a small percentage of data breaches that are occurring. It is very concerning that many of these incidents may be going unreported and customers are unaware that their personal information may be compromised,’ Mr Pilgrim said.
‘The discussion paper raises some interesting issues that need to be considered. In my view, all organisations must embed a culture that values and respects privacy. I believe that mandatory data breach notification will go some way to achieving this,’ Mr Pilgrim said.
Media contact: Ms Leila Daniels – 0407 663 968 or email@example.com
The OAIC’s Data Breach Notification: A guide to handling personal information security breaches can be accessed here: http://www.oaic.gov.au/publications/guidelines/privacy_guidance/data_breach_notification_guide_april2012.html