
Launch of Data Breach Notification Guide

Presentation by Prof. John McMillan, Australian Information Commissioner, at OAIC's Privacy Awareness Week corporate breakfast, Sydney, 30 April 2012

It is an excellent start to Privacy Awareness Week 2012 that over 180 people from business organisations, legal firms, civil sector bodies, the media and Commonwealth and State government agencies have come to this opening breakfast function. I would like to mark this special annual privacy awareness event by launching the 2012 edition of Data breach notification: a guide for handling personal information security breaches, published by the Office of the Australian Information Commissioner.

Data breaches can occur in many ways. It may be a lost or stolen laptop or portable storage device, a misplaced file, a database being ‘hacked’ into, or a staff member mistakenly providing information to the wrong person – the classic mail room error that catapults a respectable organisation and its Chief Executive Officer onto the front page of the newspaper.

The ways in which personal information can be compromised are numerous. It will usually be unexpected, and very likely be inadvertent.

But the response to the data breach must be very different: it must be deliberate and systematic. The quality and effectiveness of the response can rank in importance alongside the gravity of the data breach.

How to respond is the theme of this opening breakfast for Privacy Awareness Week. We approach this issue in an Australian context where data breach notification is not a mandatory obligation applying generally to government and business, though the Australian Law Reform Commission recommended in 2008 that it should be a mandatory element of the Privacy Act 1988.

Legal obligation aside, there is strong support for the notion that government and business should treat data breach notification as an obligatory privacy practice.    

eBay and the Centre for Internet Safety will today release a survey which found that 85% of the 700 eBay customers surveyed want a practice of mandatory data breach notification.

Internationally the tide is moving in this direction, notably in Europe, the United States and the United Kingdom.

A proposed new European Union data protection law released in January this year will require organisations to reveal data breaches within 24 hours. This law is due for ratification by member states in 2014 or 2015. It has also been proposed in the EU that businesses be fined five per cent of their global turnover for data breaches.

European Commission Vice-President and Justice Commissioner, Viviane Reding, has foreshadowed that these new laws could give European technology companies a competitive edge, as personal data, in her words, is “the currency of today’s digital market, and, like any currency, it needs stability and trust”.

In the United States, State Security Breach Notification Laws are in place in forty-six states; organisations must also notify the US Federal Trade Commission within 60 days if personal information is compromised during a security breach; the notification must list the individuals responsible for the breach.[1] The legal obligations extend to notifying those whose personal information is compromised. Failure to do so renders an organisation liable for a fine that can peak at US$5 million.

In the UK, internet and telecommunications service providers must disclose when they experience a breach and, as mentioned previously, the EU wants to extend this requirement to all businesses. The UK Information Commissioner's Office is able to impose penalties of up to £500,000 on organisations that breach its Data Protection Principles.

The Australian Government is aware of these developments, and I expect that the adequacy of Australia’s legal framework for data breach notification will continue to be keenly considered. The OAIC thought that we can best highlight the importance of the issue by revising, updating, strengthening and relaunching a guide that was first developed in 2008 to assist agencies and organisations to respond to data breaches.

May I now formally launch the 2012 edition, retitled: Data breach notification: A guide to handling personal information security breaches. The central purpose of the Guide is to urge organisations that hold personal information to voluntarily put in place reasonable measures to deal with data breaches – in effect, to make it an obligatory feature of their own internal privacy management practice.

The Guide outlines four steps to consider when responding to a breach or suspected breach and also outlines preventative measures that should be taken as part of a comprehensive information security plan. One of the prescribed principles is to notify affected individuals and the OAIC of the data breach. The Guide contains a helpful flowchart that outlines the data breach notification steps an organisation should take.

I commend the Guide to you. If the steps in the Guide are followed this can make a material contribution to better privacy practice in Australia.


[1] See: May 12 White House letter