Australia 'must overhaul data disclosure mess'

Australia 'must overhaul data disclosure mess'

Summary: The Australian Law Reform Commission has given the thumbs up to the introduction of data breach disclosure laws in Australia, which would put it in line with current US and European legislation.

TOPICS: Privacy, Security

The Australian Law Reform Commission (ALRC) has given the thumbs up to the introduction of data breach disclosure laws in Australia, which would put it in line with current US and European legislation.

The ALRC has proposed a major shake-up of current privacy laws, including data breach disclosure laws, which it hopes will simplify complex and overlapping state and Commonwealth privacy legislation, including the Commonwealth Privacy Act 1988, which has not been reviewed for 20 years.

Professor David Weisbrot, ALRC President, said: "That's not normal. When you think about sedition laws, that took three to four [hundred], 500 years to review. [However] when Michael Kirby and the other commissioners were doing this work in the 1980s ... no one had heard of e-mail, or mobile phones and no-one had digital cameras. All files were paper based ... There was no Internet, no Amazon, no Myspace, no YouTube, no spam, no phishing, no biometrics, no DNA testing, and no e-tags. And there was no offshore data processing centres where Australian's personal information was routinely sent or accessed from."

The discussion paper contains 301 proposals, however, recommendations will only be submitted to the government of the day in March 2008 after a further round of community and stakeholder feedback.

The commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said current arrangements have caused confusion for those attempting to navigate the current "piecemeal" Commonwealth Privacy Act and overlapping state privacy legislation.

The ALRC will propose that the Commonwealth Privacy Act apply to both the Commonwealth public sector and the private sector, removing state-based privacy legislation from the latter. The ALRC has not proposed that the Commonwealth Act applies to state government agencies, but it will however propose the Act adopts common understandings of definitions such as what constitutes "personal information" and a "record".

Data breach laws
If data breach disclosure laws are introduced in the way the ALRC has proposed, organisations and businesses will be obliged to notify the individuals concerned as well as the Privacy Commissioner when personal information has been compromised under the custodian's care.

The Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said: "Businesses are concerned that if we go down this road of data breach notification, what is it going to cost? The cost, particularly if you look at some of the US examples, can be substantial. Wherever there is unauthorised access to information you must notify, even if there's no serious threat of harm to the individual whose information has been breached. That can result in a very great cost of compliance for business."

However McCrimmon said the ALRC's proposals have been tempered so that only certain breaches qualify for notification status.

"What we propose is that there should be a data breach notification provision. What we've also proposed however is that there be certain thresholds that are set," he said.

Those thresholds are that there is a real risk of serious harm to affected individuals, and in instances where the information was not adequately encrypted or redacted.

If there has been a breach but no harm caused, McCrimmon said -- such as instances where an employee accesses a document that he does not have rights to by mistake but immediately leaves the document and does so with it unaltered -- that would not necessitate a notification. "In some US states, it would. The one we're proposing, it wouldn't," he added.

He said the Centrelink and Medicare examples, where records were inappropriately accessed, and in instances where a laptop is left at the airport would trigger notification rules.

Despite the increased attention given to the issue of data breaches by the ALRC's discussion paper, David Vaile, executive director of the Cyberspace Law and Policy Centre at the University of New South Wales, said it will be a long time before real changes are made.

Referring to the Democrats introducing a Private Members Bill on amending the Privacy Act to include data disclosure laws last month, Vaile said: "The fact it's been introduced is only a tiny step forward. Private members bills are often ignored."

Topics: Privacy, Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • What about privately owned websites like forums?

    I do think people have a right to know when their personal information has been lifted or even just viewed by an un-authorised person however how far do the new laws extend?

    I own several websites which include weblogs and forums and these sites require registration. Whilst some people prefer to use pseudonyms others choose to use their real name. Such sites (not limited to mine) also store things like IP addresses, e-mail addresses and other information that may appear generic but can sometimes be tied to an individual. Are non-commercial website owners subject to the new laws?

    Another point to make is that quite often when people are asked to divulge certain information on websites they choose to include false information. Are website owners still liable under the new laws if site members provide false information, especially information that makes them un-contactable?
  • Privacy laes

    I had my gen medical and psych files illegally released from a Qld Public hospital, it took 2 yrs for the state government to say " sorry" " we did not know the law" ! it took the Ombudsman to consult a Senior Counsel to spill the beans.They have been doing this for 8 yrs Governments can abuse peoples privacy and get away with ...sorry was ignorant and the CMC excepted it ! Try doing that in the privet sector .