The Australian Law Reform Commission (ALRC) has given the thumbs up to the introduction of data breach disclosure laws in Australia, which would put it in line with current US and European legislation.
The ALRC has proposed a major shake-up of current privacy laws, including data breach disclosure laws, which it hopes will simplify complex and overlapping state and Commonwealth privacy legislation, including the Commonwealth Privacy Act 1988, which has not been reviewed for 20 years.
Professor David Weisbrot, ALRC President, said: "That's not normal. When you think about sedition laws, that took three to four [hundred], 500 years to review. [However] when Michael Kirby and the other commissioners were doing this work in the 1980s ... no one had heard of e-mail, or mobile phones and no-one had digital cameras. All files were paper based ... There was no Internet, no Amazon, no Myspace, no YouTube, no spam, no phishing, no biometrics, no DNA testing, and no e-tags. And there was no offshore data processing centres where Australian's personal information was routinely sent or accessed from."
The discussion paper contains 301 proposals, however, recommendations will only be submitted to the government of the day in March 2008 after a further round of community and stakeholder feedback.
The commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said current arrangements have caused confusion for those attempting to navigate the current "piecemeal" Commonwealth Privacy Act and overlapping state privacy legislation.
The ALRC will propose that the Commonwealth Privacy Act apply to both the Commonwealth public sector and the private sector, removing state-based privacy legislation from the latter. The ALRC has not proposed that the Commonwealth Act applies to state government agencies, but it will however propose the Act adopts common understandings of definitions such as what constitutes "personal information" and a "record".
Data breach laws
If data breach disclosure laws are introduced in the way the ALRC has proposed, organisations and businesses will be obliged to notify the individuals concerned as well as the Privacy Commissioner when personal information has been compromised under the custodian's care.
The Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said: "Businesses are concerned that if we go down this road of data breach notification, what is it going to cost? The cost, particularly if you look at some of the US examples, can be substantial. Wherever there is unauthorised access to information you must notify, even if there's no serious threat of harm to the individual whose information has been breached. That can result in a very great cost of compliance for business."
However McCrimmon said the ALRC's proposals have been tempered so that only certain breaches qualify for notification status.
"What we propose is that there should be a data breach notification provision. What we've also proposed however is that there be certain thresholds that are set," he said.
Those thresholds are that there is a real risk of serious harm to affected individuals, and in instances where the information was not adequately encrypted or redacted.
If there has been a breach but no harm caused, McCrimmon said -- such as instances where an employee accesses a document that he does not have rights to by mistake but immediately leaves the document and does so with it unaltered -- that would not necessitate a notification. "In some US states, it would. The one we're proposing, it wouldn't," he added.
He said the Centrelink and Medicare examples, where records were inappropriately accessed, and in instances where a laptop is left at the airport would trigger notification rules.
Despite the increased attention given to the issue of data breaches by the ALRC's discussion paper, David Vaile, executive director of the Cyberspace Law and Policy Centre at the University of New South Wales, said it will be a long time before real changes are made.
Referring to the Democrats introducing a Private Members Bill on amending the Privacy Act to include data disclosure laws last month, Vaile said: "The fact it's been introduced is only a tiny step forward. Private members bills are often ignored."