As the Federal Government stalls on making a decision about whether to make data-breach notifications mandatory, the office of the information commissioner has released a formal guide designed to encourage organisations to voluntarily notify the public about data breaches.
The Australian Law Reform Commission (ALRC) recommended in its 2008 report "For Your Information: Australian Privacy Law and Practice" that the Federal Government introduce mandatory data-breach notification laws that would require any Australian organisation that has a data breach involving individuals' private data to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).
Almost four years on, the government has yet to embark on any legislative changes, and has said that it is still considering the recommendations of the report.
In the meantime, the OAIC has today released a new guide, "Data breach notification: a guide to handling personal information security breaches", designed to encourage organisations to "voluntarily put in place reasonable measures to deal with data breaches, while legislative change is considered by the government".
The guide indicates that there are four key steps that organisations should take when handling a potential data breach.
The OAIC recommends that when the organisation first realises that there has been a breach, it should move to contain it immediately, taking steps such as recovering lost records, shutting down the breached system or revoking access privileges. The organisation should then appoint someone to assess the situation and determine what personal information is involved, what caused the breach, how it can be contained and what harm the breached information could cause.
The organisation should also work out who needs to be made aware of the breach, and, depending on the seriousness, decide whether to inform the affected parties right away.
Organisations must look at the type of information contained in the data breach to determine what harm it may cause, the guide states. If the breach involves banking information or medical information, this is likely to cause more harm through identity theft or financial loss than if it involved just names and addresses.
The organisation hit by a data breach must also examine who is affected by the breach, who will have access to the information contained in the breach, how this information could be used and whether this data was encrypted.
The OAIC suggests that an agency hit by a data breach should also determine whether the data breach is from a theft of hardware like a laptop, and whether the culprit was after the data itself or just the hardware.
The OAIC guide states that if an organisation decides not to notify those affected by a data breach, it risks loss of trust if the public then finds out about the breach through the media.
When an organisation decides to notify those affected, the guide says that the company should first consult with law-enforcement agencies if they are involved, and then notify affected parties as soon as possible. It would be appropriate to delay notifying affected parties until the system that caused the data breach had been repaired and tested, the commissioner noted.
Notification should be made directly, by phone, letter, email or in person. The commissioner said that indirect notification, either through the media or on a website, should only be used when it is cost-prohibitive to inform everyone individually.
The notification should include information about the data-breach incident, what personal information is involved (but not the actual personal information), timing, what the agency has done to respond to the breach, what assistance it can provide to people affected by it, organisation contact details, the potential legal implications and how to lodge a complaint to the OAIC.
The OAIC said that the organisation should not include information in the notification about system vulnerabilities that led to the breach.
To reduce the chances of a breach occurring in the future, the OAIC listed some of the measures that organisations have taken, such as creating a role to oversee data security, upgrading passwords or disabling download functions to prevent data from being moved onto USB thumb drives or other removable media.
In general, the guide paints data-breach notifications as a way for companies to show to the public that they can be transparent when a data breach occurs.
Recently, Optus and Telstra have both expressed their opposition to mandatory data-breach laws, instead favouring the OAIC's voluntary guidelines. The Internet Industry Association (IIA) said that such a law could be detrimental to Australian businesses, because they would be forced to comply with it, while international companies that also hold personal information of Australian customers, such as online retailers, would not.