Mahesh Sharma | August 12, 2008
The Australian Law Reform Commission has outlined changes to the Privacy Act, but local organisations and government agencies have largely opposed the proposed data breach reporting recommendations.
Data breach reporting was one of 295 recommendations in a 2700-page report from the Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice.
Launched yesterday, it also recommends drafting regulations for health information, managing electronic health records and educating children on ownership of personal information posted on social networking sites.
In the case of customer information being compromised, the commission recommends that any agency or organisation notify the privacy commissioner and affected individuals when a data breach has occurred, but only when this may cause serious harm to an individual.
It says there should be a civil penalty for a serious or repeated interference with privacy, or where a penalty would have a worthwhile educative or deterrent effect.
It says there should be fines for companies that fail to immediately report breaches to the privacy commissioner.
The Australian Information Industry Association and IBM did not support introducing data breach reporting and in their submissions to the review they said it would "impose too great a burden on businesses".
Telstra was similarly unconvinced by the commission's proposed data breach notifications and did not support the penalty for failing to notify the privacy commissioner of a data breach.
"It fails to achieve the right balance between the competing policy interests in this area," Telstra's submission says.
Google Australia expressed concern that mandatory notification requirements would result in notification fatigue for consumers, and said guidelines should be voluntary.
"The real risk arising from the implementation of data breach legislation is to trivialise notification obligations in the mind of consumers to such an extent that they become meaningless and ineffective in terms of real data protection," Google writes.
"In fact, the potential damage to consumers of a blanket notification obligation could be twofold: on the one hand, it can create unjustified anxieties and on the other hand it may result in a lack of proper attention to more serious incidents (for example, if consumers come to regard numerous 'less serious' data breach notification emails as a form of spam)."
The Australian Federal Police say there must be clear definitions of when the risks of notifying individuals outweigh the benefits.
"This could include where an agency's internal processes have dealt appropriately with the person or system responsible for the disclosure and the individual to which the personal information relates has not been affected by that disclosure."
The commission also recommends that new privacy guidelines should be drafted for health information to cover patient access and control over their information, as well as the management and delivery of electronic health records among medical professionals.
It says Part 13 of the Telecommunications Act, which deals with the use and disclosure of personal information in the industry, is too complex, and needs to be simplified and streamlined.
It also recommends a review of the Telecommunications Act to see if it is still relevant in today's rapidly evolving technology environment.
Special Minister of State John Faulkner said yesterday that it was too early for the Government to respond to specific points.