Jurisdiction - Australia
Australia – Government Releases Data Breach Discussion Paper.

29 October, 2012


Legal News & Analysis – Asia Pacific – Australia – TMT


In brief


  • The Australian government has continued its momentum in relation to the reform of Australia’s privacy laws by releasing a Discussion Paper entitled Australian Privacy Breach Notification.
  • The Discussion Paper highlights the pros and cons of imposing a statutory reporting obligation on organisations which experience a breach of security in relation to their storage of personal data.
  • The government is seeking comment on the issues raised by 23 November 2012.




On 17 October 2012, the Federal Attorney-General released a Discussion Paper entitled Australian Privacy Breach Notification.


Release of the discussion paper is the latest in a series of initiatives undertaken by the Government since the question of the adequacy of Australia’s privacy laws was initially referred to the Australian Law Reform Commission for consideration in 2006.


The key developments over the years have included the following:


  • in January 2006, the adequacy of Australia’s existing privacy laws was referred to the Australian Law Reform Commission (ALRC);
  • the ALRC released an interim report in September 2007, followed by a final report in August 2008;
  • the Australian Government released an exposure draft of new privacy principles in June 2010, to be known as the Australian Privacy Principles (APPs);
  • in September 2011, the Attorney-General released an issues paper inviting comment on the merits of introducing a statutory cause of action for serious invasion of privacy;
  • on 23 May 2012, a Bill implementing the first round of reforms was tabled in the House of Representatives.


Objectives of Discussion Paper


The concept of “privacy breach notification” contemplates a statutory obligation on businesses to notify all individuals potentially affected by an accidental or unauthorised disclosure of personal information under the control of that business.


The Discussion Paper focuses on a threshold question of whether the introduction of a formal privacy breach notification procedure is warranted and, if so, whether it is possible to achieve an appropriate balance between the public interest in mitigating the effects of data breaches whilst avoiding an unduly burdensome compliance requirement for business.


The rationale behind a mandatory data breach reporting regime would be that individuals whose personal information had been compromised by a breach would be able to take remedial steps to lessen the adverse impact that might arise as a consequence.


The Discussion Paper refers to anecdotal evidence that breaches of data security are increasing in frequency and scope. In the 2010/2011 financial year, the Office of the Australian Information Commissioner (OAIC) was informed approximately once a week of the occurrence of a new data breach, whilst recent US reports have found that up to 88% of organisations surveyed suffer at least one data breach during the course of a year.


Current position in Australia


The Privacy Act does not contain a mandatory data breach notification obligation, nor is one contained in the proposed new Australian Privacy Principles. The OAIC’s Data Breach Notification Guidelines, published in April 2012, strongly encourage organisations to report data breaches to affected individuals as a part of “good privacy practice” but these guidelines are voluntary and do not themselves impose any binding obligations on organisations.


There is, nevertheless, an existing obligation on the Commonwealth government under Information Privacy Principle 4 and on private sector organisations under National Privacy Principle 4 to keep information secure, and a similar security obligation is contained in the proposed new Australian Privacy Principle 11. Whilst a breach of security is a breach of the existing and proposed new privacy principles, it is not accompanied by a specific obligation to inform individuals who may be potentially affected.


The discussion paper notes a number of arguments in favour of the status quo. These include:


  • the additional cost of compliance with a mandatory notification scheme;
  • existing commercial incentives to maintain high standards of data security;
  • the effectiveness of voluntary guidelines previously published by the Office of Australian Information Commissioner;
  • the inability of many organisations to detect whether a data breach has occurred; and
  • general queries over the link between data security breaches and identity theft.


Arguments in favour of implementing a new statutory obligation include:


  • the opportunity for individuals potentially affected by the breach to take corrective action (such as changing passwords);
  • deterrence and incentive on holders of personal information to maintain adequate security procedures;
  • the ability for government to monitor the scope and frequency of data breaches; and
  • improved public confidence that individual privacy rights are receiving the maximum statutory protection practicable.


Possible legislative model


The Discussion Paper considers various models for implementing a data breach notification obligation in the event it were considered appropriate to do so.


It notes that the Australian Law Reform Commission, in its recommendation 51-1, recommended the introduction of a legislative provision which would require notification to the Privacy Commissioner and affected individuals in the event that specified personal information had been, or was reasonably believed to have been, acquired by an unauthorised person and there was a belief that this may “give rise to a real risk of serious harm to any affected individual”. The proposed legislative provision nominated various factors which might be taken into account when determining the existence of a “real risk”, including whether the information was encrypted and whether the breach of security was an innocent mistake or something more malicious.


The Discussion Paper noted that the precise wording of the legislative provision recommended by the ALRC had subsequently been the subject of considerable comment and debate, and had not won universal acceptance.


The Discussion Paper also referred to the OAIC’s voluntary guide for entities on how to handle a data breach. The guide describes practical steps which an organisation should take, including breach containment, risk evaluation, possible notification, incident review and prevention of recurrence.


The Discussion Paper raised the possibility that the OAIC’s guidelines could provide the basis of a suitable legislative provision if new laws were to be introduced.


Existing legislative models


The Discussion Paper outlines existing legislative models for data breach notification, noting that none exist in Australia, either federally or at State or Territory level.


In conducting this analysis, the Discussion Paper made the following observations:


  • 47 US States have enacted some form of data breach notification legislation and in February 2012 the Obama administration released a White Paper advocating a nationally uniform notification standard;
  • the European Union recently (through Directive 2009/136/EC) amended its Directive on privacy and electronic communications (Directive 2002/58/EC) to include data breach notification provisions applicable to electronic communications providers, and in June 2011 there was a proposal that the mandatory data breach notification protocol be extended to all sectors rather than only the telecommunications sector;
  • in the United Kingdom specifically, new regulations were implemented in May 2011 to impose a fixed monetary penalty where a telecommunications service provider failed to comply with the notification requirement;
  • in 2010, the Irish Data Protection Commissioner approved a mandatory Code of Practice relevant to personal data security breaches by non-government organisations.


Key issues for consultation


The Discussion Paper raises seven specific questions in respect of which public feedback is sought:

  • Should Australia introduce a mandatory data breach notification law?
  • Which breaches should be reported, and what should be the triggers for notification?
  • Who should decide on whether to notify (that is, the organisation/agency, the Commissioner, or the organisation/agency in consultation with the Commissioner)?
  • What should be reported (content and method of notification), and in what time frame?
  • What should be the penalty for failing to notify when required to do so?
  • Who should be subject to a mandatory data breach notification law (specifically, should it extend to government agencies)?
  • Should there be an exception for law enforcement activities? Public consultation 


Submissions on issues raised in the Discussion Paper are sought by 23 November 2012. For more information see the Attorney- General’s webpage on Australian Privacy Breach Notification.



Leave a Reply

You must be logged in to post a comment.