The ALRC has renewed its call for the government to introduce financial penalties for data breaches
The Australian Law Reform Commission (ALRC) has renewed its call for fines for failing to notify the privacy commissioner of data breaches after the UK introduced penalties of up to half a million pounds.
The ALRC initially made the call in its report: <i>For Your Information: Australian Privacy Law and Practice</i> released in 2008.
Authorities in the UK recently amended the Data Protection Act to allow the Information Commissioner to issue fines for data breaches of up to £500,000.
ALRC research manager Jonathan Dobison said the penalty method would be effective in the current information age, where there is an increasing number of ways information can be leaked through technology such as flash drives and laptops.
In February 2006, the Federal Government announced a major review of the Privacy Act 1988 would be undertaken by the ALRC that included how to deal with data loss situations.
In October, the Federal Government released its response to the ALRC's Privacy Act review and said the accepted recommendations will be implemented in two stages.
At the time, the government said draft legislation to implement the first stage changes will be available early this year for consultation
However, the data loss recommendations were not included in the first stage and it is not yet clear whether the government will force organisations to reveal if they have suffered a breach.
Dobison said even though the penalty approach might not stop data breaches, organisations will be more cautious about data protection.
“The idea of penalty is not only to punish but also to deter,” he said.
As part of the ALRC's data breach recommendation, the privacy commissioner only needs to be notified of a breach if there is a real risk, such as the leak of a name, address or another unique identifier.
Dobison added that notification to the privacy commissioner would not be required if the incident is not in the public interest.
There are few high-profile cases of Australian organisations having suffered a data breach in the public domain.
However, in the past few years there have been several notable cases in the UK and US where laws are more stringent and organisations are obliged to report breaches.
For instance, in late 2008 an unencrypted laptop with data on up to 600,000 people was stolen from a UK Ministry of Defence recruiting officer's car.
One infamous case was the loss of a CD with data on almost half of the UK's population - including dates of birth, addresses, bank accounts and national insurance numbers - in the post by HM Revenue & Customs.
And in October last year The Guardian newspaper was forced to notify 500,000 people that details they posted to the newspaper's employment site may be in the hands of hackers.
The Australian Federal Government has recently called in Symantec for consulting advice on the data breach notification laws aimed at notifying consumers when a business has lost or compromised data linked to them.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.