The Attorney-General’s department has released a discussion paper seeking public input on whether Australia should have mandatory data breach notification laws.
The discussion paper emerges while debate about the department’s proposed data retention regime – under which carriers and ISPs would be required to hold data about their customers’ communication for two years – rages on.
It comes in response to recommendations by the Australian Law Reform Commission that the Privacy Act be amended to require companies to notify the public when a breach takes place. Australia’s Privacy Commissioner, Tim Pilgrim, yesterday told the Australian Financial Review he was concerned at the rising number of un-notified breaches in Australia.
Not yet posted on the AG’s Website, the paper is available from Crikey, here (PDF).
The discussion paper canvasses whether a notification law is required; what the triggers should be for a notification (for example, what likely harm from a data breach is required to demand public notification); who should decide whether notification is needed (for example, whether the notification decision should be delegated to the Privacy Commissioner); the contents and time-frame of notifications; possible penalties; and which organizations should be covered.
It will probably come as no surprise to readers that the paper also asks whether law enforcement should get exemptions.
Submissions are open until 30 November, 2012, and should be sent to [email protected] ®