Privacy revolution on report

August 12, 2008: The introduction of mandatory data breach notification in Australia has been foreshadowed in a report into Australia's Privacy Act.

A review of the Privacy Act 1988 was commissioned by the previous federal government. The Australian Law Reform Commission (ALRC) has now issued a three-volume report that recommends 295 changes to privacy laws and practices in Australia.

Announcing the results of the two-year investigation, ALRC President Professor David Weisbrot noted that “About 40 American states now have data breach notification schemes, contained in legislation or administrative arrangements, mainly arising in response to a series of high-profile data breaches.

“For example, ChoicePoint, a large US credential verification organisation, accidentally disclosed sensitive material it had collected on 145,000 individuals. In the UK, the personal details of over 25 million child benefit recipients were lost by a government department. And just the other day, police in the US charged 11 people across five countries with stealing and selling 40 million credit and debit card numbers gained by hacking into the wireless computer networks of major retailers.

“People are now very aware of the nefarious activities of computer hackers and the widespread existence of ‘malware’, and there are regular news reports of laptops containing sensitive personal information being lost and other personal records accidentally being exposed or illicitly accessed.

“Given the increasing fear of identity theft and fraud, most customers and users of government services believe they have a right to be informed when the security and privacy of their personal information have been compromised. In our national consultations there was clear support for the introduction of a data breach notification scheme in Australia, with a strong preference for a national approach overseen by the federal Privacy Commissioner.

“Consequently, the ALRC recommends the introduction of a mandatory scheme, requiring notification where a sufficiently serious breach has occurred.”

Professor Les McCrimmon, Commissioner in charge of the Privacy Inquiry, stated, “A mandatory data breach notification scheme gives individuals the information and opportunity to protect themselves against fraud and identity theft. It also will provide a strong incentive for agencies and organisations to ensure that they secure their databases in full compliance with the Privacy Act.

“In addition, the development of a consistent national model is far preferable to a proliferation of differing state and territory schemes—as has happened in the US.”

The Privacy Act report proposes dedicated regulations governing specific fields, such as health privacy and credit reporting. It also recommends regulating cross-border data flows, so that an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.

The ALRC's recommendations also include the introduction of a federal law to provide Australians with legal redress in cases of “serious invasion of privacy, in circumstances in which the person had a reasonable expectation of privacy.”

According to Weisbrot, “Although the federal Privacy Act is only 20 years old, it was introduced before the advent of supercomputers, the Internet, mobile phones, digital cameras, e-commerce, sophisticated surveillance devices and social networking websites—all of which challenge our capacity to safeguard our sensitive personal information.

“The Privacy Act has worked pretty well to date, but it now needs a host of refinements to help us navigate the Information Superhighway. These days, information privacy touches almost every aspect of our daily lives, including our medical records and health status, our finances and creditworthiness, the personal details collected and stored on a multiplicity of public and corporate databases, and even the ability to control the display and distribution of our own images.”

The Privacy Final Report and detailed Briefing Notes on 10 key areas—including children, credit reporting, health, data breach notification (fraud and identity theft), emerging technologies and creating an action for serious invasion of privacy—can be found online at www.alrc.gov.au
