Discussion Paper proposal

51.47 In DP 72, the ALRC identified support in submissions and consultations for a requirement that data users notify individuals of a breach of their personal information in certain circumstances.[78] Supporters of a data breach notification law gave a number of reasons why such a law would be valuable. These include that it would:

  • provide a strong market incentive and stimulus to organisations to secure databases adequately to avoid the brand and reputational damage arising from negative publicity;[79]

  • encourage attention to compliance and vigilance against identity theft;[80] and

  • improve accountability, openness and transparency in the handling of personal information by agencies and organisations.[81]

51.48 As set out in DP 72, support was not unanimous among stakeholders, and there were some organisations that did not support a mandatory data breach notification requirement. The trigger for notification was highlighted as the critical issue, with strong support expressed for the idea of making the reporting requirement proportionate to the potential for harm caused by the breach.

51.49 After having regard to several factors, including the ‘data abuse pyramid’ postulated by Professor Daniel Solove,[82] the ALRC proposed that the Privacy Act be amended to include a new Part on data breach notification. The trigger for the requirement proposed by the ALRC was where ‘specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual’. Exceptions were provided, for example, where: the specified information was encrypted adequately; it was acquired in good faith by an employee or agent of the agency or organisation where the agency or organisation was otherwise acting for a purpose permitted by the model Unified Privacy Principles (UPPs); or the Commissioner does not consider that notification would be in the public interest. Civil penalties were proposed for failure to notify the Commissioner of a data breach as required by the Act.[83]

[78] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Privacy NSW, Submission PR 193, 15 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Queensland Government Commission for Children and Young People and Child Guardian, Submission PR 171, 5 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; AAMI, Submission PR 147, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007; K Pospisek, Submission PR 104, 15 January 2007; Civil Liberties Australia, Submission PR 98, 15 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[79] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[80] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Privacy NSW, Submission PR 193, 15 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[81] Privacy NSW, Submission PR 193, 15 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[82] Solove suggests that it is important for the law to intervene early to address cases of data insecurity, rather than only providing criminal sanctions for cases of identity fraud: see Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [47.55–47.62].

[83] Ibid, Proposal 47–1.