51.1 Data breach notification is, in essence, a legal requirement on agencies and organisations to notify individuals when a breach of security leads to the disclosure of personal information. It is a topical issue in privacy regulation around the world.

51.2 The Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) in the Privacy Act 1988 (Cth) do not impose an obligation on agencies and organisations to notify individuals whose personal information has been compromised. The Act requires, however, that agencies and organisations take reasonable steps to maintain the security of the personal information they hold.[1]

51.3 This chapter begins by considering the rationales given for data breach notification laws in the United States (US), which is at the forefront in the development of such laws. The chapter then considers some of the key elements of data breach notification laws in other jurisdictions, including the event that triggers the requirement to notify. It also looks at the recent introduction in Australia and New Zealand of voluntary data breach notification schemes. Finally, the chapter sets out the ALRC’s view on the justification for a data breach notification law and recommends that the Privacy Act be amended to include a new Part on data breach notification.

[1] Privacy Act 1988 (Cth) s 14, IPP 4; sch 3, NPP 4. See also the recommended ‘Data Security’ principle in the Unified Privacy Principles set out at the beginning of this Report and in Ch 28.