 |
 Stephen Withers turns his gaze on the world of Apple, with
detours into other aspects of IT and communications as they catch his
attention. |
Technology news and Jobs 
Our Blogs Core Dump Privacy Commissioner lukewarm on data breach disclosures
Our Blogs Core Dump Privacy Commissioner lukewarm on data breach disclosures | Privacy Commissioner lukewarm on data breach disclosures |
|
| by Stephen Withers | |
| Monday, 25 August 2008 | |
|
Page 1 of 3 The Guide says in part "Notifying individuals where a breach affects their personal information is consistent with good privacy," but that's watered down by the suggestion that it's only necessary "if there is a real risk of serious harm" to the affected individuals. It seems to me when a breach occurs, affected individuals should be notified as a matter of course, so they can judge whether there is a risk of harm. I can only think of two reasons why that shouldn't be the rule. The first is that notifications cost money. Well, I'm sorry, but if an organisation's actions or inactions result in personal data being lost or exposed, then it deserves to meet the cost of warning everyone that is or may be affected. Why "may be"? If, for example, a CD goes missing in transit, the organisation most likely knows exactly what was on it. But in some cases an organisation may be unable to determine exactly what subset of individuals were affected by an event, and should therefore warn everyone whose data may have been exposed. Please read on for some examples. |
| < Next story in category | Previous story in the category > |
|---|
