Privacy Commissioner lukewarm on data breach disclosures

Stephen Withers
Monday, 25 August 2008 09:15

Opinion and Analysis

Is Australia taking privacy seriously? The Australian Privacy Commissioner recently supported the introduction of mandatory data breach notification, but a new publication from her office provides plenty of wriggle room for organisations that want to keep their lapses under wraps.

Australian Privacy Commissioner Karen Curtis today released a Guide to Handling Personal Information Security Breaches, but it only calls on organisations to "consider" notifying affected individuals if their personal information is compromised.

The Guide says in part "Notifying individuals where a breach affects their personal information is consistent with good privacy," but that's watered down by the suggestion that it's only necessary "if there is a real risk of serious harm" to the affected individuals.

It seems to me when a breach occurs, affected individuals should be notified as a matter of course, so they can judge whether there is a risk of harm. I can only think of two reasons why that shouldn't be the rule.

The first is that notifications cost money. Well, I'm sorry, but if an organisation's actions or inactions result in personal data being lost or exposed, then it deserves to meet the cost of warning everyone that is or may be affected.

Why "may be"? If, for example, a CD goes missing in transit, the organisation most likely knows exactly what was on it. But in some cases an organisation may be unable to determine exactly what subset of individuals were affected by an event, and should therefore warn everyone whose data may have been exposed.

Please read on for some examples.