Wednesday, May 01, 2013

Privacy Awareness Week

I'll bet you were aware anyway.

If not, Privacy Awareness Week is underway and runs through until 4 May. It's a good idea.

In his first outing in this field, Attorney General Mark Dreyfus spoke at the launch event in Sydney on Monday. You won't find much there you didn't know if you followed the painfully slow development and passage of the amendments to the Privacy Act enacted last year and to commence in 2014. 

The Australian Law Reform Commission and its report 108 that kicked all this off in 2008, Privacy Law and Practice, didn't crack a mention.

Nor was there a mention of its recommendation all those years ago (in line with recommendations from the NSW and Victorian law reform commissions) for a statutory cause of action for a serious and unwarranted breach of privacy. As recently as 12 March this was on its way back to, ahem, the Australian Law Reform Commission for "detailed examination."

But presumably that's gone now along with the rest of the media reform package, parts of which addressed another ALRC recommendation: that the exemption from the Privacy Act media organisations enjoy in the conduct of journalism should be conditional on signing up to adequate privacy standards that include proper enforcement mechanisms. (How tough is that? But I digress...)

And no mention of other ALRC recommendations that in 2009 then responsible minister Ludwig identified as ‘second stage’ reform issues, including removal of exemptions for small business and, ahem again, political parties; telecommunications privacy; children’s privacy and leadership on the issue of national harmonisation of privacy laws.

The only second stage issue that received a run was data-breach notification. Voluntary and encouraged now, but mandatory notification is under consideration. Still.

On this subject the Attorney General said:
"While on the issue of information security, I can say that the Government remains committed to providing a robust and transparent privacy law framework that protects against and deters data breaches.
I believe that government agencies or companies that suffer a data breach should provide timely advice to those who have had, or could have, their privacy infringed.
This would seem to be the view of many Australians as well. A recent study undertaken by the Centre for Internet Safety at the University of Canberra, found that 85% of Australians supported notification where their personal information has been breached.
Notification of data breaches empowers individuals to take corrective or remedial action to change or resecure the personal information.
The simple act of cancelling a credit card or changing a password gives that individual the opportunity to limit the possibility of identity theft or fraud.
We currently have a voluntary system in Australia. I know that many of you have systems in place to conform with the voluntary system, and some have notified the OAIC and affected individuals where appropriate.
Whether that system is adequate is still a question we need to consider. If there continues to be underreporting of data breaches, or we continue to find out about them only through media reports, some would argue that there is a strong case to move to a mandatory scheme.
Large scale data breaches continue to occur, and every incident that is reported in the media continues to raise community concerns about the need for a mandatory scheme.
As recently as February this year, the Australian Broadcasting Corporation (ABC) revealed that the personal details of almost 50,000 internet users had been exposed online after the ABC's main website was hacked. This followed large scale breaches in recent years at Telstra, Medvet and Sony Playstation. While I am an optimist, I do not anticipate that we have seen the end of these types of breaches.
A mandatory notification requirement may also act as an incentive to the holders of personal information to adequately secure that information, leading to an overall improvement in information security practices.
A mandatory data breach notification scheme would also provide better information to government and the public on the scope and frequency of data breaches. That could be vital in the development of measures to combat the frequency and severity of data breaches.
As many of you are aware, the Government released a discussion paper on mandatory data breach notification in late 2012. We received a number of useful responses raising a range of issues.
As part of the normal process of policy development, we have followed up with some stakeholders to seek more detailed information, including about how a mandatory scheme might impact on businesses.
The Government will carefully consider this ongoing consultation before deciding on which option to pursue."
