Media Release: Privacy Commissioner calls for mandatory reporting of major data security breaches
30 January 2008

In the wake of recent significant data breaches in the United Kingdom, the Australian Privacy Commissioner, Karen Curtis, has reiterated her call for compulsory notification of major data security breaches by Australian organisations.

"While reporting would need to be proportional to the severity of the breach, it would provide organisations with a strong market incentive to adequately secure their databases," Ms Curtis said.

"It would also give people an opportunity to take any necessary steps to protect their personal information."

Ms Curtis's call for mandatory reporting was made in a 786-page submission by her Office to the Australian Law Reform Commission (ALRC) in response to its Discussion Paper 72: "Review of Australian Privacy Law". Other recommendations in the submission included:

  • Maintaining a principles-based and technology-neutral approach - to provide flexibility and responsiveness to change.
  • Creating codes where specific privacy concerns emerge - to apply in addition to the uniform principles.
  • Minimising exemptions from the Privacy Act.
  • Health sector - the Privacy Act should "cover the field" for the regulation of private sector health service providers.
  • Credit reporting - further independent research on comprehensive (or "positive") credit reporting is required before it is clear whether its introduction will be beneficial.
  • Audits - a qualified audit power would allow the Office to conduct privacy performance assessments of private sector organisations for compliance in certain circumstances.

The full submission is available here.