15 April 2008

The Australian Privacy Commissioner, Karen Curtis, has called for feedback from businesses, organisations, government agencies and the public on a draft Voluntary Information Security Breach Notification Guide.

"While agencies and organisations are required to safeguard the personal information they hold, unfortunately and despite their best efforts, sometimes an information security breach occurs," said Ms Curtis.

"Not all breaches result from malicious, intentional behaviour such as computer hacking for example - they can occur because of human error, from a failure to follow established protocols, or from information going missing. 

"Recognising that this is the current reality of the modern information handling environment, the Guide aims not only to assist agencies and organisations to minimise the possibility of a breach occurring, but also to prepare for and respond effectively to any breaches if and when they do occur."

At present there are no specific requirements under the Privacy Act for agencies and organisations to notify individuals of an information security breach. However, a proposal to make notification of information security breaches mandatory is being considered by the Australian Law Reform Commission in its Review of Privacy. 

"The development of a voluntary guide offers a timely opportunity for stakeholders to comment on this important issue and we look forward to hearing their views."

The draft Guide draws upon voluntary guidelines developed by the Privacy Commissioners of Canada and New Zealand.

The draft Guide and details of the consultation process can be viewed at www.privacy.gov.au/aboutus/consult/.

Submissions on the draft Guide should be received by 16 June 2008.