25 August 2008

The Australian Privacy Commissioner, Karen Curtis, has released a "Guide to Handling Personal Information Security Breaches". It is for use by businesses, agencies and non-government organisations in preventing and, if necessary, responding to a data breach.

"Under the Privacy Act, organisations must take reasonable steps to prevent a malicious or unintentional loss of personal information they hold," said Ms Curtis.

"Prevention is always better than the cure.

"However, in the eventuality that a breach does occur, the Guide will provide clear steps that can be taken to minimise the impact of the breach on those individuals affected by it."

Ms Curtis said the Guide was developed following extensive consultation with a range of stakeholders. It includes four key steps to consider when responding to a breach:

• Step 1: Contain the breach and do a preliminary assessment
• Step 2: Evaluate the risks associated with the breach
• Step 3: Consider notification
• Step 4: Prevent future breaches.

With regard to Step 3, the Guide suggests that individuals affected by a breach should be notified where a breach creates a real risk of serious harm to the individuals. 

The Guide incorporates illustrative examples which will assist in circumstances, such as whether notification is an appropriate response. 

"While the Guide is voluntary, it represents good practice in handling breaches, and I would urge all organisations and agencies to read it and consider its use," Ms Curtis said.

The operation of the Guide could inform the Government's response to the Australian Law Reform Commission's August 2008 recommendation that mandatory breach notification be introduced into law.

The Guide is available at www.privacy.gov.au/materials/types/download/8628/6478