Commonwealth of Australia Explanatory Memoranda Commonwealth of Australia Explanatory Memoranda[Index] [Search] [Download] [Bill] [Help]
SENATE
Privacy (Data Security Breach Notification) Amendment Bill 2007
Explanatory Memorandum
Circulated with authority by Senator Natasha Stott Despoja
This Bill would require organisations and Commonwealth Government agencies to notify
affected individuals of a data security breach involving their personal information.
Organisation is specified in section 6C of the Privacy Act 1988 to mean an individual, body
corporate, partnership, any other incorporated association or trust that is not a small business
operator, a registered political party, an agency, a State or Territory authority or a prescribed
instrumentality of a State or Territory.
Policy rationale
Organisations and government agencies have statutory obligations to maintain the
security of personal information. Even the most security conscious organisation or
agency can become the victim of information theft. However, existing privacy laws
do not specifically require an organisation or Government agency to notify affected
individuals if the personal information in their control is disclosed to an unauthorised
person.
Over recent years, media reporting has highlighted growing concerns among the
public about increased losses, infiltrations and unauthorised disclosures of personal
information held by various organisations and agencies. The Sydney Morning Herald
reported in an article titled 'A sensitive issue', the results of research conducted by the
IT Policy Compliance Group, which showed that more than two-thirds of Australian
organisations experience six losses of sensitive data each year. Further, the report
stated one in five organisations lose sensitive data 22 or more times a year. These
breaches reportedly include customer, financial, corporate employee and IT security
data, which is stolen, leaked or destroyed. In May 2006 an Australian Computer
Crime and Security Survey reported that in Australia the average annual losses from
electronic attacks, computer crime, and computer access misuse or abuse rose 63 per
cent over a 12 month period, reaching AUD$241,150 per organisation in 2006.
The data security breaches are occurring at a time when the Government is
considering several proposals to rationalise, centralise and streamline many
government services and databases, including the billion dollar Access Card project.
This activity is creating several databases that contain delicate personal information,
which is a target for criminals. Such large databases also have the potential to
magnify the data breaches and harm, which can be suffered by individuals where
there are security breaches. There have also been several high profile reports of
Commonwealth employees losing personal information including a senior officer
leaving a compact disc containing the report into the death of Private Jake Kovko at
Melbourne airport, where it was found and handed to broadcaster Derryn Hinch.
These reports of data security breaches and losses of personal information have
coincided with an increase in identity theft, which has implications for affected
persons' finances, harassment by debt collectors, credit denials and law enforcement
scrutiny for crimes committed by another individual. The incidence and severity of
identity theft can be ameliorated through greater awareness and pre-warning when
sensitive information is obtained by or disclosed to an unauthorised party.
Data security breaches are a product of globalisation, technological change and
increasing use of the internet for communication and electronic media for information
storage. Use of electronic data is increasingly becoming the norm for all sectors of
society including schools, hospitals, government agencies, private sector
organisations and charities. Consequently, data security breaches are a global problem
affecting all aspects of society that pose implications for privacy but also impose
additional costs on consumers and industry. For example, the US Federal Trade
Commission claimed that identity-related offences cost US consumers and businesses
around US$53 billion in 2002. Over a similar time-frame, estimates of the cost in
Australia vary from around $2 billion to $6 billion. The Australian Institute of
Criminology estimated the overall cost of fraud in Australia as more than $5 billion
per year, almost a third of the $19 billion 'total cost of crime'. Similar problems have
been experienced in various parts of the world with a 2006 study highlighting that 94
per cent of European Union companies experienced a data security breach in the
preceding three years.
However, many overseas governments have responded by implementing legislative
requirements for organisations and agencies to notify affected persons of data security
breaches regarding their personal information. Such requirements are common in the
United States and the European Commission is expected to pass the European
Directive on Data Protection later in 2007 to impose similar obligations.
In order to give individuals more control over their personal information and to
satisfy public expectations, Parliament must legislate to require Commonwealth
agencies and organisations to tell individuals when their personal information has
been compromised, so that they can take steps themselves to remedy the effects of the
breach. Measures can be implemented to lessen the impact of identity theft, but only
if persons are aware of the loss of their information. Such notification requirements
could also facilitate greater awareness of data security breach issues and improve
security practices, as has occurred in other countries.
The object of this Bill is to amend the Privacy Act 1988 to provide a procedure for the
notification of a breach of security involving personal or health information where an
organisation or agency discovers a data security breach.
Provisions of the Bill
Notes on clauses
Clause 1 - Short title
1. This clause is a formal provision that would provide for the Act to be cited as the Data
Security Breach Notification Act 2007.
Clause 2 - Commencement
2. This clause would provide that the Act come into operation on the day after the day it
receives Royal Assent.
Clause 3 - Object of Act
3. This clause would set out the broad policy aims of the amendments contained in the Act.
The main object of the Act would be to require organisations and Commonwealth
Government agencies to notify affected individuals of a data security breach involving their
personal information.
Schedule 1--Amendment of the Privacy Act 1988
This schedule provides for amendments to the Privacy Act 1988.
Item 1 - Subsection 6(1)
Item 1 would insert additional definitions in subsection 6(1) of the Privacy Act 1988:
· breach of data security; and
· unauthorised party.
The definition of a breach of data security would clarify that this is an aspect of the broader
issue of interferences with privacy, which is outlined in Division 1.
Item 2 - After section 13A, Insert 13AB Notification to a person of a breach of their data
security
Item 2 provides the principal operational provisions of the bill, notably stipulating the
requirement that notification be made to affected persons of any disclosure of their personal
information to an unauthorised party. Affected persons are those whose personal information
is the subject of a data security breach.
Breaches of data security can arise where an organisation or agency loses personal
information or where there has been unauthorised access to individuals' personal information.
This notification requirement would be to ensure that, as far as practicable and appropriate,
organisations and agencies are open, responsible and transparent in their information
handling practices. It would stem from National Privacy Principle 4 (Data security), which
requires organisations to take reasonable steps to safeguard individuals' personal information
held by them. It also would be drawn from Information Privacy Principle 4 (Storage and
security of personal information), which provides similar requirements for Commonwealth
agencies.
The requirement would create an incentive for organisations to invest in security. It would
also promote the responsible and transparent handling of personal information. By making
individuals aware of the circumstances surrounding a data security breach involving their
personal information, the affected individuals are then able to take steps to minimise harm
such as cancelling credit cards, alerting credit reporting agencies, changing contact details,
upgrading security measures or contacting law enforcement agencies.
Subsection (1) would contain the principal notification requirement, notably obligating
organisations and agencies to notify individuals of any breach of data security involving that
individual's personal information following the discovery of the breach.
Subsection (2) would require that notification be made as soon as possible and that, in
recognition of the responsibility of the holding organisation or agency for the security of the
information, any administrative costs incurred should not be transferred to the affected
person. In some cases, an organisation or agency may suspect but be unable to confirm that
a data security breach has taken place. In such circumstances, the affected person should be
notified of the possibility to ensure that they have sufficient notice and warning to take
necessary security precautions, considering the potentially significant consequences of
identity theft. This simply imposes the same requirements for caution and vigilance on
organisations or agencies holding other people's personal information that is exercised by the
persons themselves in protecting their information and responding to potential losses of that
information.
Subsection (3) would provide an accountability and tracking measure designed to protect
both the organisation or agency holding the information and the person whose information
was disclosed to an unauthorised party. This would allow verification that reasonable efforts
have been made to achieve compliance with the obligations under the bill. Notification could
be via a variety of communication methods, noting that organisations and agencies may
possess only certain contact details for affected persons. However, there should be an
emphasis on providing verifiable written communication where possible. Also, there should be
sensitivity to the possibilities that a data security breach could be compounded or notification
may not be received if out-of-date contact details are used or unsecured methods employed.
Subsection (4) would provide the requirement for cooperation by organisations and agencies
holding personal information about affected persons. This subsection would ensure that
organisations and agencies entrusted with personal information provide sufficient cooperation
to exercise the duty of care for holding such data and allow affected persons to take
appropriate self-protection measures. However, such cooperation must ensure that the
privacy rights of unauthorised parties are also respected.
Index]
[Search]
[Download]
[Bill]
[Help]