25 June 2013

Privacy Breach Alerts

The Australian Senate Constitutional & Legal Affairs Committee has produced a quick response to the Privacy Amendment (Privacy Alerts) Bill 2013 (Cth), more accurately labelled the Data Breach Bill.

The Committee was seeking public input as late as last Tuesday, with a deadline of lunchtime Wednesday. (Disclaimer: I made a submission on that basis.)

The Coalition Senators on the Committee sensibly comment that
Coalition senators are, like a number of submitters to this inquiry, concerned with the lack of due process and time for scrutiny afforded to this bill through the committee. 
Coalition senators understand that the number and depth of analysis of submissions to this inquiry has been hampered by the restrictive timeframe. No explanation has been forthcoming from the government as to the reason for this extraordinarily foreshortened process. 
Given the importance of the nature of this matter, and the extensive criticisms which were levelled at the primary privacy legislation when it was examined by the committee last year, it is most unfortunate that thorough and detailed scrutiny should not have been afforded to this bill. ... Coalition senators believe that the concerns of key stakeholders should not lightly be set aside, where they are afforded an opportunity to be consulted. Coalition senators believe the concerns raised by those stakeholders should be better scrutinised, understood and acted upon by the relevant government agencies as this new privacy regime is rolled out.
The report features the majority comment, in endorsing the Bill, that
The committee supports enhanced privacy protection for individuals whose personal information has been accessed by, or disclosed to, a third party as the result of a 'serious data breach'. The committee notes the Commissioner's evidence that data breaches are under-reported and on the increase within Australia. 
The measures proposed in the Bill are supported by the ALRC, which specifically recommended such a reform to help resolve the situation of individuals being adversely affected by the compromise of their personal information. The Commissioner has also expressed unconditional support for the Bill, as did consumer advocates who participated in the inquiry. The committee agrees that the proposed reform is 'long overdue' and would benefit Australian consumers, as well as industry stakeholders, who would be simultaneously encouraged to effect and maintain high-quality data security practices. 
A public consultation paper was released by the Department in October 2012, seeking the community's view on whether a mandatory data breach notification law should be introduced in Australia and, if so, how the law should be framed. This was followed by a confidential targeted consultation in respect of a more detailed legislative model in April 2013. The committee considers that stakeholders have been afforded ample opportunity to comment on the proposals in the Bill, noting that the matters under consideration were first raised in 2008 by the ALRC. 
The trigger for mandatory notification concerned several submitters. While the committee acknowledges these concerns, the Department pointed out that this threshold has been implemented in the voluntary data breach guidelines since 2008, when the ALRC recommended the standard. The committee therefore accepts the Department's view that the threshold is familiar to stakeholders, and agrees that it is preferable for the Commissioner to continue to issue guidance on the meaning of a 'real risk of serious harm', as circumstances require. In this context, the committee notes that the Commissioner is already considering amendments to the OAIC guide, to account for the changes to be introduced by the Bill.
All in all, neither the Bill nor the drumhead consultation is a matter of which the Government can be proud.