Who does this affect?

Any organisation that holds personal information, in particular government agencies, financial institutions and participants in the health and telecommunications industries.

What do you need to do?

Organisations need to review the Guide and consider how the proposed measures could affect their business practices and whether they should make a submission. Submissions on the draft guideline are due on 16 June 2008.


Andrea Beatty, Partner, Sydney
James Moore, Canberra
Geoff Adams
Stephen Skehill

16 April 2008

Voluntary privacy breach reporting - 17 April 2008

Draft VOLUNTARY Information Security Breach Notification Guide issued by Federal Privacy Commissioner

On 15 April 2008, the Federal Privacy Commissioner issued a draft VOLUNTARY Information Security Breach Notification Guide for public comment (Guide). The Guide has been designed to assist public sector agencies and private sector organisations (together, Organisations) in responding effectively to an information security breach.

It also provides advice to Organisations about taking steps to prevent such breaches from occurring. The Guide is 41 pages in length and suggests a number of practical steps to be followed if an Organisation is responding to a data security breach.

Under the draft Guide, an information security breach occurs when personal information is exposed to unauthorised access, use, disclosure or modification as a result of a breach of an Organisation’s information security procedures. Examples of possible information security breaches include the loss of portable devices such as laptops which contain personal information about customers, or an Organisation providing communications containing personal information to the wrong individual.

Background

At present, there is no obligation under the Privacy Act 1998 (Cwth) (including in the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs)), for Organisations to notify affected individuals of an information security breach involving their personal information. However, as part of the Australian Law Reform Commission's current inquiry into reforming Australia's privacy laws, a MANDATORY requirement to notify affected individuals of information security breaches has been proposed.

The Guide was developed in response to increasing public concerns about breaches of information security, and the impact that these may have on individuals and Organisations. Examples of how individuals may be affected include identity theft, threats to physical safety and financial loss, while Organisations may suffer reputational damage or be subject to litigation.

Four key steps in responding to an information security breach

The Guide recommends that the following four measures be adopted by Organisations in responding effectively to an information security breach.

  1. The Organisation should contain the information security breach and complete a preliminary assessment of how it occurred.
  2. The Organisation should evaluate the risks to its customers or clients as a result of the breach.
  3. The Organisation should consider whether its customers or clients should be notified that an information security breach has occurred, based on factors such as the risk of serious harm to the individual, the ability of the individual to avoid or mitigate possible harm if notified, and the legal and contractual obligations involved.
  4. The Organisation should take appropriate action to prevent future breaches from occurring.

Steps 1 to 3 should be completed quickly or simultaneously to contain the breach and prevent further harm. Step 4 should be undertaken as a longer term strategy to improve the Organisation's information security practices.

The Guide expresses the view that notifying individuals of an information security breach is good privacy practice in certain circumstances, and that such notification reflects the current NPPs and IPPs. In particular, notifying affected individuals may allow those individuals to take steps to protect their personal information and provide an incentive for Organisations to ensure that personal information is adequately safeguarded.

Next steps

Organisations should read the Guide and consider whether they wish to make a submission on any of the issues that it raises (the draft Guide lists a number of specific issues that Organisations may wish to consider commenting on).

Submissions on the Guide are due on 16 June 2008.

It is possible that some or all of the measures set out in the final version of the Guide may become law in the future, particularly if the procedures in the Guide are later incorporated into a mandatory breach reporting requirement under the Privacy Act, as a result of the ALRC privacy review.

Organisations should also consider whether to incorporate some or all of the Guide’s procedures in their internal information security policies and risk management plans.

How we can help

We have considerable experience and expertise in advising on privacy issues. We can assist you in considering the impact of proposals on your Organisation, preparing submissions on the draft Guide and reviewing your information security policies and risk management plans from a privacy perspective.