The recent ALRC Privacy Law report noted that given the increasing fear of identity theft and fraud, most customers and users of government services believe they have a right to be informed when the security and privacy of their personal information have been compromised.
Consequently, the ALRC recommends the introduction of a mandatory data breach notification scheme.
The ALRC has recommended that an agency or organisation only be obliged to notify affected individuals and the Privacy Commissioner when a data breach has occurred that may give rise to serious harm to any affected individual.
The government has indicated it will deal with this issue in the second stage of its response in the next 12 to 18 months.
In the meantime, the Australian Privacy Commissioner, Karen Curtis, has released a "Guide to Handling Personal Information Security Breaches" (pdf). It is a voluntary guide for use by businesses, agencies and non-government organisations in preventing and, if necessary, responding to a data breach.
The Guide includes four key steps to consider when responding to a breach:
Step 1: Contain the breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the breach (risk analysis is on a case-by-case basis: not all breaches necessarily warrant notification).
Step 3: Consider notification
Step 4: Prevent future breaches.
With regard to Step 3, the Guide suggests that individuals affected by a breach should only be notified where a breach creates a real risk of serious harm to the individuals.
The Guide incorporates illustrative examples which will assist in circumstances, such as whether notification is an appropriate response.