Australian Lefty on Politics, Governance, Science and Info Management

Privacy Commissioner Consultation

Posted by Dave Bath on 2008-04-16

For those following Jacques Chester’s recent Club Troppo posts (here and here) on our Federal Government’s cluelessness on IT security and privacy issues, I’d point out a new Privacy Commissioner consultation about a code for notifying individuals about privacy breaches.

Comments are sought on the Draft Voluntary Information Security Breach Notification Guide by 2008-06-16, with responses to or "Information Security Breach Notification Consultation", Office of the Privacy Commissioner, GPO Box 5218, Sydney NSW 2001.

As noted in the introductory sections of the draft…

In Australia, the Privacy Act 1988 (Cth) (Privacy Act) does not specifically require an agency or organisation to notify individuals or the Privacy Commissioner of a breach of information security.  However the issue of an amendment to the Privacy Act to require mandatory data breach notification is under consideration as part of the Australian Law Reform Commission’s (ALRC) review of privacy.

Of course, one of the problems is that many agencies and their commercial subcontractors not only do not want to admit their failures, but are often too stupid to recognize them, or to recognize the importance of proper governance of information services (including appropriate metadata tags).

The discussion paper goes on…

It is the Office’s view that breach notification in certain circumstances is good privacy practice and reflects key privacy principles.  In particular, notifying individuals of a breach to the security of their personal information allows individuals to take steps to protect their personal information.  In this way notification can enhance an agency or organisation’s transparency and openness with individuals; an important part of consumer trust and confidence.  It would also provide a strong market incentive for agencies and organisations to adequately secure the personal information they hold.

Personally, I don’t think "market incentives" are enough: rigorous auditing, reporting of scorecards against ANAO-recognized information systems governance standards such as COBIT, and vigorous prosecution of incompetent executives are required.  I don’t think "voluntary" is appropriate for government agencies (and their commercial subcontractors): it should be mandatory.  Without such threats, debacles such as those at Centrelink will continue.

Mind you, when an agency or large commercial organization (e.g. a bank) stuffs up, it is usually big time: thousands and thousands of individuals affected at a time.  You can bet that such organizations will complain that the costs of letters, emails and/or phone calls to the victims will be an unreasonable financial burden.


3 Responses to “Privacy Commissioner Consultation”

  1. nigel said

    I wonder if the Vic privacy act will be upgraded or the moment the cruncher with the state legislation is…’the individual has no requirements under the act’…kind of a waste of time to read the act or write to Versey once you realise that you have no requirements :)

  2. […] "Privacy Commissioner Consultation into IT security and privacy" (2008-04-16) explores a code for organizations to notify those whose privacy has been compromised because of sloppy IT practices… I wonder if the government wants to comply?  […]

  3. […] Kimberley Communities are to get faster broadband. The Liberal Party – still flogging a lame duck. Dave "The Dominator" Bath wants you to submit, once again – this time to a NSW Privacy Commission consultation. Ken Lovell […]
