This submission, made by the Australian Privacy Foundation, offers a response to the previously published Privacy Breach Discussion paper.
Data breach notification has been addressed in guidelines released by the Privacy Commissioner/Office of the Australian Information Commissioner (PC/OAIC).
The guidelines set out the following four steps to consider in responding to a data breach or suspected breach:
Contain the breach and do a preliminary assessment;
Evaluate the risks associated with the breach;
Notification;
Prevent future breaches.
In relation to notification, the guidelines provide that this should be considered in the context of the particular circumstances of the breach. While the guidelines point out that notification may be an ‘important mitigation strategy’, they provide that whether or not a breach should be notified should be considered on a case-by-case basis.