A Senate committee has given the green light for the upper house to pass the “privacy alerts” legislation, as the Association for Data-driven Marketing and Advertising is pushing for more consultation.
ADMA has offered to work with the Privacy Commissioner to establish a new voluntary code, which would replace the current guidelines, as an alternative to the proposed privacy legislation reforms.
ADMA’s code would aim to define what entails a “serious data breach”, have benchmarks for different kinds of data issues including cyber-attacks and hacking, and give details of third party monitoring, auditing and enforcement.
Yesterday the Senate committee deemed the Privacy Alerts Bill, which deals with issues such as data breaches and how businesses should handle them, should be passed by the Senate despite criticisms there hasn’t been enough consultation with industry.
Attorney-General Mark Dreyfus said in May the bill is aimed to protect consumers.
“It will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices,” he said.
If this bill is passed by the Senate, the Privacy Act will be amended to introduce mandatory data breach notification, meaning businesses will need to inform consumers of serious data breaches, or risk being subject to penalties.
Businesses will be required to prepare a detailed statement concerning the breach, provide a copy of the statement to the Privacy Commissioner and notify affected consumers by publishing a copy of the statement on its website.
Responding to the committee’s findings, the chief executive of ADMA, Jodie Sangster, told SmartCompany the reforms have been too rushed and there hasn’t been enough consultation.
“It’s coming to the end of the parliamentary sitting with a possible change of government later this year and there is a flurry of legislation where it’s trying to push through legislations which are popular with the voters, so they can show they’ve actually acted in certain areas.
“This reform has been rushed through at a rate of knot without any thought of businesses,” she says.
Sangster says businesses are already under pressure from a number of reforms going through Parliament, such as the 457 visa legislation, which will result in increased compliance costs, and now businesses “have got this on top of it all”.
“Legislation is meant to address a harm, and there is nothing which has been put forward which says this is an issue with the current guidelines, and the Privacy Commissioner has said the voluntary legislation is working.
“There are a number of question marks which haven’t been addressed such as what constitutes a serious data breach, so ADMA will be developing guidelines so businesses understand what this is,” she says.
In submissions to the Senate committee, other business groups also raised concerns over the new legislation.
The Australian Bankers Association said the bill was unclear.
“The issue for entities is going to be determining what to report and what not to report. It is critical for the [Australian Information Commissioner] to be required to develop guidelines for industry on this matter,” the submission says.
The Communications Alliance submission pushed for a “threshold test” to be developed so businesses could determine if serious harm would be caused.
“In the absence of a definition of ‘serious harm’, it is possible that the legislation will cause an organisation to take a risk-averse position in order to avoid breaching such an obligation. This could potentially result in over-reporting of relatively minor data-related issues,” the Communications Alliance said.
Sangster says over-reporting would be detrimental to the intended impact of the legislation and would result in consumers ignoring notifications about data breaches.
“You don’t want businesses to over report and have consumers overwhelmed with information about what’s happening with their data when there is no real harm.
“It’s a little bit like anything, if you’re getting an awful lot of notices coming through, you won’t take any notice of them and you want the consumers to take notice and not tune out. This undermines the purpose of the data breach reporting code guidelines,” she says.
Sangster says guidelines, such as those which already exist, are put in place when legislation isn’t necessary, but privacy laws are also in existence which protect consumers.
“Privacy laws make businesses accountable to the regulator, and in addition to this, there is a voluntary guideline which talks about what businesses should do if there has been a data breach which will affect consumers,” she says.
Submissions in favour of the legislation argued the standard set out by the reforms which state a serious breach involves “a real risk of serious harm to the individual” is a commonly understood concept among agencies and this could be adapted to fit changing circumstances overtime.