New privacy guidelines could help businesses give customers greater confidence that personal information such as credit card data is being held securely, Federal Privacy Commissioner Karen Curtis says.
Curtis today released draft security breach notification guidelines designed to help businesses decide how to handle customer information and what to do if there is an inadvertent breach of that information.
The guidelines recommend a four-step response to an information breach:
- Contain the information breach and assess how it occurred.
- Evaluate the risk to customers from the breach.
- Consider whether customers should be notified of the breach.
- Take action to prevent future breaches.
Queries from businesses and government agencies about how to deal with breaches of customer information were a key motivation behind the release of the guidelines, Curtis says.
“We have had a few businesses call because they want to do the right thing when information has been lost – they are generally things like a USB memory stick or laptop with customer information on it has been stolen or paper files go missing when a car is stolen,” Curtis says.
Although compliance with the guidelines will be voluntary, they could help give businesses an edge with customers who are increasingly concerned with the safety of their personal information.
“You could lose business if people aren’t happy with how you’ve handled information, so it’s really about protecting your brand and realising the community are getting more and more concerned about how information is being handled and the risk of identity fraud,” Curtis says.
The release comes ahead of a review by the Australian Law Reform Commission, due in May, that is expected to recommend wide-ranging changes to privacy regulations.
Information privacy in the workplace is also becoming an issue, with the Government yesterday announcing laws that could give employers new rights to read workers’ email, although many employers already do this in line with their policies.
Businesses and other stakeholders have the opportunity to make comments on the draft security breach guidelines until 16 June 2008. Businesses taking measures to address information security can also participate in Australian Privacy Awards run by the Office of the Privacy Commissioner.