Wednesday, December 09, 2015
It Is Not Before Time We Are Seeing This Come In. All Data Breaches Should Be Notified To All Those Affected.
The report of that inquiry had recommended the creation of such a scheme.
The government has lived up to its commitment of a public consultation on the scheme. The Attorney-General’s Department is accepting submissions on the exposure draft until 4 March next year.
The scheme as currently drafted would oblige businesses to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by a breach.
A “serious breach” involves personal information, credit reporting information, or tax file information being subject to unauthorised access or disclosure and putting those individuals affected at “real risk of serious harm”.
Whether an individual was at risk of “serious harm” would depend on a number of factors, such as whether the information is encrypted (and how hard that encryption would be to break) and the sensitivity of the information.
The government has published an exposure draft of its long-awaited bill for mandatory data breach notifications, specifying what it considers to be a serious breach and how organisations will need to respond.
The bill runs along almost identical lines to the Privacy Alerts bill introduced by Labor in 2013, and again last year. It is understood to have bipartisan support.
It outlines what the government considers to be a serious breach and details the steps an organisation must take to address such an incident.
A serious breach, under the bill, occurs when there is unauthorised access to, disclosure or loss of customer information held by an entity, which as a result generates a real risk of serious harm to individuals involved.
Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.
An entity must notify customers, the Privacy Commissioner and potentially the media "as soon as practicable after it is aware" or has reasonable grounds to believe a serious data breach has occurred.
Australians will be informed of certain breaches of their personal information under new laws being proposed by the Turnbull government, but only if the company or organisation breached turns over $3 million in revenue a year.
The government was meant to introduce the bill into parliament before the end of the year but left it until the last sitting day of the year to release an exposure draft before its likely introduction into parliament next year.
If passed, the bill will require companies to disclose a breach within 30 days if it concerns personal information and "there is a real risk of serious harm to any of the individuals" to whom the information relates.
At present, companies, federal government agencies and various other Australian organisations are not required to disclose breaches by law. Nothing stops them, however, from voluntarily disclosing a breach.
Vice chair of the Australian Privacy Foundation, David Vaile, said that the $3 million threshold of compliance — something that has existed in the Privacy Act for some time — was "a potential problem".
"A backyard data-munging operation can now cause as much damage, and release as much data (but may be less scrupulous or well defended) than any big bank, telco or government agency," he said.
There is a request for submissions which closes on March 4 next year.
My simple view is that the opening position is that anyone who chooses to collect personal information from you should let you know if they let it loose to anyone you have not authorised to have access.