Once more unto the breach
Once more unto the breach, dear friends, once more
Or close the wall up with our English dead.
In peace there's nothing so becomes a man
As modest stillness and humility
Henry V - Shakespeare
Reports of data breaches have dominated headlines recently, such as the coding error at Optus which resulted in the names, addresses and mobile phone numbers of 122,000 customers who had elected to remain unlisted from the White Pages to be published in the online directory without their consent. There was also the Sony Pictures Entertainment hack, which resulted in the release of personal information about employees and their families, emails between employees and information about executive salaries at the company.
In some instances, the first that an affected individual hears of the breach is when it is revealed by the media, which raises the question about why the entity did not notify the affected individuals when it first became aware of the breach.
While the Information Privacy Act 2009 (Qld) does not specifically require an agency to notify individuals who have been affected by a privacy breach, notification can enable an individual whose privacy has been breached to take measures to limit what harm may result from the breach. For example, an individual may be able to change credit card numbers or seek to have compromised identifiers reissued. Notification can also demonstrate a commitment to open and transparent governance.
In general, if a data breach creates a risk of harm to an individual, the affected individuals should be notified. However, there are occasions where notification can be counter-productive.
The Office of the Information Commissioner has recently updated its guideline on privacy breach management. The guideline sets out the factors to consider when deciding whether notification is appropriate, provides examples of when notification may be and may not warranted, and includes tips for the content of the notification advice should notification be warranted.
For more information, please refer to the OIC Guideline: Privacy breach management and notification.