Another key principle the ALRC proposed concerns the regulation of cross-border data flows: an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.
Government agencies and business organisations will also be required to notify individuals and the Privacy Commissioner where there is a real risk of serious harm occurring as a result of a data breach.
Gartner's Walls said that large organisations engaging in good security practices already have the processes and infrastructure required to monitor and identify breaches, and therefore will not require large expenditure to comply. The impact of changes to the Privacy Act will instead be felt on the human side of business rather than the technology side.
"Notification [of a data breach] to the government and affected individuals is actually a public relations activity, a marketing function. So organisations will have to take their incident response and incident management teams and integrate them with PR," he said.
Walls also suggested we get ready for an onslaught of data breach headlines.
"The reality is there probably won't be any more [data breach] activity than normal, we're just going to hear and talk about every one now, which is a healthy thing because it provides transparency and establishes security performance as a market differentiator. But it will be painful for a few years," he said.
Walls said he was somewhat disappointed with the data breach notification proposals, particularly because the threshold that must be reached before notification is required is decided by the organisation, not by the individual whose information has been exposed.
"They made some very ambiguous statements about level of harm. If an organisation experiences a breach on just one person's details out of hundreds of thousands then that is not a big deal for the organisation. But for that individual it could be catastrophic, so by adopting this test based on the organisation's assessment the recommendations are really saying privacy is a problem for business and government agencies, not an individual problem."
In the US, Walls said, if private data is breached the individuals are notified, whether it is one or one thousand customers.
"The company doesn't get to say 'no, it's not that big a deal, we'll ignore it'. But under this reasonable test that may not occur."
The ALRC also made recommendations to give the Privacy Commissioner more power to exact stronger penalties on non-compliant organisations, allowing the Commissioner to seek court orders enforcing compliance, or imposing monetary sanctions or civil penalties for serious or repeated breaches.
"We were responding to community concerns there that the Privacy Act might be a bit of a toothless tiger, so we wanted the Privacy Commissioner to be able to issue notices to comply; amazingly, they can't do that at the moment," Weisbrot said.
More comprehensive credit reporting has also been recommended to facilitate better risk management practices by credit suppliers and lenders.
"I've actually asked friends and neighbours what they think can be collected and they are astonished at how limited it is," Weisbrot said.