4 steps to deal with data breaches
Wed, 2 May 2012 4:15pm

Today BRR Media speaks with Kaman Tsoi; he's a Special Counsel in the Technology and Privacy team with Freehills in Melbourne. Welcome back to BRR Media, Kaman.

Thanks a lot Dave it’s great to be here.

Kaman data protection and privacy are back in the headlines after the Office of the Australian Information Commissioner released guidelines setting out key steps for organisations to deal with data breaches.

Yes I guess they were hoping for a few headlines, it’s actually Privacy Awareness Week at the moment which is something that the Information Commissioner’s Office co-ordinates with a few other similar regulators around the world.  So sometimes what they do is stockpile some of their big announcements for this week.  This is an area that has been a big one.  They first put together the original version of this guide back in 2008, and since then it’s been quite an area of activity for the Office of the Information Commissioner.  Over the 2010 and 2011 financial year they dealt with notifications from 56 organisations and government agencies that were subject to these sorts of incidents.

Well if we can just look at the guide that’s been released this week, what are some of the key steps that are set out in that guide when faced with a data breach?

Certainly, look they try to take a fairly practical approach with the guide, you know I think it is a good and very useful document, in that they sort of map out, you know, exactly how to approach things if one of these incidents occurs, and that's very useful because if an incident occurs to you, you need to act quickly. So they set it up around a four step process, so the first step that they say is to contain the breach and do a preliminary assessment. So the idea there is to do whatever you can immediately to stop things getting worse, and potentially that may involve some immediate notification of third parties, such as the individual or banks or police. The next step then is to evaluate the risks associated with the breach, and that can be looking at both risks of harm to the individuals themselves and also risks to the organisations such as legal liability and public relations, those types of issues. The next step then is the main notification step, and that's where consideration is given to whether and to what extent you notify the individual, you notify the Office of the Information Commissioner, possibly other parties such as insurers or other regulators. And then finally the last step is to prevent future breaches, and I guess that is really an ongoing part, you know in one sense that could be the first step and you may not need to get into the other ones.

Absolutely.  Well just looking at I guess the downside to some of these, what are the penalties if you fail to take these steps?

Yeah it's an interesting question and this is where, you know, there are some subtle differences with the changes in the new guide. The guide continues to be a voluntary guide, but sort of pitched I suppose as a best practice guide, so they're not sort of explicitly saying that data breach notification is mandatory if one of these incidents occurs, and we are a little bit different to some other countries in that respect where there are mandatory requirements, but they are at the same time perhaps being a little bit more ecstatic about the links between requirements under the Privacy Act to protect the security of personal information, and some of these sorts of failures that might (a) lead to a data breach in the first place, but also in how you deal with the data breach, as in you know have you made the appropriate notifications? Did you have the appropriate data breach policies and response plans in place? So if any of those things are going to be breaches of the Privacy Act then they could be subject to investigation by the Office, their orders could include things like compensation to affected individuals and also taking other steps to remedy the breach. Beyond the actual Privacy Act consequences there could be situations, for example if the breach involves credit cards, where there could be fines imposed by a credit card scheme, like Visa or MasterCard, under the Payment Card Industry Data Security Standard. And we've also seen that there have been some cases where the allegations go further than just privacy, you know in taking sort of broader legal concepts such as negligence or breach of confidence, you know in those cases they can also give rise to damages claims.

And Kaman I just want to take up your point you mentioned mandatory data breach notification laws which are in place in some other countries, are we likely to see mandatory breach notifications become more here in Australia?

In one sense this new guide from the Information Commissioner sort of weighs into that debate, there was a recommendation made by the Australian Law Reform Commission in 2008, when it conducted a major review of Australian privacy law, and they recommended that a mandatory requirement be introduced.  The new guide strongly supports that recommendation.  There are some reforms to the Privacy Act due to be tabled in Parliament in the next month or two, we’re unlikely to see this requirement go into that round of amendments, and I suspect down the track it probably is something that we will do, sort of taking the lead from countries like the US and the EU that have a lot of these sorts of requirements in place.

Well some great insights and thank you again for your time today Kaman.

No problem, thanks a lot Dave.

That was Kaman Tsoi, Special Counsel in the Technology and Privacy team at Freehills in Melbourne. Listeners, if you have any questions for Kaman about this interview please send a message using the panel on your screen or you can otherwise email through to law@brrmedia.com and we'll forward your query.