Canadian data breach notification guidelines -- jointly created by the Information and Privacy Commissioners for British Columbia and Ontario -- have made their way to the land down under.
Last week, Australian Privacy Commissioner Karen Curtis released the Voluntary Information Security Breach Notification Guide, which aims to assist organizations in effectively responding to information security breaches. The draft guide credits voluntary guidelines by both the Privacy Commissioners of Canada and New Zealand.
"We had worked with the New Zealand privacy commissioner and showed her our breach notification assessment tool," Ann Cavoukian, Information and Privacy Commissioner of Ontario, said. "She took it and developed one in New Zealand similar to ours. It's great to see Australia follow suit." The jointly created Canadian breach notification guide was created in December 2006 and outlines steps on when and how to notify affected individuals.
"When you're notifying somebody of a breach relating to their data, you've got to be perfectly clear and concise," Cavoukian said. "In regards to the preferred method of notification, we think direct contact either by phone, letter or in person are the most effective methods."
As for what to include in the notification, the assessment tool advises organizations provide a general description of what happened without a lot of legal jargon, outline the steps taken thus far (and will be taken in the future) to control or reduce the harm, and the steps the individual can take to further protect themselves.
"You've got to be practical and do things as quickly as possible," Cavoukian said. "You need to contain the damages, get the notices out, fix the problem and prevent it from reoccurring. You've also have to be practical about it and notify people in a way that's not full of legal legalese and provides clear notice as to what you're doing."
Currently, Australia's privacy legislation does not specifically require an agency or organization to notify individuals, or even the privacy commissioner, of a data breach. However, an amendment to the Australian Privacy Act to require mandatory data breach notification is under way.
The same story is playing out in Canada. Last year, the federal government recommended that data protection laws -- specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) -- be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach.
Cavoukian hopes the breach notification assessment tool, along with the influence it is having on the other side of globe, will inspire the federal government to implement an effective and common sense approach on breach notification.
"They're certainly aware of our guidelines, so I'm sure it's food for fodder for them," she said. "We've had very good feedback on our guidelines and I'm sure it'll be one of the things that they take into consideration."
But some organizations such as the University of Ottawa's Canadian Internet Policy and Public Interest Clinic (CIPPIC) want the government to go even further. Responding to an Industry Canada request for public consultation on data security laws earlier this year, CIPPIC recommended that mandatory reporting of data breaches to a publicly-accessible electronic registry is the most effective way to persuade corporations to shore up their potential security risks.