
August 26, 2008

Privacy and data breach notification

The recent ALRC Privacy Law report noted that given the increasing fear of identity theft and fraud, most customers and users of government services believe they have a right to be informed when the security and privacy of their personal information have been compromised.

Consequently, the ALRC recommends the introduction of a mandatory data breach notification scheme.

The ALRC has recommended that an agency or organisation only be obliged to notify affected individuals and the Privacy Commissioner when a data breach has occurred that may give rise to serious harm to any affected individual.

The government has indicated it will deal with this issue in the second stage of its response in the next 12 to 18 months.

In the meantime, the Australian Privacy Commissioner, Karen Curtis, has released a "Guide to Handling Personal Information Security Breaches" (pdf). It is a voluntary guide for use by businesses, agencies and non-government organisations in preventing and, if necessary, responding to a data breach.

The Guide includes four key steps to consider when responding to a breach:

Step 1: Contain the breach and do a preliminary assessment

Step 2: Evaluate the risks associated with the breach (risk analysis is on a case-by-case basis: not all breaches necessarily warrant notification).

Step 3: Consider notification

Step 4: Prevent future breaches.

With regard to Step 3, the Guide suggests that individuals affected by a breach should only be notified where a breach creates a real risk of serious harm to the individuals.

The Guide also includes illustrative examples to help an organisation decide, for instance, whether notification is an appropriate response to a particular breach.


Posted 26th August 2008 by David Jacobson in Risk management

August 22, 2008

What risk management procedures do your third party providers have?

Imagine the response if your customers received someone else’s account details in a letter addressed to them.

That is what happened to customers of Goldfish, a credit card subsidiary of Barclays (Telegraph UK).

According to ComputerWeekly, a processing error at the printer the company uses to produce statements meant the statements were printed incorrectly: the front page was correct, but subsequent pages contained the account information of other people.

What procedures do your contractors have to avoid these types of errors? How do you monitor them? (Some of my clients have "dummy members" so they see every mail-out.) How often do you audit their procedures?

And if something goes wrong do you have a rapid response plan?


Posted 22nd August 2008 by David Jacobson in Risk management