The Commonwealth Government has published a discussion paper, Australian Privacy Breach Notification, about the possible introduction of mandatory data breach notification laws. A data breach occurs when personal information is improperly accessed, obtained, used, disclosed, copied or modified.
Currently, there is no requirement under the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) or any affected individual in the event of a data breach.
However, the OAIC has published a voluntary guide: Data Breach Notification: A guide to handling personal information security breaches.
Questions raised by the discussion paper include:
Should Australia introduce mandatory data breach notification laws?
What kind of breaches should trigger notification requirements?
Who should decide whether notification is necessary?
What should be reported and how quickly?
How should a notification requirement be enforced?
Who should be subject to a mandatory data breach notification law?