Some Australian companies have failed to notify affected individuals of data breaches, according to the Office of the Australian Information Commissioner (OAIC).
In a speech last month, Commissioner Angelene Falk said that many companies had engaged proactively with the OAIC after a breach, but not all of them.
"But further regulatory action has been necessary, and I have issued a direction to compel notification where we uncovered a failure to notify individuals," Falk said during Privacy Awareness Week.
Under the Notifiable Data Breaches (NDB) scheme, introduced on 22 February 2018, an organisation that suspects an eligible data breach has up to 30 days to assess it, and once it has reasonable grounds to believe an eligible breach has occurred it must notify the Commissioner and the affected individuals as soon as practicable.
Falk said that a number of Commissioner-initiated investigations into organisations' compliance are nearing completion.
She said there has been debate in the community about how to regulate data breaches, with some favouring a collaborative approach between the regulator and business that encourages sharing of lessons learned, rather than naming and shaming, which could discourage reporting. Others, Falk said, would like to "see greater use of the regulatory stick".
"While we will continue to work constructively with organisations that experience a breach, and to take a proportionate and evidence‑based regulatory approach, we will be exercising regulatory and enforcement powers where necessary," Falk said.
The OAIC said that the first year since the introduction of the NDB scheme has been focused on assisting organisations to comply with their notification obligations and understand the causes of data breaches to prevent them in the future.
"We have worked with notifying organisations to ensure breaches are contained and rectified, affected individuals are informed so they can act swiftly, and that measures are put in place to prevent a reoccurrence," an OAIC spokesperson told ARN.
A total of 1027 data breaches were notified between February 2018 and May 2019. The most recent quarterly report from the OAIC showed a drop in notifications, with a total of 215 between January and March 2019.
In comparison, during the 2017 financial year, the OAIC received 114 voluntary data breach notifications.