Many other countries have mandatory reporting laws and there is pressure on the Turnbull government to act following high-profile cases such as the theft of information from dating website Ashley Madison.

Significant under-reporting

Voluntary disclosures have more than doubled in the past six years but the Office of the Australian Information Commissioner (OAIC) says there is still significant under-reporting.

OAIC figures show the federal immigration department, credit rating agencies and banks are among the most-complained-about organisations in relation to alleged privacy breaches.

The Australian Law Reform Commission recommended mandatory reporting in 2008, noting the large and growing volume of information being kept electronically.

In early 2015, the federal government agreed with a similar recommendation by the Parliamentary Joint Committee on Intelligence and Security.

In a draft regulatory impact statement in December, it was revealed three options were considered: maintain the status quo; mandatory reporting; and a series of industry-based codes enforceable by the OAIC.

While the draft legislation specifies mandatory reporting, the government is also seeking feedback on the other options.


Worth considering

Australian Chamber of Commerce and Industry chief executive Kate Carnell said self-regulation was worth considering.

"We accept that probably option one, doing nothing, is not an option," she said.

"The great dilemma in this sort of situation is that various businesses and industries may be interpreting very differently what should be reported and what shouldn't. Industry self-regulation could overcome that."

The statement says the introduction of mandatory reporting will be cost-neutral.

"Research indicates notification costs amount to a small percentage of the overall cost of a data breach," it says.

The Department of Immigration and Border Protection experienced a surge in complaints in 2014-15 because of the release of sensitive information about individuals in immigration detention.

New reporting system

Credit agencies were also moving to a new reporting system, which might have led to more complaints than usual, the OAIC annual report says.

Three of the big four banks – Commonwealth Bank of Australia, Westpac and ANZ – were among the most-complained-about organisations.

"We respect the privilege of protecting our customers’ information, which is why we have and operate under strict privacy policies, and we will never deliberately compromise the trust, security and privacy of our customers," a CBA spokesman said.