The Insurance Council of Australia (ICA) supports a mandatory notification regime for serious data breaches, but cautions the system should be “pragmatic”, with minimal regulatory burden on companies.

In its response to a discussion paper from the federal Attorney-General’s Department, ICA argues the proposed notification regime’s scope must be better defined.

The draft bill limits the scope of mandatory notification to “serious” data breaches.

In part this includes cases in which there is a “real risk of serious harm” to individuals to whom information relates.

ICA believes the definition of “harm” and “risk” should be more tightly defined.

“In determining whether a breach has caused a real risk of harm to an individual, it would be preferable to establish an objective standard of assessment.”

Referring to the draft bill’s list of harms, ICA says “emotional harm” is a “very broad and fluid concept”. It also expresses confusion over the difference between “economic” and “financial” harm.

“To provide certainty…the draft bill should be amended so an exhaustive list detailing the elements of harm is provided,” it says. “This exhaustive list should remove subjective elements of harm, including psychological and emotional harm.”