In the US we often take a knee-jerk approach to notifying people about data security incidents. Our enterprises therefore issue a bunch of confusing and unnecessary data security breach notices. It is hard for US consumers to tell the difference between an important notification and a meaningless one. Australia's draft voluntary guidelines therefore deserve praise. They are more intelligent than the typical US approach. They advise a dataholder to evaluate the true impact of a putative data security breach as part of the decision whether to send a notice and what to say in the notice if it is sent. --Ben