Privacy Commissioner and estimates
June 2, 2014
Senate estimates are both a valuable part of the democratic process, holding governments accountable and reviewing expenditure, and good media fodder. They can also be tedious.
The Legal and Constitutional Affairs Committee quizzed the Information Commissioner and the Privacy Commissioner on 29 May 2014. It is found here. Noteworthy comments were:
Data Breach notification.
Senator SINGH: Professor McMillan, I want to ask about privacy alerts and whether you support the introduction of mandatory notification requirements for serious breaches of data.
CHAIR: Senator Singh, this might have to be your last question because I have four other senators and 15 minutes left. So could you make this your last question?
Prof. McMillan : Legislation was introduced into the parliament under the previous government for mandatory notifications.
Senator SINGH: Yes, I have now introduced a private member’s bill.
Prof. McMillan : It was called the privacy alerts bill. At the time the Office of the Australian Information Commissioner put out a statement saying that it supported the passage of that legislation. We have made no subsequent statement on the issue.
Senator SINGH: You obviously stand by that previous statement. Are you aware of what significant data breaches have occurred in the last few years?
Prof. McMillan : I will transfer that question to the Privacy Commissioner.
Mr Pilgrim : Yes, we are aware, obviously, of a number of major data breaches that have occurred over the last few years. Just to give you an idea, they will vary in severity and the number of people that have been impacted. For example, in the current year, 2013-14, we have become aware of 67 matters. Again, I would stress that they vary between impacting on small numbers of people and large numbers of people. To give you one other figure in comparison, in the previous financial year, we were aware of 74 matters that we would describe as being data breach notifications.
Senator SINGH: Why is it important to Australians to be notified of breaches of their personal data?
Mr Pilgrim : There is a question about whether or not people need to be notified on every occasion when there is a data breach. In some circumstances it may not be advisable to be notifying people because it could cause unnecessary concern when it is a minor breach. Our office has issued a voluntary guide for organisations to use to determine how they should respond to a data breach when they have that. As part of that guide it does set out the issues that they should consider in terms of whether they should notify the affected individuals or not, and whether they should notify our office or not. Those matters will relate to, again, severity and the likelihood of harm to the individual as a result of the breach. There are a number of issues.
Senator SINGH: Do you know of any other countries that are introducing data-breach legislation?
Mr Pilgrim : I know it is an issue that is under active consideration in a number of other jurisdictions around the world. I cannot actually recall which countries have specifically introduced that type of law. I am aware that the EU have been considering it as part of the reforms to their directive. I am aware that it has been under active consideration in countries such as Canada and New Zealand.
Senator SINGH: Are you aware of any examples of—
CHAIR: We might have to leave it there for—
Senator SINGH: significant data breaches in Australia; recent examples at least?
Mr Pilgrim : There have been a number of data breaches over the last couple of years that I have issued a report on, having concluded an investigation, and those reports are on our website.
Staffing
Senator RHIANNON: I am just trying to get the exact number of full-time equivalent staff.
Mr Pilgrim : Yes. The budget-funded positions in the office at the moment are 63.3 staff. The budget papers estimate a saving of 23 positions. Of course, it is proposed that there will be a new office of the information commissioner and the staff numbers for that, as I understand it, have not yet been completely clarified. Also, there will be a transfer of an estimated six staff positions to the Attorney-General’s Department for functions that will be discharged there and one staff position to the Administrative Appeals Tribunal.
Senator RHIANNON: Could I just get an idea of how many will be lost to the work? Some are going to be transferred. How many in total will be transferred—just so we can get an idea of what we are going to lose?
Prof. McMillan : It is probably better that detailed questions about staff positions and savings are directed to the department which has responsibility for those aspects of the budget.
Senator RHIANNON: Could the department just give us a figure on the number lost? I am short on time and I am just after a clear figure, if that is possible.
Mr Minogue : It is very difficult to give a precise figure, and to some extent it would be unnecessary and imprecise to do so. Essentially, this is a process that we will be working through with the commission in relation to both the privacy ongoing functions and some of the FOI functions that will come to the department. We will be working with the commission’s office to do the best we can. But, yes, there will be some implications for staff; there is no doubt.
Privacy Complaints
Senator RHIANNON: Thank you. Professor McMillan, or maybe this is for Mr Pilgrim; it is about privacy complaints. I understand that privacy complaints—I saw these figures on your website—are expected to increase by 100 per cent and the total workload of OAIC is expected to increase by up to 20 per cent. How do you see this workload being managed under the new arrangements? Again, I might need to go to Mr Wilkins or somebody else; but could you comment, please.
Mr Pilgrim : To the extent of commenting on the numbers, I will just give you two figures. The figures for the financial year 2012-13: we received 1,496 privacy complaints. In the year to date, 2013-14, we have received approximately 3,900 complaints. So there has been a significant increase in the number of complaints coming through to the office. In terms of how we are approaching those, we obviously have processes for dealing with assessing the complaints and looking at the ones that need to be dealt with immediately and triaging those, and we are looking at processes for streamlining how we will respond to those.
As part of the new privacy reforms that came in on 12 March, we now have mechanisms by which we can formally recognise external dispute resolution bodies that will be able to handle privacy complaints in certain areas, such as the credit provisions under the act. We are going to be meeting with those external dispute resolution bodies to work with them on their taking up some of the complaints that come through in particular sectors. In terms of the ongoing impact of the changes, they are matters that we are in discussion with the department on at the moment.