Legal and Constitutional Affairs Legislation Committee questions Office of Information Commissioner in Senate Estimates on 23 October 2023

October 27, 2023

Senate Estimates are an invaluable way of scrutinising government departments and asking questions on issues that do not find their way into Government reports. So it was that the Senate Legal and Constitutional Affairs Legislation Committee asked some long overdue questions of the Information Commissioner on 23 October 2023. With the Information Commissioner, top of the list of questions is the delay in investigating complaints and the lack of vigorous enforcement by the Commissioner. Compared to other privacy regulators, the Australian Information Commissioner’s Office is tardy and timid.

Senator Shoebridge asked questions relating to those very issues. The answers were not particularly inspiring. The good Senator highlighted what privacy practitioners have long suspected: that the Commissioner doesn’t do enforcement. This extract is revealing:

Senator SHOEBRIDGE: How could it be that 1,748 data breaches are referred to your office with not a single penalty over two years? What has gone wrong?

Ms Falk : It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances.

Senator SHOEBRIDGE: It’s about never using the stick, isn’t it—never.

Ms Falk : That’s not the case. You’ll be aware that I do have proceedings before the Federal Court in relation to Facebook and also aware of the time that it takes for these matters to progress.

The regulatory strategy is not to take enforcement action. In the US or the UK, enforcement would very much be to the fore. Here it is not the “right tool.” Little wonder that there is a very poor privacy culture. If enforcement is off the table, there is no concern about the consequences of data breaches or privacy infringement, at least from the regulator. And currently, as the law stands, the regulator is the main source of action.

It is a lamentable state of affairs.

The transcript provides:

CHAIR: I now welcome officers from the Office of the Australian Information Commissioner. We won’t have time for an opening statement—if you could table what you have. Thank you, Commissioner, for joining us and for sticking with us throughout the day. We apologise that we don’t have an enormous amount of time to spend with you. I wanted to quickly ask about one matter, and then I’ll hand the call over to Senator Shoebridge.

This is probably a matter that’s been raised with most members of this committee. I want to bring your attention to a complaint made to the OAIC on 24 November 2022 in relation to an alleged data breach at Amex. The complainant, who I’m choosing not to name but I think is well known to those on the committee and those familiar with this matter, gave really powerful and harrowing evidence to this committee on 27 July in the context of this committee’s inquiry into sexual consent laws in Australia. Can I take it that you’re familiar with this matter, Commissioner?

Ms Falk : Yes, Chair, I am.

CHAIR: What I’m seeking tonight is to understand whether OAIC’s procedures for handling privacy complaints have been rigorously adhered to in relation to this matter, and seeking an assurance from you, if you can offer it, that the OAIC is giving this matter the attention that it warrants, given the seriousness of the complaint.

Ms Falk : Yes, the matter is being progressed. It’s being investigated. It is actually being progressed by the deputy commissioner. It has been given very senior consideration at the OAIC.

CHAIR: I don’t want to pre-empt any findings of the commissioner, obviously, but do you have an understanding of the time frame for resolving this? Given the nature of the complaint, I think there is a real urgency about resolving the matter.

Ms Falk : I completely understand the issue of urgency, and we are giving it the utmost attention. I can’t give you a finalisation time frame, but I will just assure you that it is progressing with the utmost attention by a very senior officer at the OAIC.

CHAIR: Certainly, after it’s been raised in this committee, hopefully that is the case. Senator Shoebridge, you have the call for the remainder of the evening, I think.

Senator SHOEBRIDGE: I join in the chair’s concerns, and I think there’s a whole series of members of parliament who have raised their concerns. Why do OAIC investigations take so long?

Ms Falk : Privacy complaint investigations take a range of time frames. We aim to finalise 80 per cent of all privacy complaints within 12 months. We’re meeting that KPI. The majority are in fact resolved in our early resolution phase; others take a longer period of time. But the particular matter that you have raised has been given the utmost priority and attention.

Senator SHOEBRIDGE: I’m not asking about complaints. I’m asking about when an investigation is undertaken. Have you got data on how many outstanding investigations there are, what’s the longest outstanding investigation and what the median time is for investigations—not complaints; investigations.

Ms Falk : Are you speaking about commissioner initiated investigations that are not the result of an individual complaint?

Senator SHOEBRIDGE: I wasn’t limiting it to either commissioner initiated or external complaints. I’m asking about privacy investigations.

Ms Falk : It might just assist me to understand what’s at the heart of your concern, because with privacy complaints there are statutory obligations to attempt conciliation where it’s reasonably possible to resolve the matter in that way. So we would go through that process. If that’s unsuccessful, it may actually be that the complaint is finalised at that point, continuing not being warranted. If there is a prima facie case that warrants investigation, it would then move to that phase. The length of time of the investigation depends on the nature of the information, the quantum of the evidence and so on.

Senator SHOEBRIDGE: Yes, that’s why I’m asking you: once it’s been determined to undertake an investigation and jurisdiction has been established—you must have some data on how long they take. For example, when on earth will the investigation into Wesfarmers Group’s potential use of facial biometric software finish? That commenced in July of last year.

Ms Falk : That is a commission-initiated investigation, and at the last estimates I indicated that I hoped to have that completed by the end of the last financial year. As it turned out, the respondent provided extensive further evidence that came before me after that estimates appearance, and that has required procedural fairness requirements, such that we’ve had to go through that evidence. It has taken longer than I would have hoped for. Again, I go back to the average time, which is 80 per cent resolved within 12 months. We have recently looked at that KPI, because we’re finding with commissioner-initiated investigations that the complexity is such that the forensic investigations that we need to undertake are taking longer.

Senator SHOEBRIDGE: Again, I’m not going back to complaints, most of which are resolved at or after conciliation. I’m asking about those investigations where conciliation has not resolved the matter and where there is a need to have an actual investigation, and investigations that are initiated by the commissioner. Will you provide that data on notice?

Ms Falk : Yes, I will provide that data on notice.

Senator SHOEBRIDGE: Can you give a list of outstanding commissioner-initiated investigations, when they commenced and what stage they’re up to?

Ms Falk : I will take that on notice.

Senator SHOEBRIDGE: This question might be to you, Ms Jones. What is the current situation for the recruitment of the standalone Privacy Commissioner?

Ms Jones : I’ve been responsible for chairing a formal selection process for that position. The panel that I chaired has completed the selection process and has provided a report to the Attorney-General. It is now a matter for government to make a final decision, but I am hopeful that that will occur in the very near future.

Senator SHOEBRIDGE: Given the very real concerns that have been raised in this committee’s review of freedom of information, including concerns about the way in which the office operated and the disputes between Mr Hardiman and Commissioner Falk, has there been any consideration given to whether or not it is appropriate to appoint a Privacy Commissioner without undertaking structural reform?

Ms Jones : We can discuss this further tomorrow. You may be aware that a strategic review has been provided for, and obviously we are working very closely with the Information Commissioner. I do think that represents a really significant opportunity. With the office now going back to the three-member structure, there is an opportunity now to look at the structure, the governance and a whole range of issues to support the more effective operation of the entire organisation.

Senator SHOEBRIDGE: But don’t you think that should be done before you recruit somebody—that you actually get the structure sorted? Otherwise, you could potentially see a repeat of the concerns we saw with Mr Hardiman and others.

Ms Jones : I think getting those positions filled as quickly as possible is critically important to support the functioning. You would certainly want to ensure that those officers had the opportunity, also, to help contribute to the discussions around the structure and the governance of the entity.

Senator SHOEBRIDGE: Could I ask what the status of the recruitment for the Information Commissioner is?

Ms Jones : That was progressed in parallel with the Privacy Commissioner. The selection process has been run and there is a report with government for its final consideration.

Senator SHOEBRIDGE: I’ll come back and revisit some of this tomorrow, in light of the structural review. Why is your office yet to issue a formal determination in relation to an eligible data breach?

Ms Falk : I’m sorry; I don’t understand the import of the question.

Senator SHOEBRIDGE: Why has there not been a penalty imposed or some other kind of regulatory action in relation to data breaches, given the urgent law reform that rushed through this parliament at the end of last year and the additional powers and prosecution options given to your office? Why has nothing come of it?

Ms Falk : We have four major investigations that are on foot and that are highly progressed: into Optus, into Medibank, into Latitude—that’s a joint investigation with the New Zealand Privacy Commissioner—and into Australian Clinical Labs. We’ve established a major investigations unit. We’ve got forensic experts assisting us, as well as an external legal team. We’ve also been working closely with the ACMA on the Optus data breach, in terms of collaborating on their investigation. There has been a great deal of activity in that regard, and there will be more to say on that shortly.

Senator SHOEBRIDGE: What does ‘more to say on it shortly’ mean?

Ms Falk : It means that the investigations are significantly progressed and there will be an outcome on those investigations shortly.

Senator SHOEBRIDGE: Has a single financial penalty been applied by your office in relation to an eligible data breach?

Ms Falk : Not to date, no.

Senator SHOEBRIDGE: How many data breaches has your office been alerted to in the last financial year and in this financial year to date?

Ms Falk : Last financial year we actually had a five per cent increase on the year before.

Senator SHOEBRIDGE: How many?

Ms Falk : The exact number I’d have to get to hand. It’s about 800 eligible data breaches. In relation to all of those, we conduct inquiries and ensure that rectification measures are put in place and that the cause is known, and we help entities to navigate the consequences of those breaches. I’ve got the statistics here before me now. Last financial year we received 895 data breaches, and the year before that it was 853. One-third of those relate to human error—issues like a GP practice sending a spreadsheet to the wrong recipient—but a large proportion also relate to malicious attack. We’ve seen an increase in cyberintrusion, hence the major investigations that are ongoing now and the specific funding that we’ve received in order to advance those.

Senator SHOEBRIDGE: So 1,748 eligible data breaches were referred to your office in the last financial year and the year before, and not a single penalty has been issued.

Ms Falk : Not to date. What we’ve done is ensured that the purpose of the notifiable data breaches scheme, which is that individuals are notified that they can take steps to mitigate their risk, as well as the transparency and accountability that results, has been achieved. We have had investigations running. They’ve been resolved by means other than by penalties. And I’ve said that we’ve got major investigations running now, which is a result of specific funding that has enabled that kind of regulatory activity and has been very welcome.

Senator SHOEBRIDGE: So, in the absence of specific funding, there wouldn’t be a single specific investigation for a potential penalty.

Ms Falk : We take the regulatory action that’s appropriate in the circumstances.

Senator SHOEBRIDGE: How could it be that 1,748 data breaches are referred to your office with not a single penalty over two years? What has gone wrong?

Ms Falk : It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances.

Senator SHOEBRIDGE: It’s about never using the stick, isn’t it—never.

Ms Falk : That’s not the case. You’ll be aware that I do have proceedings before the Federal Court in relation to Facebook and also aware of the time that it takes for these matters to progress.

Senator SHOEBRIDGE: We had the discussion about time, didn’t we, in the privacy reviews. It seems that everything—every part of the office—

Ms Falk : I think matters that are before the court are not within my control.

Senator SHOEBRIDGE: Whether it’s FOI or prosecutions for data breaches or investigations for privacy complaints, every single part of your office is mired in endless delays, isn’t it?

Ms Falk : No, that’s not the case. We have a very, very broad remit across the economy and a very high workload. I thank all of the staff of the OAIC for continuing to give their very best efforts to do their best for the Australian community every day.

Senator SHOEBRIDGE: All strength to them.

CHAIR: That concludes today’s proceedings. I thank the minister and the department officers for their attendance and I thank Hansard, broadcasting and secretariat staff. I will just seek a motion moved by the deputy chair to accept tabled documents received during the day. Thanks, senators. Senators are reminded that written questions on notice should be provided to the secretariat by 5 pm Thursday 2 November 2023.

It has been reported by Crikey under the headline Not one Australian company has been fined despite 1,748 data breaches in 2 years.
