Peter A Clarke

The Government today announced the appointment of Carly Kind as a stand alone Privacy Commissioner, effective on 26 February 2024. This is an appointment that was foreshadowed in May 2023. The Privacy Commissioner was never abolished, and is a statutory position. The Information Commissioner was created in 2010. The new Federal Government announced that it would abolish the Information Commissioner in the 2014 budget and for a time cut its funding drastically. The Information Commissioner also held the position of the Privacy Commissioner. The attempts to abolish the Privacy Commissioner ended in May 2016 and the Government increased its funding, Its funding situation has steadily improved since then. With data breaches being a high profile issue the Commissioner has received very significant funding increases. In this year’s May budget it received an extra $17.8 million for the 2023 – 24 financial year and $44.3 million to support privacy activities and another $9.2 million over two years to regulate privacy elements of Consumer Data Right, My Health Record and Digital Identity.

The timid enforcement and spotty regulation of the Privacy Act 1988 has been attributed to the inadequate  funding in the past, especially in the 2014 – 2016 period, and beyond.  That is partly true but far from the whole story.  The Privacy Commissioner then Information Commissioner was a less than optimal regulator in the period pre 2014 and after 2016.  Since it obtained civil penalty proceeding powers in 2014 it has only commenced two actions, one of which was earlier this month.  That is regrettable. 

The Attorney General’s announcement of the appointment is:

Carly Kind has been appointed as Privacy Commissioner, reinstating the standalone position abolished by the Coalition. Ms Kind brings to the Privacy Commissioner role expertise in data protection; AI policy, practice and governance; privacy; and technology law and policy.

Ms Kind has held the role of inaugural Director of the London-based Ada Lovelace Institute since 2019. Between 2015 and 2019 she was an independent consultant to a number of human rights organisations, trusts and foundations, international organisations and the private sector. She has provided advice on legal, ethical and practical issues at the intersection of technology and human rights.

Ms Kind will commence on 26 February 2024. Ms Angelene Falk, the Australian Information Commissioner, will continue as Privacy Commissioner until that time.

When the Government amends the Privacy Act, probably some time next year, the Privacy Commissioner is likely to have stronger powers. In addition to the enhanced powers given to her this year.  The test will be whether they are used and how effective such regulation is.

After coming off some serious questioning in Senate Estimates about poor enforcement practices the Commissioner announced on 3 November 2023 that the Office of the Information Commissioner has launched proceedings against Australian Clinical Labs on 2 November 2023 (file number NSD1287/2023). The Commissioner has filed a Concise Statement and Originating Application and Australian Clinical Labs Limited has filed a Notice of Address for service. The Commissioner is represented by DLA Piper, out of its Brisbane Office.  Previously the Commissioner has been represented by HWL Ebsworth.  Gilbert & Tobin, out of its Sydney Office, is representing Australian Clinical Labs.  GIlbert & Tobin represented RI Advice in the Federal Court case of  Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. That case has been heralded as a positive development in enforcing data security as an obligation of Financial Service Licensees under the Corporations Act 2001, being 912A.  While R I Advice was the subject of compliance orders and penalties it is fair to say that Gilbert & Tobin did a good job in keeping the stringency of the orders and penalty to a moderate level.  Compared to overseas penalties by the European regulators, the UK Information Commissioner’s Office and Read the rest of this entry »

Last Friday ( known trash day for those wanting to put out news that won’t get a run in the mainstream press) the Information Commissioner announced that she would not be seeking a third term. Her term ends in August 2024.  What is not clear from the statement was whether the Commissioner received an indication from the Government that  a third term was a reasonable prospect if she wanted it. 

Her statements is:

The Australian Information Commissioner Angelene Falk has advised the Attorney-General that after having the privilege of serving two terms she will not be seeking a third term.

The Australian Information Commissioner said: “I am greatly honoured to have led the Office of the Australian Information Commissioner (OAIC) through a time of exponential growth, technological development, heightened community expectations and great domestic and international change in the regulatory landscape. I remain focused on the protection and promotion of privacy and information access rights and ensuring the OAIC is well positioned for the challenges of the future.”

Commissioner Falk said the move to a three Commissioner model marked an exciting chapter for the OAIC.

“There is much I wish to do in the remainder of my term and a key priority is to support Commissioners in their roles and leverage our current strategic review so the OAIC can continue to serve the Australian community over the next decade,” she said.

The Attorney-General’s Department has advertised the position ahead of the conclusion of the Australian Information Commissioner’s term in August 2024.

Falk’s tenure has been more effective than her predecessors.  That is partly because she has had more resources of late and the pressures to do more given the increased number and size of data breaches have grown.  That said, previous Commissioners left a disappointing legacy.  Regulation has been weak and enforcement negligible.  As such Read the rest of this entry »

Senate Estimates are an invaluable way of scrutinising government departments and asking questions on issues that do not find their way into Government reports. So it was with the Senate Legal and Constitutional Affairs Legislation Committee asked some long overdue questions of the Information Commissioner on 23 October 2023.  With the Information Commissioner top of the list of questions is the delay in investigating complaints and the lack of vigorous enforcement by the Commissioner.  Compared to other privacy regulators the Australian Information Commissioner’s Office is tardy and timid.

Senator Shoebridge asked questions relating to those very issues.  The answers were not particularly inspiring.  The good Senator hightlighted what privacy practitioners have long suspected, that the Commissioner doesn’t do enforcement.  This extract is revealing:

Sen ator SHOEBRIDGE: How could it be that 1,748 data breaches are referred to your office with not a single penalty over two years? What has gone wrong?

Ms Falk : It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances.

Senator SHOEBRIDGE: It’s about never using the stick, isn’t it—never.

Ms Falk : That’s not the case. You’ll be aware that I do have proceedings before the Federal Court in relation to Facebook and also aware of the time that it takes for these matters to progress.

The regulatory strategy is not to take enforcement action.  In the US or the UK the enforcement would very much to the fore.  Here is is not the “right tool.”  Little wonder that there is a very poor privacy culture.  If enforcement is off the table there is Read the rest of this entry »

Its annual report time. And the Information Commissioner is no exception to this exercise ordained by law. And, in the tradition of the Australian Public Service, it was released on a Friday. The 19th October to be exact, even though the Information Commissioner signed the report as being 3 October 2023. That way it avoids serous scrutiny by the traditional media. There is no time to push out a story for the weekend papers and the electronic media would have no interest in that being a weekend story. By Monday the caravan has moved on.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) delivered work for the Australian community through unprecedented times in 2022–23 as millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme.

Releasing the OAIC’s annual report for 2022–23, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the volatile events of the financial year had underscored the need for the regulator to have the right foundations in place to promote and protect information access and privacy rights.

“Throughout the year, the OAIC has continued to develop and advocate for these foundations to support a proportionate and proactive approach to regulation. This includes appropriate laws, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and, importantly, collaboration,” Commissioner Falk said.

“As well as being a wake-up call for Australian organisations, the prominent data breaches emphasised how collaboration by regulators and government can assist in identifying and reducing harms.”

Commissioner Falk said the OAIC had sought to influence quality freedom of information (FOI) decision making by providing guidance to government agencies and working with them to improve the system. However, the OAIC still requires sufficient resources to meet current demand and address backlogs.

This year, applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years, and FOI complaints fell 2% to 212.

The OAIC finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 35% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

“We continued to engage with government agencies on issues of regulatory concern and to promote the principles of open by design, which support agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure,” Commissioner Falk said.

The OAIC performs an important privacy complaint handling role for the community. In 2022–23, it received 34% more privacy complaints (3,402, a record number) than in 2021–22.

In a year in which data breaches were so prominent, the OAIC received a 5% increase in notifications.

“Not surprisingly, our Australian Community Attitudes to Privacy Survey 2023 released soon after the end of the reporting period in August 2023, found that data breaches are seen as the number one privacy concern by the community,” Commissioner Falk said.

During 2022–23, the OAIC launched significant investigations into Optus, Medibank Private, Latitude Group and Australian Clinical Labs in relation to their data breaches. Investigations were also opened into the personal information handling practices of retailers Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.

The OAIC continues to co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission. During 2022–23, the OAIC provided advice on the privacy and confidentiality impacts of expanding the CDR to the non-bank lending sector, legislation to establish new functionality in the CDR to allow consumer-directed action and payment initiation, and new and amended data standards.

During the reporting period, the OAIC contributed to the Attorney-General’s Department’s review of the Privacy Act 1988. The Australian Government released its response to the review in September 2023 and legislation is expected in 2024.

“In the May 2023 Budget, the OAIC received additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future,” Commissioner Falk said.

“This is an opportunity full of promise and will occur alongside a change in the composition of the OAIC following the Australian Government’s announcement that the 3 statutory office holder model will be reinstated, with an Information Commissioner (as agency head), FOI Commissioner and Privacy Commissioner.

“The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.”

Read the OAIC Annual report 2022–23.

Key 2022–23 statistics

• • Received 1,647 applications for IC review of FOI decisions (down 16% compared to 2021–22) and finalised 1,519 (up 10%).
  • Received 212 FOI complaints (down 2%) and finalised 124 FOI complaints (down 44%). The fall in complaints finalised was due to a focus on finalising IC reviews received in 2018 and 2019.
  • Received 3,402 privacy complaints (up 34%) and finalised 2,576 privacy complaints (up 17%).
  • Received 895 notifications under the NDB scheme (up 5%) and finalised 77% of notifications within 60 days against a target of 80%.
  • Handled 11,672 privacy enquiries (up 7%) and 1,647 FOI enquiries (down 15%).

The overview provides:

In 2022–23 the OAIC delivered our work for the  Australian community through unprecedented times, as tens of millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme in 2018.
With the welcome support of additional government funding for privacy, we commenced and have
substantially progressed major investigations into these breaches. They have brought into sharp relief the requirement for boards across corporate Australia, Ministers and Secretaries of Departments, to prioritise investment in protecting personal information and limiting its collection and retention. As cyber-attacks become increasingly prevalent and impactful, it’s individuals who are at risk of harm but business and others with custody of personal information at risk of serious reputational damage.
This is why the OAIC seeks to serve the Australian people by putting the individual at the centre of our approach. We focus on applying our regulatory tools to promote access to government-held information and protect personal information. This means assessing where potential community impacts are most significant, being targeted in our approach, maximising the use of our resources, and adapting to a rapidly changing and increasingly complex environment.
Achieving that goal requires certain foundations to be in place: appropriate law, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and
importantly, collaboration.
The OAIC has developed these foundations to take a proportionate and proactive approach to identifying and reducing harms. We have sought to influence quality Freedom of Information (FOI) decision-making by providing guidance to agencies and working with them to improve the system. However, to achieve the vision for the OAIC’s role in FOI requires sufficient resources to meet current demand and address backlogs which have arisen since the office’s establishment, resulting in a legacy case load that persists and continues to grow.
This year applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years primarily attributable to the Department of Home Affairs; and FOI complaints fell 2% to 212.
We finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 37% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.
In 2018 the OAIC began efforts to garner support for a review of its functions and resourcing requirements, to ensure the organisation is positioned to meet the needs of the community. We have been consistent and persistent in our representations across all our functions. In the May 2023 Budget we were pleased to receive additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future. Read the rest of this entry »

The Office of the Information Commissioner has released the latest Data Breach Report for the first half of 2023. It was a reduction over the previous 6 months.  It should be noted that there are usually more data breaches in the second half of a year. 

Some of the interesting points made in the report was:

• Health services continued to be the most affected by data breaches, with 63 notifications of the total of 409.
• 42% of the data breaches resulted from cyber security incidents
• 288 of of the attacks were malicious or criminal attack
• human error breaches were the fastest to be identified in 30 days or fewer. 

• 21 of the 23 breaches that affected over 5,000 Australians were caused by cyber incidents. Of these,

  • 7 were caused by ransomware,

  • 7 by compromised or stolen credentials ,

  • 4 by hacking and 1 each by brute-force attack, malware and phishing (compromised credentials).

  • 2 breaches that affected over 5,000 Australians in this period were caused by a rogue employee or insider threat and theft of paperwork or a data storage device.

• 87% of information affected was contact information, such as an individual’s name, home address, phone number or email address.
• in 78% of cases the breaches were identified in 30 days or less.

The media release provides:

The need for organisations to strengthen data security and promptly respond to suspected breaches is highlighted in the latest Notifiable data breaches report, released today.

The Office of the Australian Information Commissioner (OAIC) expects organisations to have robust and proactive procedures in place to protect the personal information they hold, Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Commissioner Falk said.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”

The Notifiable Data Breaches scheme aims to protect individuals by requiring that they are notified when they are at likely risk of serious harm from a data breach. Read the rest of this entry »

As they say, “you couldn’t make this up.” The Office of the Australian Information Commissioner has suffered a data breach according to the Australian’s Peak privacy agency the latest to fall victim to Russia-linked cybercrime gang through the hacking of of HWL Ebsworth’s website. The regulator has regularly engaged HWL Ebsworth to provide legal services. That entails providing information for use by the law firm. And it is at least some of the information that has been compromised. While the Commissioner cannot be blamed for providing information to its trusted legal advisor it might be interesting to know whether the Commissioner enquired of HWL Ebsworth the privacy training it did of its staff and the state of security of documents it held under its control. Normally a victim’s answers to such questions are unsatisfactory. The Commissioner is being tight lipped in its initial response. The concession was made that if personal information collected was compromised then those persons would be notified.

This must be mortifying for the Commissioner. 

At some point the Commissioner would need to provide more than guarded comments. There is a question of making the public trust the integrity Read the rest of this entry »

In late April Russian hackers successfully launched a ransomware attack against HWL Ebsworth, a national Australian law firm. On 30 April it made demand for a ransom. The ALPHV/Blackcat ransomware group posted on its website that 4 tera bytes of data had been hacked. The contents included employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map. As has become usual the firm responded to enquiries by stating that it had contacted the Australian Cyber Security Centre and will work with them. Further details were scarce. Nothing unusual in that. It has become a standard deflector shield against further enquiry.

That was in early May. But ransomware hackers don’t really care about what their victims say. Particularly hackers as effective as BlackCat. On 11 May the Australian Financial Review reported that the Ebsworth data was posted on BlackCat’s site on the dark web. The AFR also reported that clients, including the Commonwealth Bank, La Trobe Financial and ING Bank, had removed their files from the firm. Given the likely entry point for the hackers was via an email received on a staff member’s personal device this is a massive loss of billings and reputation for what was likely a preventable data breach. Human error is the cause of a vast majority of data breaches. And that human error is often caused by poor training and supervision. The fact that the firm only became aware of the hack when the hackers advised of the theft of data points to poor internal security. That 4 terabytes of data could be exfiltrated from various data banks of the firm points to no or inadequate programs to monitor and respond to unusual movements of data. Given that HWL Ebsworth is the largest firm by partner size that is quite extraordinary.

On 9 June the ABC reported that BlackCat had published published 1.45 terabytes of data on the dark web with a statement “ENJOY”. That happened after the demand for ransom payment within 10 days expired without any payment being forthcoming. As the ABC article makes clear the impact of the data breach goes beyond impact of personal information of staff and financial records.  It goes to personal information and other sensitive material belonging to clients such as government agencies and commercial institutions.  That leads to them having to take proactive measures to determine the extent of the loss of their data and what steps they need to take to advise their clients or other persons.  Law firms such as HWL Ebsworth hold masses of sensitive and personal information belonging to clients. The Tasmanian Government has reported suffering a possible data breach linked to the attack on HWL Ebsworth.

Given the nature of the data breach HWL Ebsworth’s focus is on dealing with clients whose clients or employees may have been affected rather than a broad notice to a set group of people.  That has been the tenor of its response to enquiries.  While that is understandable HWL Ebsworth has maintained a very restrained response.  As overseas experience and the Optus and Medibank data breaches attest that is not generally a good strategy.  Clearly given constraints on confidentiality apply however a broader explanation is often better than bromides, which is the nub of the response to date.  Given BlackCat has not finished with HWL Ebsworth it Read the rest of this entry »

Chapter 5 of the Report is devoted to amending the powers in the Privacy Act relating to developing APP Codes and Emergency Declarations. The focus is quite narrow and technical. The amendments should not be controversial given the nature of the changes are build on what is already in the Privacy Act. There are relatively few APP Codes and the Emergency Declarations thankfully do not commonly arise.

The Act sets out a process for making APP codes in which the Commissioner identifies code developers and registers codes developed by them.  An ‘APP code developer’ is any of an APP entity, a group of APP entities, or an association or body representing one or more APP entities.  Currently the Commissioner is only permitted to make an APP code if a code developer has been requested to make a code by the Commissioner and has not complied with the request/  the Commissioner does not to register a proposed code.

The Report proposes to give the Commissioner more power and flexibility in developing Codes.  To that end the Report recommends that the Commissioner be given  additional power to make an APP code on the direction or approval of the Attorney?General:

• where it is in the public interest for a code to be developed, and
• where there is unlikely to be an appropriate industry representative to develop the code.

An APP code could be made in the absence of a suitable industry code developer.

The process would not be unfettered. A code Read the rest of this entry »

The latest data breach notification report, covering the period July – December 2022, covers a period where both Optus and Medibank were the subject of cyber attacks resulting in millions of documents being compromised, almost 10 million for Optus and 9.7 million records for Medibank. In this period there were other significant data breaches which skewed the records. But these figures are still a significant under reporting of the actual number of data breaches that occurred in Australia in this period.  These figures in no way correlate to overseas experience in similar environments. significant under reporting. For example in January 2023 alone there were estimated to be 277,618,767 records compromised in 104 publicly disclosed security incidents.

Some interesting facts from the Report include:

• there were 497 notifications, a 26% increase;
• health again leads the number of notifications with 71 out of hte 497 notifications;
• malicious or criminal attacks were responsible for 70% of the breaches;
• there were 5 breaches affecting 1 – 10 million individuals;
• there was one breach involving more than 10 million;
• in terms of cyber attacks the leading type of attack was ransomware, at 29%
• in January – June 2022 there were 24 data breaches affecting more than 5,000 Australians.  In the July – December half year there were 40 breaches affecting more than 5,000; 
• while 77% of breaches were identified within 30 days 6% took between 4 – 12 months and 5% took more than a year;
• the top cause of human error breaches was personal information sent to a wrong recipient, at 42%.

The report provides:

Executive summary

The NDB scheme was established in February 2018 to drive better security standards and accountability for protecting personal information and improve consumer protection. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 that experiences an eligible data breach must notify affected individuals and the OAIC. Read the rest of this entry »