Peter A Clarke

Categories

  • Blogs

  • Civil Liberties & rights

  • Current Affairs

  • Data security

  • Legal blogs

  • Newspapers

  • Overseas legal sites

  • Oz Legal

  • Politics

  • Privacy sites

  • Technology

    • Australian Information Commissioner releases the its annual report.

    November 24, 2025

    The Australian Information Commissioner has published its Annual Report.

    The media release provides:

    The Office of the Australian Information Commissioner (OAIC) upheld and advanced information access and privacy rights throughout 2024-25 as it strengthened its ability to deliver better regulatory outcomes for the Australian community.

    Releasing the OAIC’s Annual report 2024-25, Australian Information Commissioner Elizabeth Tydd said: “This report demonstrates the impact and credibility of the OAIC as the national regulator for privacy and freedom of information. Our broad reaching jurisdiction means that we are instrumental in securing democratic rights and promoting a healthy economy.

    “This environment requires a proactive contemporary approach to regulation in this complex digital environment; that approach is tethered to regulatory transparency and proportionality.

    “We apply a proactive and harm-focused approach to prioritise our efforts. We take regulatory action to encourage and support compliance by regulated entities and to address high-risk matters with the greatest potential for harm.”

    During the year the OAIC finalised significant privacy breaches including a $50 million payment program as part of an enforceable undertaking received from Meta Platforms, Inc. (Meta) and an enforceable undertaking offered by Oxfam Australia after the not-for-profit experienced a data breach in January 2021.  Court action commenced the previous year also recently led to Australian Clinical Labs (ACL) paying $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business, the first civil penalties ordered under the Privacy Act.

    “The OAIC’s impact is also well demonstrated by our data and the increase in positive results from our annual stakeholder survey. In 2024–25 we increased our performance in five of our six stakeholder measures. In case work the OAIC finalised 41% more Information Commissioner (IC) reviews than the preceding year, outpacing a 21% increase in IC reviews received,” Commissioner Tydd said.

    The OAIC also published a separate FOI volume (PDF, 6006 KB) of the Annual report to improve accessibility of agency performance data and provide more detailed regulatory information. “This approach delivers greater transparency to the community and provides policy makers and agencies with reliable and insightful data regarding agency performance and the operation of the FOI system more broadly,” Commissioner Tydd said.

    The OAIC strengthened the effectiveness of its educational and advisory functions during 2024-25, publishing a range of guidance and tools during the year. The privacy foundations self-assessment tool, the FOI self-assessment tool, and a new Freedom of Information (FOI) statistics dashboard all position regulated entities to achieve compliance by clearly articulating better practice and reporting against outcomes.

    The results of the OAIC’s annual stakeholder survey demonstrated positive results with five out of six measures increasing, including:

      • advancing online privacy protections increased from 60% to 66%
      • encouraging and supporting proactive disclosure of government information increased from 56% to 65%
      • OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust increased from 63% to 66%
      • OAIC’s regulatory activities demonstrate collaboration and engagement increased from 58% to 64%
      • OAIC’s regulatory activities are based on risk and data rose from 56% to 59%.

    “The OAIC’s strategic positioning will enable us to further deliver impactful regulatory outcomes to the Australian community in 2025-26,” Commissioner Tydd said.

    Key 2024–25 statistics

      • Finalised 2,470 Information Commissioner (IC) reviews in 2024–25, a 41% increase compared to 1,748 in 2023–24.
      • Issued 248 IC review decisions, compared to 207 previous financial year.
      • Finalised 3,123 privacy complaints compared to 3,103 in 2023–24.
      • Issued 10 determinations following investigations of privacy complaints and continued to reduce the number of older complaints on hand.
      • Finalised 1,155 notifications under the NDB scheme, with 86% of notifications finalised within 60 days, exceeding the OAIC target of 80%.

    The overview from the Privacy Commissioner provides:

    This has been my first full year in the role of Privacy Commissioner, and has been characterised by ever- increasing risks to the protection of Australian’s privacy. With data breaches continuing to mount, AI and other emerging technologies becoming part of our day-to- day reality, and novel scams and online harms creating community concern, the work of the OAIC has never been more important, or more challenging.

    The period of 1 July to 31 December 2024 saw the OAIC notified of 595 data breaches, an increase of 15% compared to the previous 6 months. Across the 2024 calendar year, data breach notifications were up 25% year on year. Individual and representative complaints to the OAIC, arising out of data breaches as well as other privacy interferences, also increased this financial year, totalling 3,295. Health service providers, the financial sector and Australian government agencies were the sectors most likely to notify of a data breach, and most likely to be the subject of a complaint.

    In response to these building trends, the OAIC has focused on a dual-track regulatory response which prioritises both education and enforcement. Acknowledging the uplift required across the public and private sectors to ensure robust Privacy Act compliance, the OAIC has invested in and developed resources to support businesses and agencies to enhance their privacy governance. For example, in embodying the Privacy Awareness Week 2025 theme of ‘Privacy – It’s Everyone’s Business’ we released the Privacy Foundations self-assessment tool, a simple resource designed to help businesses who want to embed a culture of privacy and improve practices procedures and systems. Throughout the year, we issued new guidance clarifying the application of the Australian Privacy Principles (APPs) to a range of emerging technologies, including tracking pixels, facial recognition and AI, and we updated our charities and non-profits guidance. We launched a blog which we used to share information in a more accessible manner, and to explain the impact of some of the 10 determinations we issued in 2024–25. And together with our Digital Platform Regulators Forum partners, we released a working paper on multimodal foundation models. Read the rest of this entry »

    Posted in Commonwealth Privacy Commissioner, Privacy | Post a comment »

    Data breaches in January – June 2025 . Five hundred and thirty two notifications

    The Privacy Commissioner has published notifications of data breaches in the first half of 2025 under the National Data Breach Notification Scheme. The health sector continues to have the most reported data breaches (18% of reported data breaches), followed by the finance sector (14%) and Australian Government agencies (13%).

    The details are:

    • Number of notifications: 532
    • 33% of data breaches were caused by cyber security incidents of which:
      • 28% were due to phishing
      • 21% due to compromised or stolen credentials
      • 21% due to ransomware
      • 17% hacking
      • 6% brute force attacks
      • 4% malware
    • 3 data breaches affected between 100,000 – 250,000.  The same number as the July December 2024 period.  3 data breaches affected 250,000 – 500,000 people. The same number as the July December 2024 period
    • Contact information was the most common information affected by data breaches (456),  Identify information was affected in 303 data breaches.  Financial details were involved in 194 and health information in 161 data breaches.
    • 56% data breaches were reported in 10 or less days from discovery.  27% of data breaches were reported more than 30 days after the data breachess.
    • 308 of the data breaches were caused by malicious/criminal attacks and 193 caued by human error.

    Read the rest of this entry »

    Posted in Commonwealth Privacy Commissioner, Privacy | Post a comment »

    Groth v Herald & Weekly Times (VID 1130/2025) First directions hearing. Orders made for interlocutory hearing on 6 November 2025

    November 1, 2025

    At the first directions hearing on 30 October 2025 in the Federal Court proceeding of SAM GROTH and another v THE HERALD AND WEEKLY TIMES PTY LTD and others the Respondent succeeded to have an application to determine whether the journalist exemption applies. The hearing will occur on 6 November 2025. The directions hearing is reported by the Guardian in News Corp had no first-hand source suggesting Sam Groth’s wife underage at start of relationship, MP’s lawyer tells court, the AFR with News Corp allegedly claimed to be writing puff piece on Groths, and 9 News with ‘Salacious gossip’ or news? Tennis star turned MP to test new privacy law (to name but 3 stories).

    The orders made Justice MceLwaine are:

    1. The interlocutory application of the respondent accepted for filing on 2 October 2025 is set down for hearing at 30am on 6 November 2025.
    2. Any evidence proposed to be relied upon by the respondent at the hearing of the interlocutory application is to be in the form of an affidavit which is to be filed and served by 4pm on 4 Novemebr 2025.
    3. Any evidence proposed to be relied upon by the applicant at the hearing of the interlocutory application is to be in the form of an affidavit which is to be filed and served by 12pm on 5 November 2025.
    4. The matter be set down for hearing in Melbourne at 15am on 11 May 2026, with an estimate of 10 days.
    5. The parties are to attend a mediation to be organised by the parties, such mediation to take place on 7 November 2025.

    The Guardian article provides:

    Australia’s new privacy laws to be tested as Victorian Liberal MP and wife Brittany Groth sue over Herald Sun articles

    A News Corp journalist had “not one piece of information” to suggest the deputy Victorian Liberal leader, Sam Groth, began a relationship with his wife when she was underage, the MP’s lawyers have told a court.

    In what a federal court judge described as a “test case” for Australia’s new privacy laws, Groth and his wife, Brittany, are suing the Herald and Weekly Times (HWT), reporter Stephen Drill and the Herald Sun’s editor, Sam Weir, over a series of articles published in July.

    The articles allege the couple met at a tennis club in suburban Melbourne and began a sexual relationship when Brittany was 16 or 17 and Sam – then a professional player – was 23 or 24 and working as her coach, the court has been told.

    Read the rest of this entry »

    Posted in Privacy | Post a comment »