Australian Information Commissioner releases its annual report.

November 24, 2025

The Australian Information Commissioner has published its Annual Report.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) upheld and advanced information access and privacy rights throughout 2024-25 as it strengthened its ability to deliver better regulatory outcomes for the Australian community.

Releasing the OAIC’s Annual report 2024-25, Australian Information Commissioner Elizabeth Tydd said: “This report demonstrates the impact and credibility of the OAIC as the national regulator for privacy and freedom of information. Our broad reaching jurisdiction means that we are instrumental in securing democratic rights and promoting a healthy economy.

“This environment requires a proactive contemporary approach to regulation in this complex digital environment; that approach is tethered to regulatory transparency and proportionality.

“We apply a proactive and harm-focused approach to prioritise our efforts. We take regulatory action to encourage and support compliance by regulated entities and to address high-risk matters with the greatest potential for harm.”

During the year the OAIC finalised significant privacy breaches including a $50 million payment program as part of an enforceable undertaking received from Meta Platforms, Inc. (Meta) and an enforceable undertaking offered by Oxfam Australia after the not-for-profit experienced a data breach in January 2021.  Court action commenced the previous year also recently led to Australian Clinical Labs (ACL) paying $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business, the first civil penalties ordered under the Privacy Act.

“The OAIC’s impact is also well demonstrated by our data and the increase in positive results from our annual stakeholder survey. In 2024–25 we increased our performance in five of our six stakeholder measures. In case work the OAIC finalised 41% more Information Commissioner (IC) reviews than the preceding year, outpacing a 21% increase in IC reviews received,” Commissioner Tydd said.

The OAIC also published a separate FOI volume (PDF, 6006 KB) of the Annual report to improve accessibility of agency performance data and provide more detailed regulatory information. “This approach delivers greater transparency to the community and provides policy makers and agencies with reliable and insightful data regarding agency performance and the operation of the FOI system more broadly,” Commissioner Tydd said.

The OAIC strengthened the effectiveness of its educational and advisory functions during 2024-25, publishing a range of guidance and tools during the year. The privacy foundations self-assessment tool, the FOI self-assessment tool, and a new Freedom of Information (FOI) statistics dashboard all position regulated entities to achieve compliance by clearly articulating better practice and reporting against outcomes.

The results of the OAIC’s annual stakeholder survey demonstrated positive results with five out of six measures increasing, including:

    • advancing online privacy protections increased from 60% to 66%
    • encouraging and supporting proactive disclosure of government information increased from 56% to 65%
    • OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust increased from 63% to 66%
    • OAIC’s regulatory activities demonstrate collaboration and engagement increased from 58% to 64%
    • OAIC’s regulatory activities are based on risk and data rose from 56% to 59%.

“The OAIC’s strategic positioning will enable us to further deliver impactful regulatory outcomes to the Australian community in 2025-26,” Commissioner Tydd said.

Key 2024–25 statistics

    • Finalised 2,470 Information Commissioner (IC) reviews in 2024–25, a 41% increase compared to 1,748 in 2023–24.
    • Issued 248 IC review decisions, compared to 207 in the previous financial year.
    • Finalised 3,123 privacy complaints compared to 3,103 in 2023–24.
    • Issued 10 determinations following investigations of privacy complaints and continued to reduce the number of older complaints on hand.
    • Finalised 1,155 notifications under the NDB scheme, with 86% of notifications finalised within 60 days, exceeding the OAIC target of 80%.

The overview from the Privacy Commissioner provides:

This has been my first full year in the role of Privacy Commissioner, and has been characterised by ever-increasing risks to the protection of Australians’ privacy. With data breaches continuing to mount, AI and other emerging technologies becoming part of our day-to-day reality, and novel scams and online harms creating community concern, the work of the OAIC has never been more important, or more challenging.

The period of 1 July to 31 December 2024 saw the OAIC notified of 595 data breaches, an increase of 15% compared to the previous 6 months. Across the 2024 calendar year, data breach notifications were up 25% year on year. Individual and representative complaints to the OAIC, arising out of data breaches as well as other privacy interferences, also increased this financial year, totalling 3,295. Health service providers, the financial sector and Australian government agencies were the sectors most likely to notify of a data breach, and most likely to be the subject of a complaint.

In response to these building trends, the OAIC has focused on a dual-track regulatory response which prioritises both education and enforcement. Acknowledging the uplift required across the public and private sectors to ensure robust Privacy Act compliance, the OAIC has invested in and developed resources to support businesses and agencies to enhance their privacy governance. For example, in embodying the Privacy Awareness Week 2025 theme of ‘Privacy – It’s Everyone’s Business’ we released the Privacy Foundations self-assessment tool, a simple resource designed to help businesses who want to embed a culture of privacy and improve practices, procedures and systems. Throughout the year, we issued new guidance clarifying the application of the Australian Privacy Principles (APPs) to a range of emerging technologies, including tracking pixels, facial recognition and AI, and we updated our charities and non-profits guidance. We launched a blog which we used to share information in a more accessible manner, and to explain the impact of some of the 10 determinations we issued in 2024–25. And together with our Digital Platform Regulators Forum partners, we released a working paper on multimodal foundation models. Read the rest of this entry »

Data breaches in January – June 2025: 532 notifications

The Privacy Commissioner has published its report on notifications of data breaches in the first half of 2025 under the Notifiable Data Breaches (NDB) scheme. The health sector continues to have the most reported data breaches (18% of reported data breaches), followed by the finance sector (14%) and Australian Government agencies (13%).

The details are:

  • Number of notifications: 532
  • 33% of data breaches were caused by cyber security incidents of which:
    • 28% were due to phishing
    • 21% due to compromised or stolen credentials
    • 21% due to ransomware
    • 17% hacking
    • 6% brute force attacks
    • 4% malware
  • 3 data breaches affected between 100,000 and 250,000 people, and 3 affected between 250,000 and 500,000 people; in each band the same number as in the July – December 2024 period.
  • Contact information was the most common information affected by data breaches (456). Identity information was affected in 303 data breaches, financial details in 194 and health information in 161.
  • 56% of data breaches were reported within 10 days of discovery. 27% were reported more than 30 days after discovery.
  • 308 of the data breaches were caused by malicious or criminal attacks and 193 by human error.

Read the rest of this entry »

American Express is found to have major data flaws after an investigation by the Privacy Commissioner

October 17, 2025

One thing that is almost a given in data privacy law is that if the regulator starts investigating a discrete problem or data breach it will end up reviewing the entire entity’s operation and find problems worse than what it started looking at. Often the original problem ends up being a small fraction of the entity’s problems. And so it goes with American Express, where the Privacy Commissioner found systemic failures with American Express’s security controls, potentially exposing more than a million cardholders to privacy breaches. The initial complaint related to a customer complaining about a staff member spying on his personal financial information. It is reported in the Age story ‘Sensitive personal information’: Leaked report reveals American Express security failures. What is unusual and reflects poorly on American Express is that two years ago the Age reported that the Australian Financial Complaints Authority found American Express had breached privacy laws when its employee accessed the complainant’s accounts on at least nine occasions without consent. Ironically the Privacy Commissioner’s interim report was leaked, not surprisingly, to the Age. That is quite unusual and is unlikely to impress the regulator or American Express.

Based on the article it appears that American Express does not track employee access to customer accounts across 78 per cent of its systems. This is a classic exposure to “insider threat” risks. It is surprising that American Express did not have the technology to restrict staff access to certain customer accounts. It cites operational complexity as a reason for not implementing those controls. This is of course nonsensical. Banks have long had such technology. Rogue or even just foolishly inquisitive employees who access accounts not related to their job are summarily dismissed as a matter of rigid practice. American Express relied on internal policies and staff training to prevent misconduct. That should be part of the process but not the end of it. What was particularly disturbing is that staff with basic privileges based in Australia and overseas had “full and unfettered access” to the private information of Australian customers, which include celebrities, politicians, politically exposed individuals and vulnerable people. This is quite extraordinary for a company of American Express’ size and profile, and especially as it had an internal data breach revealed two years ago. Unfortunately this level of complacency is all too common: many other entities give employees broad and sometimes unfettered access to personal information even where they have no need to access that data. Often companies do not log access, so internal threats can’t be identified.
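The two controls the post says were missing are a log of every staff read of a customer record and a check of each read against a business reason to look. The following is an added example, not code from the article, from American Express or from the Privacy Commissioner; the log format, the staff and customer identifiers and the “open case” rule (a staff member may read an account only while they hold an open case on it) are constructed assumptions. It flags reads with no open case and repeated reads of one account by one person, the pattern in the AFCA matter described above.

```python
"""Audit of staff reads of customer records against a need-to-know rule.

Added example (not the article's, American Express's or the regulator's code).
The log format, identifiers and the assignment rule are constructed
assumptions: a staff member has a business reason to read an account only
while they hold an open case, ticket or service request for it.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample access log, one line per read of a customer record.
# Assumed format: timestamp,staff_id,customer_id,action
SAMPLE_LOG = """\
2025-10-01T09:00:12Z,s101,c5001,view
2025-10-01T09:02:40Z,s101,c5002,view
2025-10-01T09:05:03Z,s102,c5001,view
2025-10-01T11:15:00Z,s102,c5001,view
2025-10-01T13:20:17Z,s102,c5001,view
2025-10-02T08:30:00Z,s102,c5001,view
2025-10-02T08:31:00Z,s102,c9001,view
2025-10-02T10:00:00Z,s103,c5003,view
"""

# Constructed assignments: the accounts each staff member currently has a case on.
ASSIGNMENTS = {
    "s101": {"c5001", "c5002"},
    "s102": {"c5002"},
    "s103": {"c5003"},
}


@dataclass(frozen=True)
class Finding:
    staff_id: str
    customer_id: str
    reason: str
    count: int


def parse_log(text):
    """Parse the assumed CSV format into (timestamp, staff, customer, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, staff, customer, action = line.split(",")
        events.append((ts, staff, customer, action))
    return events


def audit(events, assignments, repeat_threshold=3):
    """Return findings for reads outside any open case and for repeated reads.

    A read is unassigned when the staff member has no open case on the
    account. Repeated reads of one account by one person are reported
    regardless of assignment, because an open case rarely needs the same
    record opened again and again; the threshold is an assumed tuning value.
    """
    unassigned = Counter()
    per_pair = Counter()
    for _, staff, customer, _ in events:
        per_pair[(staff, customer)] += 1
        if customer not in assignments.get(staff, set()):
            unassigned[(staff, customer)] += 1

    findings = []
    for (staff, customer), n in sorted(unassigned.items()):
        findings.append(Finding(staff, customer, "no open case for account", n))
    for (staff, customer), n in sorted(per_pair.items()):
        if n >= repeat_threshold:
            findings.append(Finding(staff, customer, "repeated reads of one account", n))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), ASSIGNMENTS):
        print(f"{f.staff_id} -> {f.customer_id}: {f.reason} ({f.count} reads)")
```

On the constructed log the audit reports only s102: four reads of c5001 with no open case, one read of c9001 with no open case, and the same four reads of c5001 as a repeated-access finding. The point is that neither finding is possible unless the read is logged in the first place, which is the gap the article describes for 78 per cent of the systems.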

It is interesting to see American Express adopt Read the rest of this entry »

Privacy Commissioner issues new guidance to Social Media Platforms regarding age limits

October 16, 2025

As 10 December approaches the regulators are releasing guidance. Last month the eSafety Commissioner issued its guidance. Last Friday the Privacy Commissioner issued a statement and guidance. As the guidance makes clear, more is expected of entities in handling and, importantly, destroying data. Part 4A of the Online Safety Act 2021 sets out quite detailed obligations upon social media platforms. For social media entities this will require a very thorough audit of data collection and use practices.

The Statement provides:

The Office of the Australian Information Commissioner (OAIC) has published regulatory guidance for age-restricted social media platforms and age assurance providers on compliance with the privacy provisions for the Social Media Minimum Age (SMMA) scheme, due to take effect on 10 December.

Privacy Commissioner Carly Kind said that the guidance reflects the stringent legal obligations on entities to ensure that age assurance is applied proportionately and through privacy-respecting approaches.

“Today we’re putting age-restricted social media platforms on notice,” Ms Kind said. “The OAIC is here to guard and uplift the privacy protections of all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful.”

The OAIC co-regulates SMMA alongside eSafety. Last month, eSafety published their regulatory guidance detailing what ‘reasonable steps’ age-restricted social media platforms must take to prevent age-restricted users from having accounts, including guiding principles for the implementation of age assurance to meet SMMA obligations.

The OAIC’s guidance published today provides information for age-restricted social media platforms and third-party age assurance providers on handling personal information for age assurance purposes in the SMMA context.

“The OAIC is committed to ensuring the successful rollout of the SMMA regime by robustly applying and regulating the privacy rules contained in the legislation, in order to reassure the Australian community that their privacy is protected,” said Privacy Commissioner Carly Kind.

“eSafety has provided the rules of the game with their ‘reasonable steps.’ Now the OAIC is setting out what is out-of-bounds when it comes to the handling of personal information for age assurance in the social media minimum age context.

“Together, eSafety and the OAIC’s regulatory guidance outlines the field of play for age-restricted social media platforms and third-party age assurance providers.

“SMMA is not a blank cheque to use personal or sensitive information in all circumstances; we’ll be actively monitoring platforms to ensure they stay within the bounds by deploying age assurance proportionately and lawfully.”

Key considerations detailed in the guidance call on entities to:

    • note the additional privacy obligations in the SMMA scheme operate alongside the Privacy Act 1988 and the Australian Privacy Principles.
    • choose age-assurance methods that are necessary and proportionate, and assess the privacy impacts associated with each method.
    • minimise the inclusion of personal and sensitive information in age assurance processes.
    • note pre-existing personal information later used for SMMA purposes does not need to be destroyed where the original purposes are ongoing.
    • destroy personal information collected for SMMA purposes once purposes are met.
    • make sure that any further use of personal information collected for SMMA purposes is strictly optional, has the user’s unambiguous consent and can be easily withdrawn.
    • be transparent about the handling of personal information for SMMA purposes in privacy notices and at the moments it matters.

Together, these privacy safeguards impose stringent legal obligations on age-restricted social media platforms and age assurance providers. Failure to meet these obligations may constitute ‘an interference with the privacy of an individual’ and may trigger enforcement action.

Further OAIC resources will be released soon to help Australians understand what personal information may be handled through age assurance methods, as well as educational resources for children and families to help them navigate the changes and support conversations about children’s privacy online.

For more information and to view the guidance, visit: www.oaic.gov.au/privacy/privacy-legislation/related-legislation/social-media-minimum-age

Background

The OAIC co-regulates the Social Media Minimum Age Scheme with eSafety. Specifically, the OAIC oversees the compliance and enforcement of the privacy provisions set out in Section 63F of Part 4A of the Online Safety Act 2021, which operate in tandem with the Privacy Act 1988.

Key aspects of the guidance are:

  1. Purpose limitation – section 63F(1). Entities that hold personal information collected for, or including, SMMA purposes must not use or disclose that information for any other purpose. There are limited exceptions under APP 6.2(b)–(e) which permit use or disclosure, or where the individual gives voluntary, informed, current, specific and unambiguous consent under section 63F(2). This standard goes beyond the general APP 6 framework. The inclusion of “unambiguous” as an element of consent precludes the use of pre-selected settings or opt-outs when seeking consent. Reuse of information is prohibited unless clearly authorised or in the exceptional circumstances set out in APP 6.2(b)–(e).
  2. Information destruction – section 63F(3). Once personal information collected for SMMA purposes has been used or disclosed for those purposes, it must be destroyed. De-identification is not permitted. The destruction must happen as soon as all SMMA purposes are met. This obligation is stricter than APP 11.2, which permits de-identification or retention for ancillary business needs. Pre-existing data used to support age assurance remains governed by APP 11.2.
  3. Enforcement. The Privacy Commissioner has the power to investigate and take action for breaches, as a breach of section 63F constitutes an “interference with the privacy of an individual” under the Privacy Act. Those actions include investigating, making determinations, and requiring remediation or compensation. Individuals may also lodge complaints directly with the Privacy Commissioner.
  4. Part 4A does not replace the APPs. It is an overlay of stricter duties in addition to the existing APPs, which still apply in their entirety.

Under the Guidelines Platforms cannot retain information “just in case” it is useful later. The OAIC can investigate and enforce directly, even against entities not previously regulated, such as small technology providers or overseas processors.

The OAIC expects age assurance solutions to be privacy by design, backed by an early-stage Privacy Impact Assessment (PIA) that examines proportionality, necessity and data minimisation. That may be a new concept for some entities. In establishing the processes and procedures the least privacy-invasive method should be used, and it should be tested through a PIA before deployment.

The OAIC recommends establishing a “ring-fenced SMMA environment” — a segregated technical and data structure where age assurance information is processed, stored and destroyed separately from other systems. Only minimal artefacts, such as a binary “16+ yes/no” result, method and timestamp, should persist. Inputs like ID scans or selfies must be deleted immediately after use.
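One way to build the ring-fenced environment the OAIC describes, as an added example that is not the OAIC’s guidance or any platform’s code: the raw input is used once and overwritten, only the binary result, the method and a timestamp are kept, and records are deleted outright (not de-identified) once the SMMA purpose is met. The record fields, the in-memory store and the pluggable estimate_age hook are assumptions.

```python
"""Ring-fenced store for age assurance artefacts.

Added example, not the OAIC's, eSafety's or any platform's code. It models the
guidance summarised above: the raw input (ID scan, selfie) is used once and then
overwritten, only a binary 16+ result, the method and a timestamp are kept, and
records are deleted outright, not de-identified, once the SMMA purpose is met.
The record fields, the in-memory store and the estimate_age hook are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class AgeAssuranceRecord:
    """The only artefact that persists: no date of birth, no image, no document number."""
    user_id: str
    over_16: bool
    method: str        # e.g. "id_document" or "facial_age_estimation"
    checked_at: str    # ISO 8601 UTC timestamp


class RingFencedSmmaStore:
    """Holds SMMA artefacts apart from the platform's other data stores."""

    def __init__(self) -> None:
        self._records: Dict[str, AgeAssuranceRecord] = {}

    def assure(self, user_id: str, method: str, raw_input: bytearray,
               estimate_age: Callable[[bytes], int]) -> AgeAssuranceRecord:
        """Run the check, keep the minimal artefact, wipe the input.

        estimate_age is the assumed age-assurance routine (document check,
        facial age estimation, ...); it must not retain the bytes it is given.
        The input buffer is zeroed even if the check raises, so a failed check
        leaves neither a record nor a copy of the scan behind.
        """
        try:
            age = estimate_age(bytes(raw_input))
            record = AgeAssuranceRecord(
                user_id=user_id,
                over_16=age >= 16,            # only the yes/no survives, not the age
                method=method,
                checked_at=datetime.now(timezone.utc).isoformat(),
            )
        finally:
            raw_input[:] = bytes(len(raw_input))   # overwrite the scan/selfie in place
        self._records[user_id] = record
        return record

    def result(self, user_id: str) -> Optional[AgeAssuranceRecord]:
        return self._records.get(user_id)

    def destroy(self, user_id: str) -> bool:
        """Delete the record once its SMMA purpose is met; True if a record existed."""
        return self._records.pop(user_id, None) is not None

    def destroy_all_checked_before(self, cutoff_iso: str) -> int:
        """Retention sweep for records whose purpose should by now be met; returns the count deleted."""
        stale = [u for u, r in self._records.items() if r.checked_at < cutoff_iso]
        for u in stale:
            del self._records[u]
        return len(stale)


if __name__ == "__main__":
    store = RingFencedSmmaStore()
    scan = bytearray(b"constructed-id-scan-bytes")      # constructed stand-in for an ID image
    rec = store.assure("user-1", "id_document", scan, lambda b: 17)
    print(rec, "input wiped:", scan == bytes(len(scan)))
    print("destroyed:", store.destroy("user-1"))
```

The store keeps the SMMA data in its own object so it can be backed by a separate database or key, audited on its own, and emptied without touching the rest of the platform. Because estimate_age receives a copy, the design depends on that routine discarding its input; a provider that stores images for model training would defeat the ring fence regardless of what the platform does.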

The OAIC supports inference-based and AI-driven approaches but with clear restrictions: they must be transparent, demonstrably accurate, and not rely on continuous behavioural tracking or unnecessary sensitive data such as biometric or content analysis.

The process must be transparent. That includes:

  • just-in-time notifications at the point of data collection,
  • explaining what information is being collected, by whom, for how long, and why.
  • having privacy policies which clearly describe SMMA-specific processing and destruction practices.

Legal, product and design teams need to collaborate. Poorly designed consent or information screens — even if legally accurate — can amount to non-compliance.

Part 4A sets a higher bar for consent to secondary uses of information collected for SMMA purposes than the standard APP test. It must be:

  • voluntary,
  • informed,
  • current,
  • specific and unambiguous and
  • be able to be withdrawn.

The OAIC Guidance says that there should be:

  • no bundled or pre-ticked consents,
  • no reliance on general terms of use,
  • simple withdrawal mechanisms in dedicated privacy settings or contextually appropriate screens, and
  • consent which is purpose-specific and time-limited.

Section 63F’s destruction requirement is specific and Read the rest of this entry »

Privacy Commissioner finds that KMart’s use of facial recognition technology breached the Privacy Act and was unlawful

September 18, 2025

First it was Bunnings and now Kmart has breached the Privacy Act 1988 in the use of facial recognition technology. Today the Privacy Commissioner published the results of a Commissioner-initiated investigation that found Kmart Australia breached the Australian Privacy Principles in the collection of personal and sensitive information through facial recognition technology in the period June 2020 to July 2022. The story is covered by Information Age’s article Kmart facial recognition broke privacy laws, regulator finds. It is also covered by the ABC, the Australian Financial Review, Read the rest of this entry »

iiNet hacked with data relating to 280,000 customers affected

August 19, 2025

Another day, another data breach in Australia. This time iiNet has announced that it has suffered a data breach. The mode of entry was the use of employee credentials to get into iiNet’s order management system. The breach is reported by the Australian in iiNet latest Aussie company to be hit by hackers. iiNet released a media release earlier today titled Cyber incident involving iiNet customers. As is the way, the story has been covered across the media by News.com.au, Information Age, Australian Cyber Security Magazine, the AFR and Cyber Daily amongst others.

This data breach will be hugely embarrassing for iiNet. Its whole image is based around being more accessible (not in that way) and different from other telco providers. And better, in a geekier, friendlier but more efficient sort of way. Now it finds itself suffering the sort of data breach other big organisations suffer.

iiNet’s media statement is quite good. For Australia. It provides some detail of what happened and how, though much is not revealed. That will be revealed if the Privacy Commissioner takes action or there is a class action. But being as transparent as possible is preferable to saying virtually nothing, as Genea has done with its much more serious data breach. iiNet provided detail of the nature of the personal information stolen: email addresses (280,000), phone numbers (20,000), usernames and street addresses (10,000) and modem set-up passwords (1,700). Distressing and damaging as that may be, it did not involve financial information, dates of birth or other personal information. iiNet has been more specific than most in how it responded. It can’t help itself in advising how it is liaising with the ACSC, the NOCS and the OAIC. On a more relevant note it has set up a dedicated hotline. That is an excellent initiative. By contrast Genea has been very difficult to contact and its responses have been wholly unhelpful, enraging patients. iiNet provided some preliminary advice on what to do and answered frequently asked questions. Interestingly iiNet responds to the question as to why it was holding information on people who are no longer customers of iiNet. The answer is somewhat mealy mouthed, including being due “to legal, regulatory, or operational requirements.” Mmmm.

The statement provides:

iiNet has been impacted by a cyber incident involving unauthorised access to its order management system by an unknown third party.

The iiNet ordering system is used to create and track orders for iiNet services, such as NBN connections. The system contains limited personal information. Importantly, it does not contain copies or details of customer identity document details (such as passport or driver’s licences), credit card or banking information.

What we are doing

Upon confirmation of this incident on Saturday, 16 August 2025, we enacted our incident response plan, began work to ensure the security of the system and to determine what occurred. We have engaged external IT and cyber security experts to assist with our investigation. Read the rest of this entry »

Office of the Information Commissioner commences civil penalty proceedings against Optus in the Federal Court of Australia

August 10, 2025

It doesn’t rain for Optus. It pours. Optus announced on 22 September 2022 that it had suffered a major data breach. On 21 April 2023 Slater and Gordon filed a class action in the Federal Court of Australia, PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS. It is scheduled to have a case management hearing on 15 August 2025. In June 2025 Optus paid a $100 million penalty for unconscionable conduct.

The Australian Information Commissioner has announced that it has filed civil penalty proceedings against Singtel Optus Pty Limited and Optus Systems Pty Limited arising out of the 2022 data breach. The reference is AUSTRALIAN INFORMATION COMMISSIONER v SINGTEL OPTUS PTY LIMITED (ACN 052 833 208) & ANOR, court number VID 1019/2025. The Information Commissioner is represented by the Australian Government Solicitor. Previously it was represented by HWL Ebsworth. A concise statement and originating application were filed last Friday, 8 August 2025. The first case management hearing will be heard before Justice Beach this Friday, 15 August 2025. That day will be a very busy day for Optus.

A key issue is the reasonableness of its cybersecurity having regard to its size and the nature of the data it possessed.

The statement from the Information Commissioner provides:

The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022.

The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. Read the rest of this entry »

The Information Commissioner releases its regulatory action priorities for 2025 – 26

July 29, 2025

Today the OAIC released its regulatory action priorities for 2025 – 26. In the privacy sphere the Commissioner states that it is:

Rebalancing power and information asymmetries

The OAIC will focus on sectors and technologies that compromise rights and create power and information imbalances including:

    • the rental and property, credit reporting and data brokerage sectors
    • advertising technology (Ad tech) such as pixel tracking
    • practices that erode information access and privacy rights in the application of artificial intelligence
    • excessive collection and retention of personal information
    • systemic failures to enable timely access to government information

Rights preservation in new and emerging technologies

The OAIC will protect and uphold privacy and information access rights when dealing with new and emerging technologies with high impact, including:

    • facial recognition technology and forms of biometric scanning
    • new surveillance technologies such as location data tracking in apps, cars and other devices
    • the preservation of both privacy and information access rights in government use of artificial intelligence and automated decision making.

It is interesting to note that the Commissioner has previously flagged a focus on data collection by cars. The Commissioner has already taken action in relation to facial recognition technology.

The media release Read the rest of this entry »

A representative complaint under the Privacy Act 1988 made against Qantas

July 18, 2025

The Australian reports in Maurice Blackburn launches compensation case against Qantas over cyber attack that a claim against Qantas is in the offing. It is a representative complaint under the Privacy Act 1988. It is also reported in Compensation sought for millions of Qantas customers hit in major cyber data breach. Representative complaints may be commenced under Division 1 of Part V of the Privacy Act. Under section 36 an individual may complain to the Commissioner about an act or practice that is an interference with the privacy of that individual. Under section 38 a representative complaint can be made on behalf of a class if all the members have complaints against the same entity and those complaints arise out of the same circumstances, as they do here.

There should be no surprise in Read the rest of this entry »

Bunnings CEO now wants the Government to pass laws to make facial recognition legal after Bunnings was found to have breached the Privacy Act when using facial recognition

July 17, 2025

In November last year Bunnings was found to have breached the Privacy Act 1988 in its use of facial recognition technology without consent and to have failed to take reasonable steps to notify individuals that their personal information was being collected. There were no meek apologies from Bunnings. It came out saying it had every right to use facial recognition and that it was the most effective way to combat rising crime. It has appealed. Now the Managing Director of Bunnings has come out in an AFR article complaining about the privacy law and wanting new laws to allow facial recognition in stores. That is very curious. To call for a change to the law while appealing a decision involving the extant law is not illegal. But it is quite arrogant. Changing the law to allow for such a carve out would significantly damage the operation of the Privacy Act.

Meanwhile, in CBA using facial recognition logins to verify disputed payment, the CBA is showing itself to be an enthusiastic user of facial recognition.

The AFR article Read the rest of this entry »