Information Commissioner releases the Notifiable Data Breach report covering the second half of 2022. A 26% increase, no small thanks to Optus and Medibank. It is still an under-report of the real rate of data breaches

March 1, 2023

Today the Information Commissioner released the latest Notifiable Data Breach report.

It makes for grim reading. The key findings are:

  • 497 breaches were notified compared with 393 in January to June 2022 – a 26% increase.
  • There was a 41% increase in data breaches resulting from malicious or criminal attacks. Malicious or criminal attacks accounted for 350 notifications – 70% of all notifications.
  • Human error was the cause of 123 notifications (25% of all notifications), down 5% in number from 129.
  • Health reported the most breaches (71), followed by finance (68). That the health sector provides the greatest number of breaches is no surprise.
  • Contact information remains the most common type of personal information involved in breaches.
  • The majority (88%) of breaches affected 5,000 individuals or fewer.
  • 71% of entities notified the OAIC within 30 days of becoming aware of an incident. This is quite an indictment of compliance: almost 30% of entities did not notify the OAIC within 30 days, the period the Act allows for assessing a suspected eligible data breach. That bespeaks poor culture.

The Commissioner’s media release provides:

Several large-scale data breaches impacted millions of Australians’ personal information in the second half of 2022, as part of a 26% increase in breaches overall, according to the latest Notifiable data breaches report released today.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said cyber security incidents in particular can have significant impacts on individuals, and organisations need to be alert to the risks.

“We saw a significant increase in data breaches that impacted a larger number of Australians in the second half of 2022,” she said.

“Cyber security incidents continue to have a significant impact on the community and were the cause of the majority of large-scale breaches.”

Thirty-three of the 40 breaches that affected over 5,000 Australians were the result of cyber security incidents.

“Organisations should take appropriate and proactive steps to protect against and respond to a range of cyber threats,” Commissioner Falk said.

“This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”

Commissioner Falk said organisations need to be vigilant as large-scale compromises of personal information may lead to further attacks.

“As personal information becomes increasingly available to malicious actors through breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud and scams, can increase.

“Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals,” she said.

The Office of the Australian Information Commissioner has clear expectations of best practice with regard to data breach preparation and response, to ensure individuals are protected from harm.

“In response to a breach, organisations need to provide information to individuals that is timely and accurate.

“As well as setting out the kinds of information breached, the notification must include recommendations about clear steps people should take in response,” said Commissioner Falk.

The reporting period also saw the enactment of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. Among other things, the Act:

    • provides the Commissioner with new and greater powers to share information with other authorities about data breaches
    • provides the Commissioner with a new power to obtain information and documents relevant to an actual or suspected eligible data breach
    • enables the Commissioner to conduct an assessment of the ability of an entity to comply with the Notifiable Data Breaches scheme, including the extent to which the entity has processes and procedures in place to assess suspected eligible data breaches, and provide notice to the Commissioner and individuals at risk from such breaches
    • significantly increases penalties for serious or repeated privacy breaches, which includes non-compliance with the Notifiable Data Breaches scheme.

“While we will continue to work with organisations to facilitate voluntary compliance, we will use these regulatory powers where required to ensure compliance with the Notifiable Data Breaches scheme,” said Commissioner Falk.

“We also welcome the further proposals to strengthen the Notifiable Data Breaches scheme in the Attorney-General’s Department’s Privacy Act review report.”

The Report provides:

Notifications received July to December 2022 – All sectors

The OAIC received 497 notifications this reporting period – a 26% increase compared with January to June 2022.

Information Commissioner welcomes amendments to Privacy Act giving her new powers…now the test is whether they will be used

November 30, 2022

The Privacy Act 1988 remains a very flawed piece of legislation. Until 2014 there were no serious enforcement provisions available to the Commissioner. The insertion of section 13G permitted the Commissioner to commence civil penalty proceedings for serious or repeated interferences with privacy. Since 2014 no such proceeding has been commenced and brought to resolution. Not one in eight years. The Information Commissioner commenced a proceeding under section 13G against Facebook in 2020 arising out of the alleged misuse of data by Cambridge Analytica; it is slowly working its way through the Federal Court system. The US and UK have long finished litigation against Facebook in relation to the same issue and similar facts.

Not surprisingly the Commissioner has welcomed the passage of the amendments. They will provide the Commissioner with significantly more powers and more effective and efficient enforcement options. She can now issue infringement notices, which is more in line with the Monetary Penalty Notices that the UK Information Commissioner has been issuing for years. A safe assumption is that the Commissioner will be more assertive and high profile in using these powers. There is a long overdue need for a change of culture by those who collect personal information. The Commissioner states that she hopes the increased penalties will help incentivise compliance. Without some high profile cases, that is unlikely. The market has factored in a Commissioner who is timid and more interested in talking compliance than in taking enforcement action.

The Commissioner’s media release provides:

The Office of the Australian Information Commissioner (OAIC) welcomes the passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which enhances the OAIC’s ability to regulate in line with community expectations and protect Australians’ privacy in the digital environment.

The Bill introduces significantly increased penalties for serious and or repeated privacy breaches and greater powers for the OAIC to resolve breaches.

“The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 introduced into the House of Representatives

October 26, 2022

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced into the House of Representatives by the Attorney General earlier today.

The amendments will provide the Commissioner with new powers including, but not limited to:

  • The Commissioner will have “new information-gathering powers” regarding the notifiable data breach reporting and notification requirements.
  • The Commissioner will have information-gathering powers to conduct assessments of organisations’ practices.
  • The Commissioner will have the power to issue a direction for an entity to notify individuals who have been affected by a data breach.
  • The Commissioner will have infringement notice powers.

The Commissioner being provided with infringement notice powers brings the Australian regulation more into line with the UK legislation, under which the UK Information Commissioner can issue monetary penalty notices. The US Federal Trade Commission follows a different process but likewise has a quicker way of imposing penalties. It will be critical for businesses and organisations to understand their obligations; otherwise they may be the subject of a significant financial penalty, not to mention the reputational damage that comes with it.

Itnews has undertaken a reasonable summation, from a lay perspective, of the proposed amendments in “Privacy Act amendments land in parliament”, which provides:

The federal government has introduced amendments to beef up the Privacy Act.

Foreshadowed earlier this month following the Optus data breach, the amendments were introduced to the House of Representatives this morning by Attorney General Mark Dreyfus.

As promised, the amendments include higher fines for serious privacy breaches; a strengthened notifiable data breaches scheme; enhanced enforcement powers for the Australian Information Commissioner; and greater information sharing arrangements.

“The novel privacy challenges posed by the rise of digital platforms and the unprecedented volume and variety of data that these platforms collect from users underscores the importance of reforming our privacy laws,” Dreyfus said.

The current $2.2 million fines available to the Australian information commissioner are inadequate, with Dreyfus echoing statements by commissioner Angelene Falk that the fines must be more than “simply the cost of doing business”.

The new fines proposed in the legislation would be “not more than the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or, if the value of the benefit obtained cannot be determined, 30 percent of a company’s domestic turnover in the relevant period.”

The amendments to the notifiable data breaches scheme will empower the Australian information commissioner to assess an entity’s compliance with the scheme.

The commissioner will also have “new information-gathering powers in regards to the scheme’s reporting and notification requirements,” Dreyfus said.

“This is necessary to provide the information commissioner with a comprehensive understanding of the information compromised in a breach in order to assess the particular risks to individuals, and take actions such as issue a direction for the entity to notify individuals who have been affected by a data breach.”

The commissioner will also be given the power to publish notice about specific privacy breaches, “or otherwise ensure those directly affected are informed”.

The commissioner will have the power to compel entities to improve their practices, supported by information-gathering powers to conduct assessments.

New infringement notice powers will let the commissioner deal with non-compliant organisations, “without the need to engage in protracted litigation”.

The bill is also amending the Privacy Act’s extraterritorial provisions, so that “even if foreign organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia.”

Finally, information sharing will be bolstered in two ways.

The commissioner will have “an express power” to publish the determinations it makes following a privacy investigation, as well as updates into ongoing investigations.

There will also be a power to share information with enforcement bodies, other complaints bodies, privacy regulators; and “the Australian Communications and Media Authority will also be provided better powers to share information within government for enforcement purposes.”

The Bill

Information Commissioner starts investigation into Medibank while cyber gang escalates its demands…the data breach is taking on the appearance of a saga.

October 21, 2022

The Office of the Australian Information Commissioner announced today that it was “making inquiries into Medibank.” The ostensible reason was to ensure that it complied with the Notifiable Data Breaches Scheme. Given the circumstances it had ample power to open an own motion investigation in any event. Given Medibank’s spluttering initial response to the data breach it is not surprising that this is the basis chosen.

The OAIC media release provides:

The Office of the Australian Information Commissioner (OAIC) is making preliminary inquiries with Medibank following its cyber incident, to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme.

As information is gathered and assessed, the number one priority is ensuring that Medibank customers have information and resources available to take steps to protect themselves from any risk arising as a result of their personal information being compromised.

“This matter is understandably of great concern, given the sensitive information that may be involved,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

Information Commissioner issues a statement regarding the MyDeal data breach

October 17, 2022

The Australian mandatory data breach notification regime, although four years old, has not attracted the public profile of other regimes overseas and had not produced a high-profile notification until the Optus data breach. In some American states notifications must be made to authorities who publish broad details of the data breach and how many residents of the state have been affected. As such there is a better understanding of the frequency of data breaches and

The Australian Information Commissioner releases guidance for retention and deletion of personal information collected during COVID 19

July 29, 2022

The Australian Information Commissioner (the “Commissioner”) has released brief but specific and detailed guidance on the retention and deletion of personal information. It is entirely reasonable to release guidance now, given that restrictions throughout the country have largely been removed and there is no longer a requirement to collect masses of personal information.

But organisations and agencies now hold an enormous amount of personal information which was collected for the purpose of complying with various Public Health Orders and which was to be used for specific, narrow and defined purposes, such as contact tracing and vaccine status. As the guidance makes clear, there is now an obligation on organisations to delete much of that personal information. With the orders no longer in place there is a real question of whether

Australian Information Commissioner makes submission to Department of Prime Minister and Cabinet’s Australian Data Strategy

July 20, 2022

The Australian Information Commissioner has made submissions to the Department of Prime Minister and Cabinet’s Australian Data Strategy.  

It is a more assertive submission than usually produced by the Information Commissioner. That may be because of the increased muscularity of other regulators who have an interest in data security and privacy, such as the ACCC.  Possibly also because there is a review of the Privacy Act 1988 with a government that has stated a greater interest in significant reform in the handling of data than its predecessor. 

It provides, absent footnotes:

Introduction

    1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Department of Prime Minister and Cabinet’s (the Department) Australian Data Strategy (the Strategy).
    2. The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation), freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Information Commissioner Act 2010 (Cth)).
    3. We welcome the Strategy’s focus on aligning with the range of existing legislation, strategies, policies, and reviews which regulate the use of data and the protection of personal information. The Strategy broadly intersects with the OAIC’s existing regulatory role and responsibilities under several laws and whole-of-government initiatives, including the Privacy Act (and its ongoing review), the FOI Act, the Consumer Data Right, the Data Availability and Transparency Act 2022, the Australian Cyber Security Strategy, the National Data Security Action Plan, and the Digital Identity scheme.
    4. Promoting and upholding privacy, information access rights and supporting the proactive release of government-held information are key strategic priorities for the OAIC. This recognises that data held by the Australian Government is a national resource which can yield significant benefits for the Australian people when handled appropriately, and in the public interest.
    5. The Strategy sets out a vision for the creation of a national ecosystem of data that is accessible, reliable, relevant and easily used to power Australia’s national endeavour towards a modern data-driven society. The Strategy focuses on three key themes: maximising the value of data, trust and protection, and enabling data use.
    6. The Strategy acknowledges the importance of keeping data safe and secure and using and managing it in appropriate ways to earn and maintain public trust. This is particularly important in relation to data containing personal information, which is subject to specific statutory protection. Privacy issues that are not properly addressed can impact the community’s trust in an entity and undermine the success of new data initiatives. When people have confidence in how their data is handled, they are more likely to support the use of that information to provide the services and value promised by innovative data initiatives.
    7. The Privacy Act provides a well-established framework to minimise the privacy risks associated with personal-information handling activities and facilitate community trust and confidence in new data initiatives. It contains 13 Australian Privacy Principles (APPs), which are technology-neutral and applicable to changing and emerging technologies and data practices. This submission focusses on the role that privacy will play in achieving the Strategy’s vision and objectives, and our views on measures that can further support the Strategy’s ambitions by strengthening the existing privacy framework through the ongoing Privacy Act Review. It is also important to acknowledge the important role the FOI Act will play as part of a comprehensive Australian Data Strategy.


Australian Information Commissioner opens investigation into Bunnings and Kmart regarding use of facial recognition technology

July 13, 2022

In light of the finding of a breach of the Privacy Act 1988 by Clearview AI regarding its use of facial recognition technology, in Commissioner initiated investigation into Clearview AI, Inc. (Privacy) [2021] AICmr 54, there was always a reasonable chance that the Information Commissioner would respond to the comprehensive complaint made by CHOICE against Bunnings, Kmart and the Good Guys regarding their use of facial recognition technology.

Today the Commissioner announced that her office had opened an investigation into Bunnings and Kmart.

The statement provides:

The Office of the Australian Information Commissioner (OAIC) has opened investigations into the personal information handling practices of Bunnings Group Limited and Kmart Australia Limited, focusing on the companies’ use of facial recognition technology.

The investigations follow a report from consumer advocacy group CHOICE about the retailers’ use of facial recognition technology.

New version of Privacy (Credit Reporting) Code 2014 took effect on 1 July 2022. More information available to credit providers relating to financial hardship.

July 5, 2022

One of the most significant amendments to the Privacy Act 1988 in 2014 related to credit reporting. A key element of those amendments was the establishment of the Credit Reporting Code. On 7 June 2022, the Australian Information Commissioner approved a replacement for the Privacy (Credit Reporting) Code 2014 (Version 2.2) by introducing the Privacy (Credit Reporting) Code 2014 (Version 2.3) (Code). Version 2.3 of the Code was registered on 1 July 2022 and took effect the same day.

For anyone practising in privacy law, particularly with a connection to banking and finance, it is worth reviewing the updated Code carefully.

The release

Information Commissioner releases privacy guidance on Healthcare identifiers on digital vaccination certificates

March 10, 2022

The Information Commissioner has issued privacy guidance on Individual Healthcare Identifiers (“IHIs”) on vaccination certificates. This is in addition to the guideline titled Privacy guidance for businesses collecting COVID-19 vaccination information, issued on 12 November 2021.

The guidance