30 November 2022
In last week’s Privacy Summit in Sydney, Privacy Commissioner Angelene Falk spoke about a range of issues relating to the focus of her office, the Office of the Australian Information Commissioner (OAIC), over the next year and some of the key consequences of the recent Optus and Medibank data breaches.
The Commissioner spoke in clear and unequivocal terms about the Optus breach being a “wakeup call” for Australian businesses to focus on their investment in security in relation to their data and personal information holdings. Having issued that wakeup call, her office will be focusing on any under-investment in security that does not meet the reasonable standards required under the Australian Privacy Principles (APPs).
The Commissioner noted that there are three fundamental issues concerning privacy and data collection:
A comment was made about the need for attention to the data lifecycle and the deletion process, an area that is often missed. This is consistent with views among the media and concerns among the public around recent breaches relating to old information that does not necessarily need to be retained by the organisation holding it. This is a clear call to action for businesses.
The Commissioner also noted that investigating the consequences of high impact technologies such as facial recognition is a priority, particularly in light of the recent Bunnings and Kmart situations, where organisations pause the use of facial recognition once it is brought to public attention. The Commissioner reiterated the need for proportionality in the use of such technologies.
All of this comes at a time when the Government has managed to move new penalties for serious or repeated breaches of privacy through Parliament.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced to Parliament on 26 October, following the Medibank and Optus breaches, to allow disclosure and sharing of information between the OAIC and other agencies in the event of a data breach. The proposed legislation also expands the enforcement powers of the OAIC and increases penalties for serious or repeated interferences with privacy.
The Bill passed the House of Representatives on 9 November and the Senate on 28 November. The new law increases penalties for serious or repeated infringements of privacy, a concept which is already well-established in the Privacy Act, to the greater of:
These are significant increases from the current maximum penalty of $2.2 million for corporates for breaches of the Privacy Act.
The Act also introduces a new system of infringement notice provisions which can impose a fine of up to $66,000 for corporates. At the conference, the Privacy Commissioner indicated that this simplified system of infringement notices and the provision of broader powers would allow the OAIC to be more effective.
Given many commentators have raised that the OAIC is significantly underfunded by comparison with other agencies, such as the ACCC and ASIC, it remains to be seen whether the theoretical maximum fines will be imposed at any point.
Further, the Commissioner indicated that the OAIC’s regulatory framework and approach is a collaborative one and that organisations can proactively approach the OAIC with issues. However, with this new penalty regime, it will be interesting to see whether organisations are willing to continue to engage as sharing information that may generate such a penalty will be a far less attractive option than when the maximum penalty was limited to $2.2 million.
The takeaway is to do a deep dive into your data collection, security and retention settings and if necessary, adjust them in light of this new risk profile.
If you have any questions about the new legislation or need assistance with reviewing your data collection and privacy policies, please contact Lyn Nicholson or a member of our Data & Privacy team in the Key Contacts section below.
Author: Lyn Nicholson
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.