
Privacy Commissioner calls out implications of the Optus and Medibank data breaches

30 November 2022

4 min read

#Data & Privacy


In last week’s Privacy Summit in Sydney, Privacy Commissioner Angelene Falk spoke about a range of issues relating to the focus of her office, the Office of the Australian Information Commissioner (OAIC), over the next year and some of the key consequences of the recent Optus and Medibank data breaches.

The Commissioner spoke in clear and unequivocal terms about the Optus breach being a “wakeup call” for Australian businesses to focus on their investment in security in relation to their data and personal information holdings, and said that, having had this wakeup call, her office would be focusing on any under-investment in security that does not meet the reasonable standards required under the Australian Privacy Principles (APPs).

The Commissioner noted that there are three fundamental issues concerning privacy and data collection:

  1. only collect that subset of data which is reasonably necessary for your business purposes and do not overreach in your collection
  2. ensure that data collected is subject to the right security settings, particularly if it is sensitive information which, if compromised, has the capacity to cause serious harm to individuals
  3. ensure that data is deleted when no longer required.

A comment was made about the need for attention to the data lifecycle and the deletion process, an area that is often missed. This is consistent with views among the media and concerns among the public around recent breaches relating to old information that does not necessarily need to be retained by the organisation holding it. This is a clear call to action for businesses.

Facial recognition technologies

The Commissioner also noted that investigating the consequences of high-impact technologies such as facial recognition is a priority, particularly in light of the recent Bunnings and Kmart situations, where organisations paused their use of facial recognition once it was brought to public attention. The Commissioner reiterated the need for proportionality in the use of such technologies.

New penalty regime passes Parliament

All of this comes at a time when the Government has managed to move new penalties for serious or repeated breaches of privacy through Parliament.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced to Parliament on 26 October, following the Medibank and Optus breaches to allow disclosure and sharing of information between the OAIC and other agencies in the event of a data breach. The proposed legislation also expands the enforcement powers of the OAIC and increases penalties for serious or repeated interferences with privacy.

The Bill passed the House of Representatives on 9 November and the Senate on 28 November. The new law increases penalties for serious or repeated infringements of privacy, a concept which is already well-established in the Privacy Act, to the greater of:

  • $50 million;
  • the value of the benefit obtained by the corporation for the contravention; or
  • 30 per cent of the adjusted turnover of the corporation during the breach period in which the contravention occurred.

These are significant increases from the current maximum penalty of $2.2 million for corporates for breaches of the Privacy Act.

The Act also introduces a new system of infringement notice provisions which can impose a fine of up to $66,000 for corporates. At the conference, the Privacy Commissioner indicated that this simplified system of infringement notices and the provision of broader powers would allow the OAIC to be more effective.

Given many commentators have raised that the OAIC is significantly underfunded by comparison with other agencies, such as the ACCC and ASIC, it remains to be seen whether the theoretical maximum fines will be imposed at any point.

Further, the Commissioner indicated that the OAIC’s regulatory framework and approach is a collaborative one and that organisations can proactively approach the OAIC with issues. However, with this new penalty regime, it will be interesting to see whether organisations are willing to continue to engage as sharing information that may generate such a penalty will be a far less attractive option than when the maximum penalty was limited to $2.2 million.

What should I do now?

The takeaway is to do a deep dive into your data collection, security and retention settings and if necessary, adjust them in light of this new risk profile.

If you have any questions about the new legislation or need assistance with reviewing your data collection and privacy policies, please contact Lyn Nicholson or a member of our Data & Privacy team in the Key Contacts section below.

Author: Lyn Nicholson

The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
