Happy 30th anniversary to the Privacy Act – and the breaches keep coming…

In addressing highlights from its 2017 – 2018 Annual Report, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, said “the OAIC’s work across the reporting period has continued to enhance transparency and accountability for the community”.

Key statistics for the period noted by the OAIC included:

  • drafted 29 submissions on legislative proposals and other issues such as open banking and privacy in the digital age
  • conducted 21 privacy assessments in areas such as identity verification, telecommunications, digital health and government
  • received 305 reports under the Notifiable Data Breaches scheme, compared to 114 voluntary reports in 2016–17
  • received 19,407 privacy enquiries and 1,931 FOI enquiries, an overall increase of 13% on 2016–17
  • received 2,947 privacy complaints, up 18% on 2016–17, raising issues such as use or disclosure, security and access to personal information
  • closed 2,766 privacy complaints (up 11% on 2016–17) in an average time of 3.7 months, down from 4.7 months in 2016–17
  • conducted 21 Commissioner-initiated investigations into potential privacy breaches
  • received 801 applications for FOI reviews, up 27% on 2016–17
  • finalised 610 FOI reviews (up 18% on 2016–17) in an average time of 6.7 months, up from 6.2 months in 2016–17
  • received 62 complaints about the handling of FOI matters
  • raised awareness of privacy and access to information through our annual campaigns for Privacy Awareness Week and Right to Know Day
  • hosted the 47th Asia Pacific Privacy Authorities Forum.

Significant changes to privacy regulation and heightened awareness of information handling and access issues were flagged as being the hallmarks of 2017 – 18.

The OAIC also released its Corporate Plan for 2018 – 19 detailing key priorities and planned activities for the agency. A number of key deliverables were identified to assist the OAIC in promoting and upholding privacy rights:

  • Continue to administer the Notifiable Data Breaches scheme, and work with key stakeholders to build business and government capacity to reduce the potential for and to respond to data breaches, and to assist individuals who are affected by a data breach.
  • Engage in the development and prepare for commencement of the Consumer Data Right and work collaboratively with the Australian Competition and Consumer Commission (ACCC).
  • Work collaboratively with the National Data Commissioner to assist in the development of a new data sharing and release framework.
  • Work with credit providers, credit reporting bodies, consumers and external dispute resolution schemes to help ensure that changes to credit reporting under the proposed mandatory Comprehensive Credit Reporting (CCR) regime are implemented in a way that protects the privacy of individuals and facilitates an efficient credit reporting system.
  • Update existing guidance where required and develop new guidance on privacy rights and obligations.
  • Use discretionary regulatory powers in a proportionate and targeted way to ensure the protection of personal data.
  • Support compliance with the Australian Government Agencies Privacy Code.
  • Conduct targeted assessments in priority areas in order to monitor and improve privacy practices.
  • Promote Privacy Awareness Week 2019.

The latest statistics for the new Notifiable Data Breaches Scheme are also to hand.

The causes of breaches notified in the July to September 2018 quarter were:

  • 37% due to human error (36% in the previous quarter)
  • 57% due to malicious or criminal attack (59% in the previous quarter)
  • 6% due to system fault (5% in the previous quarter)

According to an article in Mondaq, ‘The majority of the notified breaches were the result of malicious or criminal attack (including phishing, malware, ransomware and social engineering, among other methods). More than half of these were the result of compromised or stolen credentials as a result of phishing attacks, brute force attacks or other unknown methods. Many of these attacks would have required some action with an unintended consequence by an employee of or individual associated with the impacted businesses (for example, clicking a link in a malicious email).

A significant number of breaches were also attributable purely to human error. This includes the disclosure of personal information by sending emails, mail or faxes to the wrong recipients, the failure to use BCC when sending emails, unintentionally releasing or disclosing publications, and the loss of physical devices or papers.

While there will always be some level of human error, the above statistics demonstrate the need for continuous privacy and cyber security training to increase the broader understanding of the risks businesses and individuals face and the simple steps individuals can take as part of their day to day function to reduce cyber and privacy risk.

This includes, for example, being aware of key risk factors associated with phishing or social engineering, password best practice and confirming the recipients of any communications before they are transmitted or sent. Implementing policies and procedures to assist employees to reduce cyber and privacy risk is therefore a critical area for business focus.’

DGA provides regulatory guidance to Members, subscribers and participants. The information provided is general in nature only; it is not comprehensive and does not constitute legal advice. You should obtain legal or other professional advice before acting or relying on this information.