Australia’s privacy commissioner has defended a failure to penalise any organisation for any of the 1,748 data breaches reported over the past two years as a decision based on “regulatory strategy”.
In an exchange with Greens Senator David Shoebridge during Senate estimates on Monday night, Australia’s information and privacy commissioner, Angelene Falk, revealed that the Office of the Australian Information Commissioner (OAIC) had received 1,748 reports of notifiable data breaches over the past two financial years.
She said a third of them were caused by human error as well as a “large proportion” by hackers.
“We’ve seen an increase in cyber intrusion and hence the major investigations that are ongoing now and the specific funding that we’ve received in order to advance those,” she said.
There would be an outcome from OAIC’s major investigations into data breaches at Optus, Medibank, Australian Clinical Labs Limited and Latitude group “shortly”, she said.
An incredulous Shoebridge asked what had “gone wrong” that her office had not sought a single penalty over the past two years.
Falk said the OAIC’s “regulatory strategy” had encouraged the resolution of investigations by means other than penalties. She said the purpose of the notifiable data breaches scheme was to ensure that Australians were told when their data was affected by a breach so that they could take steps to mitigate their risk — a result that she said had been “achieved”.
“It’s about ensuring that we’re using the right tool in the right circumstances,” she said.
Organisations are required under the Privacy Act to notify individuals and the OAIC about eligible data breaches, and they can be fined for “serious or repeated privacy breaches”. After a series of high-profile breaches last year, the Albanese government passed a bill that increased the size of the fines as well as giving new reporting powers to the information commissioner.
But even with the beefed-up penalty powers, the OAIC has lobbied for penalty powers for breaches that don’t meet the “serious or repeated” threshold. In a submission to a discussion paper for the Privacy Act review, the OAIC called for lower tiers of fines to give the office “more options so they can better target regulatory responses”.
Shoebridge responded to Falk’s explanation by linking the lack of penalties to the OAIC’s performance in its other functions: “Every part of the office, whether it’s FOIs [freedom of information] or prosecution for data breaches or investigation for privacy complaints, every part of your office is mired in endless delays, isn’t it?”
Falk replied: “No, that’s not the case, senator. But we have a very, very, broad remit across the economy and a very high workload.”
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.