In the past year, privacy has taken the spotlight with a number of high-profile privacy breaches affecting millions of people being reported in the media, including the Optus, Medibank and Latitude Financial data and privacy breaches.
The Office of the Australian Information Commissioner (OAIC) is actively investigating many of these reported privacy data breaches and appears to have a renewed focus on strengthening the enforcement of the Privacy Act 1988 (Cth) (Privacy Act). No doubt, the OAIC's proactive stance and increased resolve has been aided by various new regulatory powers and substantially increased maximum penalties which commenced in December 2022 under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) (Privacy Enforcement Act).
Key Decisions
On 24 October 2023, in the decision of Pacific Lutheran College (Privacy) [2023] AICmr, the Australian Information Commissioner and Privacy Commissioner determined that Pacific Lutheran College had breached s26WH(2) and s26WK(2) of the Privacy Act and Australian Privacy Principle (APP) 11.1.
Briefly, the proceeding concerned an incident involving a manager of the Pacific Lutheran College's Early Learning Centre and Outside School Hours Care Services (Pacific Lutheran College). On 28 May 2020, an unidentified third party gained unauthorised access to the manager's email account (the incident). This email account contained personal information of parents and guardians, students and staff. The information stored in the email account included birth certificates, credit card details and Medicare card details of the parents and guardians; names, addresses, dates of birth and medical information of students; and other personal information of staff.
As a result of the unauthorised access, the third party was able to send over 8,000 phishing emails to various contacts listed in the email account. On 29 May 2020, Pacific Lutheran College became aware of the incident but only engaged a forensic investigator 26 days later, on 24 June 2020. Relevantly, the forensic investigator's report was concluded on 28 August 2020 and the data review report was provided to Pacific Lutheran College on 29 September 2020. Pacific Lutheran College determined on 14 October 2020 that an eligible data breach may have occurred and notified the OAIC on 15 December 2020.
The OAIC found that Pacific Lutheran College had not undertaken any steps "within the first 30 days to analyse the contents of the email account for personal information" and therefore breached s26WH(2) of the Privacy Act (at [85]). The OAIC also found Pacific Lutheran College could have "clearly communicated to its employees, stakeholders and services providers that the assessment was required" and prioritised the assessment "above other routine decisions" (at [87]). Further, the OAIC found that Pacific Lutheran College breached s26WK(2) of the Privacy Act by delaying its notification to the OAIC, noting that once Pacific Lutheran College determined there was an eligible data breach on 14 October 2020, the OAIC should have been notified the next day, on 15 October 2020 (at [103]).
The OAIC also found that Pacific Lutheran College had breached APP 11.1 by not implementing reasonable security steps to protect the personal information from misuse, interference, loss and unauthorised access.
In another decision handed down on 24 October 2024, the OAIC found that Datateks Pty Ltd (Datateks) had breached both s26WH(2) and s26WK(2) of the Privacy Act, in Datateks Pty Ltd (Privacy) [2023] AICmr 97. The proceedings concerned three email accounts (one general account and two individual accounts) which were compromised through unauthorised access by a third party on 26 June 2020, resulting in a phishing campaign (the incident). Datateks became aware of the incident on the same day (26 June 2020) but only engaged lawyers and a cyber security specialist on 23 July 2020, with the forensic investigation concluding in September 2020. The following year, on 18 January 2021, Datateks notified the OAIC of the data breach.
The OAIC found that, within the first 30 days of the incident, the only step Datateks had taken was to engage the cyber security specialist, and that it had therefore failed to take all reasonable steps to complete the assessment, breaching s26WH(2) of the Privacy Act. The OAIC found that by 21 October 2020 Datateks had reasonable grounds to believe that there was an eligible data breach and was able to complete the statement to the OAIC within "a day or two" (at [98]). Therefore, the delay in submitting the notification until 18 January 2021 constituted a breach of s26WK of the Privacy Act.
Takeaways
Both decisions demonstrate the clear need for businesses to be aware of their obligations should a privacy breach occur. It is clear that simply engaging a forensic and/or cyber expert within 30 days of the privacy breach will not be enough to discharge their obligations under the Privacy Act. Importantly, businesses should prioritise assessing a privacy breach within 30 days of detecting it and respond swiftly.
Recent Developments
In a more recent development, on 3 November 2023 the OAIC brought proceedings against Australian Clinical Labs Limited (ACL) over its February 2022 privacy breach, which had reportedly resulted in the unauthorised access of personal information, sensitive health information and credit card information of over 100,000 individuals. ACL collects and holds the health information of millions of Australians to provide tests through its pathology business. Relevantly, ACL only notified the OAIC of the privacy breach on 10 July 2022. According to its press release, the OAIC alleges that the privacy breach at Australian Clinical Labs "seriously interfered with the privacy of millions of Australians" and that ACL had breached APP 11.1 and ss26WH(2) and 26WK(2) of the Privacy Act by "failing to take reasonable steps to protect their personal information from unauthorised access or disclosure". It has also been reported that the OAIC is seeking a civil penalty in connection with the company's response to the data breach, alleging that ACL contravened section 13G of the Privacy Act. This case may provide useful judicial guidance on the interpretation of the legislation and the standards to be applied in considering what reasonable steps are required to protect personal information from unauthorised access.
Should the OAIC be successful in these proceedings, we may see the Court make one of the first civil penalty orders under s13G, which in this case will be up to A$2.2 million for each contravention (based on the penalty regime applicable at the time of the alleged conduct). Of note, substantially increased maximum penalties commenced in December 2022 under the Privacy Enforcement Act, under which the maximum penalty for a serious or repeated breach of privacy by a body corporate has been increased to the greater of:
- $50 million
- three times the value of any benefit obtained through the contravention
- if the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the 'breach turnover period'
Also of great interest will be the recent response by the Australian Government, released on 28 September 2023 [1], to the 116 recommendations made in the Privacy Act Review Report 2022 [2].
In their response, the Australian Government has agreed or 'agreed in principle' with the majority of the recommendations aimed at strengthening enforcement of the Privacy Act including:
- extension of the definition of 'personal information';
- introducing a requirement for processing of personal information to be "fair and reasonable";
- creation of tiers of civil penalty provisions;
- providing the OAIC with the power to undertake public inquiries and reviews at the direction of the Attorney-General;
- a requirement for an APP entity to identify, mitigate and redress actual or reasonably foreseeable loss;
- providing the Courts with the power to make any order they see fit once an interference with privacy has been established under a civil penalty provision.
The Government's response to the Privacy Act Review Report sends a clear message that, while the legislation to implement these changes is not yet drafted, we can expect it in the near future. The Australian Government has also agreed that the OAIC should be reviewed to ensure a greater enforcement focus. As such, prudent businesses should consider reviewing their systems and existing practices now to minimise the disruption and cost of system upgrades once the new changes are legislated.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific circumstances. It is intended for information purposes only and should not be regarded as legal advice. Further professional advice should be obtained before taking action on any issue dealt with in this publication.
Footnotes
[1] https://www.ag.gov.au/sites/default/files/2023-09/government-response-privacy-act-review-report.pdf
[2] https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.