Privacy and the use of personal information have been issues of increasing concern for most of the Australian population for many years now. With privacy concerns becoming a greater priority for Australian consumers, many businesses are opting to conduct an organisation-wide review to ensure that their own data collection, use and disclosure practices, such as their data storage, retention and destruction policies, comply with the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs).

Why is a privacy audit important?

With businesses facing increasing compliance costs across the board, many are asking whether an audit is actually worthwhile. The short answer is yes. Non-compliance with the privacy law is a liability for an organisation. The civil penalties payable for serious or repeated interference with an individual's privacy are not insignificant and can cost an organisation up to $2,220,000. Those penalties however are dwarfed by the financial cost of cleaning up after a data breach and the direct and indirect cost of rebuilding trust with consumers. This is to say nothing of the risk that a class action is instituted by the affected individuals, which is an increasing trend both here and overseas.

What is the trend in penalties and why should this be concerning?

The current review of the Privacy Act is considering various options for increasing penalties for breach of privacy. Two proposals are to bring the penalties into line with those imposed under the gold standard General Data Protection Regulation (GDPR) in the European Union (EU) - the GDPR imposes penalties of up to 4 per cent of annual revenue - or, alternatively, to bring the penalties into line with those imposed by the Australian Competition and Consumer Commission (ACCC) for breaches of consumer law.

In recent years, both the privacy regulator and the consumer protection regulator have taken action to protect the privacy of individuals in Australia. This convergence of regulatory activity means that there will ultimately be more opportunities for businesses to be subject to enforcement activity. In the US, for a number of years, the Federal Trade Commission has taken effective actions against privacy breaches under their equivalent of the "misleading and deceptive conduct" provisions of their consumer law in relation to privacy breaches.

It would be unsurprising if that were to happen here, particularly given the ACCC's interest in digital platforms and the expanding delivery of consumer goods and services through those platforms. Companies operating outside of Australia are subject to additional foreign regulations and foreign regulators to comply with. It would not be unheard of for GDPR regulators in the EU to seek to enforce against Australian companies. With greater global cooperation in this space, it seems increasingly likely that failure to voluntarily comply with mandated standards will result in some form of penalty through a regulatory mechanism being applied by one or more regulators.

The Privacy Act review is also considering how to better enforce privacy compliance locally. For example, whether individuals should be given a direct right of action against businesses for breach of privacy and whether there are more and better enforcement powers and mechanisms available. To date, there have been very few claims by individuals for breach of privacy. 

In 2018, a representative action on behalf of several thousand superfund employees in relation to breaches of their privacy rights in 2013 failed in an action to obtain compensation.[1]  However, that decision was given before the most recent amendments to the Privacy Act and it is likely that a class action taken now would potentially generate a benefit to claimants. A range of relevant actions taken in the UK and the US are such that privacy-related class action claims can be considered an emerging risk area for businesses.

It's far less damaging to an organisation's reputation to identify and rectify any non-compliance internally rather than having it publicly exposed by a data breach or a regulator such as the Office of the Australian Information Commissioner (OAIC).

Historically, the OAIC has been a significantly underfunded regulator. Since the first enforceable undertaking was issued in 2015, there have only been 10 such undertakings and the number of decisions is also relatively small. While historically assessing privacy as a low-risk area of the business may have been justified, for the reasons set out above in relation to emerging regulation that situation is changing and the lessons from the case studies below are worth learning and triggering the investment in a privacy audit.

Will the time and cost of an audit be worth the investment?

Two case studies of an external audit provide some lessons for businesses. Multiple privacy and data protection blunders within government agencies were uncovered in recent years in external audits conducted by the Audit Office of NSW. We take a look at the two examples of Service NSW and Transport for NSW, unpack the systemic contributing factors identified by the Audit Office and break down the lessons for businesses. While these are government agencies, a number of the themes and practical issues that arose are just as common for the private sector.

Case study one: The Service NSW audit following a very public data breach

In March 2020, Service NSW experienced two cybersecurity attacks which resulted in third parties gaining access to the email accounts of 47 staff members, causing a significant breach of personal customer information contained in those email accounts. In December 2020, the Audit Office released a report on Service NSW's handling of personal information and identified poor data practices, ineffective privacy mitigation, IT weaknesses and use of legacy systems and processes as the primary factors contributing to the data breach. Rectifying and responding to the breach was incredibly costly for Service NSW and was, at the time of the audit, expected to exceed $30 million. This included spending on legal and investigative resources and external consultants and did not extend to the costs of compensation to affected individuals (such as the cost of replacing licences or passports of affected individuals).

Audit findings

The Audit Office made six key findings as to the cause of the data breaches.

1. Rapid growth had exacerbated Service NSW's risk profile

Service NSW had experienced significant growth leading up to the 2020 data breach, both naturally and due to increased demands on the agency to facilitate the government's bushfire and pandemic responses. By 2020, Service NSW was handling the personal information, including some sensitive data, of more than four million individuals.

The Audit Office considered that the agency's "significant and rapid growth" had "outpaced the establishment of a robust control environment" capable of responding to privacy risks.

It is vital, as an organisation experiences rapid growth, that it ensures its privacy plans and responses are consistently reviewed and re-developed to keep up with the organisation's changing risk profile.

The Audit Office found that, as Service NSW grew, it faced increasing demands on its resources which limited its capacity for revisiting and redesigning business practices. The failure or inability to take the time and use the resources to ensure privacy controls were fit for purpose was a theme of the Audit Office's report.

2. Service NSW's privacy controls and responses were inadequate

The Audit Office also found that when privacy risks were identified, the controls implemented to address them had been inadequate. For example, to mitigate the risks associated with emailing personal information, staff were required to manually delete emails on a regular basis. The Audit Office considered this response was ineffective and that it would have been preferable to implement technical solutions, such as a secure mechanism for transferring personal information, rather than relying on manual processes and staff training.

3. IT systems suffered from systemic weaknesses

The Audit Office determined that, as Service NSW grew, the cloud software it used to manage client relationships, Salesforce, should have been upgraded or replaced to suit the volume and sensitive nature of customer information increasingly handled by Service NSW. The report found that the software, while appropriate for Service NSW's risk profile when it was first acquired, was not designed for storing sensitive information or the volume and variety of transactions that Service NSW increasingly undertook as it grew.

Other IT weaknesses included deficient protocols for managing user access levels. This exposed the agency to a greater risk of unauthorised access to customers' personal information. The lack of multi-factor authentication for accessing Service NSW's email system was also considered to have been a key contributing factor to the breach because the third party hackers had been able to access the email server more easily. The risk associated with a lack of multi-factor authentication had previously been identified but not addressed.

4. Insufficient detail in third party agreements

Service NSW's agreements with other agencies dealt with privacy in a very high-level sense and did not assign responsibilities between the parties. For example, they did not set out which party would issue a collection notice to customers, how long Service NSW would retain information, planning for data breach responses or how data would be stored securely. Assigning responsibilities ahead of a breach incident ensures both parties can respond quickly and effectively.

5. The privacy management plan did not reflect the current risk profile or governance structure

Service NSW had failed to update its privacy management plan to reflect the variety of transactions and personal information it increasingly handled. For example, the plan did not include processes for handling sensitive health information and had not been updated to reflect governance changes associated with the incorporation of Service NSW within the Department of Customer Service (DCS).

6. Service NSW did not regularly review its legacy systems and processes

While Service NSW adopted a privacy protective approach to designing new projects, for example, by routinely undertaking privacy impact assessments, there had been no comprehensive or regular review of whether the agency's existing  processes posed any risks to the security of personal information. This meant that processes such as the scanning of emailing of personal information were allowed to persist as common practice despite an awareness that they were risky.

What issues identified here might apply to your business?

Two standout issues are the consequences of rapid growth, which for business might be organic or by acquisition, and the use of legacy systems. If through growth legacy systems are asked to do more than originally planned, they may well not be fit for purpose. In a privacy context, the security and accessibility of personal information may fall short of current standards. Stepping back and interrogating or auditing the system can bring these problems to light so that they can be managed internally before a problem arises. However, as the next case study shows, simply identifying an issue is not enough.

Case study two: Transport for NSW

Public transportation systems, such as those operated by Sydney Trains and Transport for NSW, are part of the country's critical infrastructure and as such face specific risks of cyberattack. In 2020, the Audit Office undertook an assessment of the agencies' preparedness for a cyberattack and their compliance with the NSW Cyber Security Policy, including the quality of their cybersecurity risk identification and management capabilities. The report found that cybersecurity risks were not being effectively managed by Transport for NSW and Sydney Trains. In a self-assessment, the agencies had failed to identify all relevant risks and both agencies were found to have low maturity in relation to risk management.

Audit findings

1. Agencies had failed to identify their "crown jewels"

Under the NSW Cyber Security Policy, agencies are required to identify their "crown jewels" being the most valuable or operationally vital systems or information within the organisation. The Audit Office found that Transport for NSW had not maintained a comprehensive record of their IT systems nor had they assigned any classification to systems based on their value to the organisation. While this is a public sector concept, private sector entities should also consider what the essential "crown jewel" systems of their organisation are and allocate appropriate resources to their protection.

2. Agency staff do not have sufficient cybersecurity training

The Audit Office found that staff at both Transport for NSW and Sydney Trains had low cyber awareness. In testing of agency staff via a "scam simulation", 24 per cent of Transport for NSW staff and 32 per cent of Sydney Trains staff had clicked on a link from a simulated scam email. The low cybersecurity awareness reflects low training levels across both agencies. For example, only 4.2 per cent of Sydney Trains staff assigned the Cyber Security Safety for New Starters training program had completed it.

3. Poor communication of risk information to executives

Agency executives were not sufficiently involved in cybersecurity risk identification and management. For example, the Audit Office found there were no procedures for regularly updating agency executives as to potential cyber risks. Without such reporting mechanisms, there was no comprehensive response to or management of cybersecurity risks.

4. Implementation of cybersecurity plans was significantly delayed

Sydney Trains had developed a cybersecurity plan but, one year on, had not implemented any of the privacy law bulletin relevant processes. Despite public transportation systems being identified as part of Australia's critical  infrastructure and at risk of cyberattack, the Audit Office  determined the agencies had a low level of maturity in  their compliance with cybersecurity standards set by the  Australian Cyber Security Centre.

5. Funding for cybersecurity risk mitigation was inappropriately allocated

The agencies had not allocated cybersecurity-specific funding in a way that prioritised issues of greatest risk to the organisations.

6. Failure to audit third party contractors

The agencies had not exercised their contractual rights to routinely audit third party contractors in respect of their cybersecurity obligations.

What issues identified here might apply to your business?

Not that we thought a privacy article would ever talk about "crown jewels" but do you know your key systems that need the most protection, and then, have you implemented that level of security? If you can't answer this fundamental threshold question, then the entire business is potentially at risk. This case study also highlights the issues around training and human error, the lack of training for staff generally to be aware of phishing and other scams was compounded by executives not having a deep understanding of the risk and consequent need for training and other controls. Finally, implementing plans had been delayed. There is always something urgent, but cybersecurity is important and can't be pushed back for any extended period.

Lessons from the case studies as to why you should do your own audit

1. It's more cost-effective to comply in advance than to suffer a breach or regulatory action

Conducting an internal audit gives your organisation the opportunity to identify systemic privacy and cybersecurity issues before they play out in the public domain, for example, in the event of a data breach or investigation by a regulator. The cost of undertaking an audit is relatively insignificant compared with the potential cost of rectifying a data breach, paying pecuniary penalties and rebuilding trust amongst the customer base. Recall that Service NSW's cost of remedying its 2020 data breach was expected to cost more than $30 million.

2. Governance and accountability drive action

It's important to ensure your organisation's privacy plans and controls are updated to reflect changes to the governance structure. When Service NSW was subsumed into the DCS, its privacy management plan was not updated to reflect relevant changes such as the fact that its audit functions were moved to the DCS. The result being that its internal accountability framework lost integrity. While this type of restructure may not occur in a business environment, regularly checking reporting lines and coordination on privacy matters is essential. Do you have a senior executive with responsibility and a reporting line to ensure issues are reported and dealt with?

3. Business growth should be a trigger for privacy reviews, not a distraction

As a business grows, it's vital that the increased demands on the business do not distract from the need to ensure that privacy practices, systems and procedures are fit for purpose. Periods of growth should trigger a review of existing software, personal information handling processes and privacy controls.

4. When investing in a pro-privacy future, don't forget to look back

Businesses are increasingly taking a "privacy by design" approach to future projects. However, it is equally important to examine existing processes which may undermine that approach and present a hidden liability for the business. Does your business have any "legacy systems" or procedures for handling personal information? If so, consider a privacy impact assessment to determine the risk of continuing "as is". For example, the use of emails to transmit personal information and storage of sensitive information in unencrypted plain text fields are common causes of data breaches and costs.

Where to start?

Organisations looking to interrogate their own cybersecurity and data protection maturity should ask themselves the following:

  • have you done an organisation-wide data mapping exercise? Understanding when, where and how personal data is collected, stored, used and disclosed through-out your organisation will tell you where your risk lies and where to start.
  • has your board and/or senior leadership assessed its "risk appetite" and allocated appropriate resources for mitigating privacy risk?
  • do you know what your "crown jewels" are and how they are protected?
  • do your contracts clearly allocate risk and responsibility for information security? If you share personal information with third parties, including your suppliers and contractors, allocating roles and responsibilities for privacy compliance in a contract can help avoid a bigger headache in the event of a breach.
  • do you embed "privacy by design" in systems and processes as much as possible, so "human error" can be reduced?

Footnote

See "PB" and United Super Pty Ltd as Trustee for Cbus (Privacy)  [2018] AICmr 51 (23 March 2018).

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.