NewsBite

Privacy watchdog primed for action on data breaches

At a time of high privacy awareness, the public expects those entrusted with their information to act as ethical stewards.

Human error and deception. Compromised credentials. One-off incidents.

This is the reality of most data breaches notified to the Office of the Australian Information Commissioner since mandatory reporting began in February.

Unlike the serial offending corporates portrayed in The Australian last week, the statistics highlight the human factor in data breaches.

At a time of high privacy awareness, the community expects those entrusted with their personal information to act as ethical stewards. They also expect regulators to take action to prevent breaches and to detect and remedy their issues.

Our focus as privacy regulator is to deliver outcomes for those affected by breaches of the Privacy Act.

Each year we receive close to 3000 complaints from individuals. These are resolved through a range of approaches, including conciliation and determination. These outcomes frequently involve compensation and drive improvements to privacy practice.

Our frontline staff assisted the public with almost 20,000 inquiries about privacy in 2017-18, and we audit a range of industries and agencies for compliance with the Privacy Act.

We apply our resources strategically to probe major incidents, including our ongoing commissioner-initiated investigation into Facebook.

Our work has led to enforceable undertakings that have driven systemic change within organisations where personal information practices have been deficient.

We take an evidence-based and proportionate approach, and we will not shy away from using the full range of our regulatory powers. That includes seeking civil penalties of up to $2.1 million per privacy breach through the Federal Court.

Privacy by design is critical to achieving compliance with the Privacy Act. This means embedding privacy from the top down to achieve best practice and cultural change. This requires a senior executive to act as privacy champion, a privacy management plan and privacy impact assessments to guide product development and day-to-day business.

It also demands customer communications about privacy issues that are transparent and meaningful, and allow an individual’s consent to be informed and freely given.

Businesses handling personal information should consider the ethical implications of their practices, and whether they line up with community expectations. Increasingly, privacy is not just a compliance issue, it’s about the bottom line.

Our 2017 survey on Australian community attitudes to privacy found 58 per cent of people have decided to avoid dealing with a private company because of privacy concerns. Last week, the HP Australia IT security study found 46 per cent of small to medium Australian businesses surveyed said customers were increasingly opting out of data collection and sharing.

Regulatory developments both here and overseas, such as our notifiable data breaches scheme, the Australian government agencies privacy code and the EU’s general data protection regulation, are also requiring greater transparency and accountability.

Australia’s notifiable data breaches scheme has the goal of ensuring that organisations notify affected individuals so they can take steps to minimise the risk of serious harm. It also holds entities accountable to their customers.

We help ensure breaches are contained and remedial action is taken, and we report quarterly on common causes to help regulated entities take preventive action.

Along with human error ‒ such as emailing the wrong person or losing documents ‒ compromised credentials are a key cause of the data breaches reported so far.

Whether to address the risk of a phishing incident or an insider threat (like the Westpac breach mentioned last week), all businesses handling personal information need a data breach response plan. This should outline steps to contain, assess, notify and mitigate the risk of serious harm.

We also identify serious and systemic issues that require further investigation and we will continue to take proactive regulatory action where required.

Angelene Falk is Australian Information Commissioner and Privacy Commissioner.


Original URL: https://www.theaustralian.com.au/business/technology/privacy-watchdog-primed-for-action-on-data-breaches/news-story/daab7b71b2aefa1d75827a7ab5370b20