The Australian Information Commissioner's Federal Court proceedings against
Recent major data breaches have affected millions of Australians, with their sensitive personal information exposed to the risk of identity fraud and scams. This has created a renewed focus on strengthening the enforcement of the Privacy Act 1988 (Cth) (Privacy Act). The proceedings demonstrate the Commissioner's shift to a more proactive approach, following the granting of new regulatory powers, increased penalties and additional funding.
The Commissioner commenced the proceedings on
ACL collects and holds the health information of millions of Australians to provide tests through its pathology business. Personal information held includes contact details and copies of Medicare cards and numbers. The Commissioner conducted an investigation of ACL's privacy practices following a data breach in
The rarity of cases relating to section 13G was highlighted in the Australian Government's Privacy Act Review Report, which noted the lack of judicial consideration of section 13G and difficulties in identifying when the threshold of 'serious interference' had been breached. The Commissioner has only taken action for civil penalties on one other occasion (against
The maximum penalty for a breach of section 13G applicable in this case is
Under the Privacy Enforcement Act, the penalty for a serious or repeated breach of privacy by a body corporate has been increased to the greater of:
- three times the value of any benefit obtained through the contravention
- if the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the 'breach turnover period' (i.e. 12 months from the start of the month in which the offence occurred, or the duration of the contravention, whichever is longer).
The Privacy Enforcement Act also introduced reforms to the Notifiable Data Breach Scheme that provide the Commissioner with new powers to obtain information in relation to an actual or suspected eligible data breach, expand the Commissioner's powers to assess an entity's compliance with the Privacy Act to include notification of eligible breaches, and require entities to set out the kinds of information involved in an eligible data breach.
Strengthening enforcement of the Privacy Act is one of five key focus areas identified in the Australian Government's Response to the Privacy Act Review released in
The Australian Government has agreed that the OAIC should conduct a strategic organisational review to ensure it is structured to have a greater enforcement focus, which will include consideration of its resourcing requirements. Going forward, we can expect to see the Commissioner making use of the full range of their new powers to enhance the effectiveness of
Holding Redlich
© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source