Focus: Privacy Commissioner's tough new approach to information leaks
5 December 2011
In brief: The Australian Privacy Commissioner has outlined strict new tactics to deal with companies that are careless with customer or user data. Partner Michael Pattison and Lawyer Luke O'Sullivan report.
How does it affect you?
- Businesses are now on notice that the Privacy Commissioner intends to take a much tougher approach to privacy breaches.
- This includes a greater readiness to seek court orders for compensation where conciliation has failed.
- Businesses will need to ensure that they have rigorous data protection systems in place and instil a culture of information privacy.
In a speech to the International Association of Privacy Professionals Australia/New Zealand (iappANZ), delivered on 30 November, the Australian Privacy Commissioner summarised the tough new approach he will take to deal with companies that are careless with customer or user data. He intends to deliver his first determination under section 52 of the Privacy Act 1988 (Cth) (the Act) within seven days from the date of his iappANZ address. Under the current law, the Commissioner's determinations are enforceable in the Federal Court.
The Act confers upon the Commissioner broad powers to deal with interferences with privacy. These range from investigating an act or practice of an agency or organisation, to referring a determination for formal adjudication. On a proactive basis, the Commissioner is empowered under s27(1)(ab):
to investigate an act or practice of an organisation that may be an interference with the privacy of an individual ... and, if the Commissioner considers it appropriate to do so, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation.
The Office of the Privacy Commissioner has traditionally exercised its investigatory and settlement powers under s27 of the Act in a conciliatory manner and has come under attack for taking this approach to dealing with infringing conduct. The Office has been criticised for being reluctant to exercise its powers and not being sufficiently proactive in progressing complaints through to formal determinations.
However, that approach is set to change. In his speech, the Commissioner vowed that:
For particularly serious privacy breaches, or where conciliation is not appropriate, I am prepared to use my power to make determinations directing how complaints should be resolved. My determinations are enforceable in the Federal Court. [1]
Section 52 of the Act sets out the provisions for the issuance of a determination. Under that section, the Commissioner may, in response to a substantiated claim:
- make a declaration of his findings;
- declare that the respondent should perform acts to remedy the situation or practice, including the payment of compensation for loss; and
- in the case of a representative complaint, specify the amount payable for a claim.
Section 55A of the Act provides that proceedings may be commenced in the Federal Court or Federal Magistrates Court to enforce a determination.
If there was ever any doubt, it is clear that there is now a real and present need for the private sector to adhere to the National Privacy Principles (the NPPs).
For a business, there are two major risks that arise as a consequence of a failure of its systems and practices to deal adequately with information.
The first is the scope for reputational damage as a result of an adverse determination and declaration by the Commissioner. If the prospect of negative media reports and angry customers were not enough of a deterrent to lax information management practices, a formal declaration by the Commissioner against a business would be even more serious.
The second is the issue of monetary compensation. Although, on the face of it, this would seem a less serious issue than the damage to an organisation's reputation, it must be remembered that a large-scale breach of the NPPs may, in turn, lead to a large number of people suffering losses and, therefore, to an order to pay significant compensation.
In his 15 November address to the Office of the Australian Information Commissioner Information Policy Conference [2], the Commissioner stated that the Federal Government intends to legislate for the Commissioner's Office to have the formal power to make determinations arising out of its own investigations, without the need for a complaint by an individual. This would also remove the requirement under the current law for the Commissioner to refer a matter to the Minister in the absence of a complaint by an individual. The effect of this would be that the Office of the Commissioner would be empowered to investigate and proactively pursue organisations that it suspects are in breach of the Act.
All businesses must have in place robust processes for the collection, storage, use and disclosure of information. This includes rigorous and ongoing training for all employees, the completion and retention of compliance records, and firm strategies in relation to managing contractual arrangements and, particularly, outsourcing provisions. This is especially, though not exclusively, so for transborder data flows and is particularly relevant for businesses considering using cloud computing services. Businesses should also strive to engender a culture of privacy awareness, confidentiality, data protection and best practice in dealing with personal information.
- [1] M Lee, 'Privacy Commissioner to hit leakers hard', retrieved 1 December 2011 from http://www.zdnet.com.au/privacy-commissioner-to-hit-leakers-harder-339327067.htm.
- [2] T Pilgrim, 'Information Policy Conference address', retrieved 1 December 2011 from http://www.oaic.gov.au/news/speeches/timothy_pilgrim/timothy_pilgrim_OAICconf_Nov_11.html.