The Office of the Australian Information Commissioner (‘OAIC’) has released its 2020–21 annual report and performance statement.
In the past 12 months, the OAIC has sought to establish strong privacy protections to both increase public confidence in the use of personal information and minimise the public health risks associated with COVID-19.
In the quarter ended 30 June 2021:
General
- There were 975 notifications under the Notifiable Data Breaches scheme;
- Privacy complaints fell by 7% to 2,474;
- There were 151 Freedom of Information (‘FOI’) complaints;
- Applications for Information Commissioner reviews increased by 15% to 1,224; and
- There were 11,645 privacy enquiries and 1,824 FOI enquiries.
Complaint Processing
- 1,018 Information Commissioner reviews were completed, with over half finalised within 120 days;
- 174 FOI complaints were finalised;
- There were a record 17 privacy complaint determinations; and
- 2,151 privacy complaints were resolved.
Of the 17 privacy complaint determinations, the Information and Privacy Commissioner Angelene Falk (‘the Commissioner’) found 13 contraventions of the Privacy Act 1988 (Cth) (‘Privacy Act’).
One case of note was 'WP' and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2, in which the Commissioner handed down the first representative award compensating non-economic loss for interference with privacy.
The Commissioner ordered the Department of Home Affairs to compensate more than 1,297 asylum seekers for inadvertently publishing their personal information online in 2014. Critically, the Commissioner set out a procedure to assess each class member’s loss on a ‘case-by-case’ basis, reflecting a view that it is crucial to consider individual circumstances when assessing losses of this nature.
Continuing Reform and Legislative proposals
Since October 2020, the OAIC made 70 recommendations to ensure that the Privacy Act is fit for purpose in the post-pandemic digital age. The OAIC also made 16 formal submissions related to online privacy, including the Online Safety Bill 2020.
On 25 October 2021, the Attorney-General Michaelia Cash released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (‘the Online Privacy Bill’). The Online Privacy Bill seeks to provide further protection for Australians online through the introduction of a binding online privacy code for social media and certain other online platforms.
The online platforms subject to the code would need to comply with strict new privacy requirements, including stronger protections for children on social media. Under the code, social media platforms will be required to take all reasonable steps to verify the users’ age, and give primary consideration to the best interests of the child when handling children’s personal information.
The code will require platforms to obtain parental consent for users under the age of 16.
The Online Privacy Bill will also introduce tougher penalties and enforcement powers to enable the OAIC to resolve matters more effectively and efficiently.
Written submissions on the Online Privacy Bill were due on 3 December 2021 and submissions to the discussion paper on 7 January 2022. Submissions will be considered as part of finalising the Online Privacy Bill for introduction to Parliament.
Key Takeaways
The OAIC report emphasises the need for entities to continually improve their approach to preventing data breaches.
In order to avoid data breaches, entities should:
- Implement and maintain policies and infrastructure to address cyber incidents, especially ransomware;
- Adhere to their reporting obligations to the OAIC; and
- Notify the OAIC and affected individuals of a notifiable data breach as soon as it is practicable to do so.
If you have a query relating to any of the information in this article, or you would like to speak with someone in Holman Webb’s Business, Corporate and Commercial Group in respect of a privacy-related matter of your own, please don’t hesitate to get in touch today.