Serious privacy breaches - mandatory notification introduced

Privacy as a central concern in the modern technological age has become an almost hackneyed expression. Indeed, in its three-volume report on privacy in 2008 the Australian Law Reform Commission (ALRC) even posed the question "is privacy passé?" Despite this, with effect from 12 March 2014 the Commonwealth Government enacted legislation to enable the Privacy Commissioner to seek a civil penalty of up to $1.7 million against an organisation held to be in breach of the Privacy Act.
More importantly, on 22 February 2018 the Commonwealth Parliament proclaimed legislation requiring mandatory notification to the Office of the Australian Information Commissioner (OAIC) of data breaches involving serious harm, with the potential imposition of penalties on corporations of up to $2.1 million by the Federal Court.
In its first quarterly report for 2018 the OAIC made some telling findings in relation to notifiable data breaches. Unsurprisingly, just over half of the eligible data breach notifications indicated that the cause of the breach was human error. The top five sectors making notifications were health (24%), legal, accounting and management services (16%), finance (13%), private education (10%) and charities (6%). Ninety percent of notifications involved the personal information of fewer than 1,000 individuals.

Nigel Wilson