Finance the worst privacy offender: report

The finance sector is the most commonly complained about sector in regards to privacy, with the Office of the Australian Information Commissioner (OAIC) revealing in its first annual report how many complaints it receives and how many are actually resolved.

The OAIC draws together the Privacy Commissioner and the new roles of the Australian Information Commissioner and the Freedom of Information Commissioner.

In the report, the office found that the finance sector continues to be the most commonly complained about sector on matters of privacy. The Australian Government ranked second, while the telecommunications sector came in fourth under debt collectors, credit and tenancy databases.

(Credit: Office of the Australian Information Commissioner, CC3.0)

However, on an individual basis, Telstra stood out as the second most complained about organisation, racking up 54 complaints in the past financial year. The Commonwealth Bank had 26 complaints, Optus had 22 complaints, while Vodafone had a lower 17 complaints despite recent issues surrounding the privacy of customer details. Credit reporting organisation Veda Advantage was the most complained about organisation.

(Credit: Office of the Australian Information Commissioner, CC3.0)

Complaints by themselves do not indicate that an organisation was actually in breach of the Privacy Act or that a full investigation was undertaken. In fact, 56.9 per cent of complaints were declined, commonly because there were no privacy issues, the complaint wasn't about the individual who was raising the issue, the problem hadn't been raised with the respondent before contacting the OAIC, or the individual hadn't given the respondent enough time to deal with the complaint. In these cases, the complaints are not resolved.

About 32 per cent of complaints did make it to a preliminary inquiry before being closed. In these cases, the majority were closed as the firms hadn't interfered with privacy or the respondent had adequately dealt with the complaint. The most common actions respondents took to deal with complaints at this stage was to amend records, provide access to records, apologise and change their procedures. Other less common actions included compensation of up to $5000.

About 11 per cent of complaints were investigated further, but two thirds of complaints had already resolved by the respondent before the OAIC had completed this more detailed investigation. The respondents that had reached this level of investigation took similar actions to ease privacy problems, such as amending or providing access to records, apologising and changing its procedures. There were fewer cases of compensation, but these included higher amounts being paid to complainants.

(Credit: Office of the Australian Information Commissioner, CC3.0)

The OAIC also received, separately, 56 voluntary data breach notifications, representing a 21 per cent increase from the previous financial year. A lack of legislation around data breach notifications has meant that organisations are not required to report them. Forensic investigators have reported that Australian data breaches have doubled compared to the previous financial year, highlighting the number of breaches that go unreported.

The OAIC's full report (PDF) is available online.