Privacy Commissioner to hit leakers harder

The Australian Privacy Commissioner Timothy Pilgrim is set to get tougher on those that are careless with users' personal information by exercising more of his existing powers.

(The many eyes of Big Brother image by Quinn Dombrowski, CC BY-SA 2.0)

In his speech for the iappANZ (International Association of Privacy Professionals Australia/New Zealand) 2011 Privacy Summit held today in Melbourne, Pilgrim said that he would be changing the approach that the commissioner would take in response to serious privacy breaches in the current absence of data breach-notification laws.

Currently, the commissioner is unable to force organisations that leak personal information to do anything unless the complaint was made from an individual. This means that although the Commissioner can conduct its own investigations, of which 59 were carried out in the last financial year, it cannot direct companies to secure their systems.

"Under the current Privacy Act, we are unable to impose a sanction on an organisations when we have initiated an investigation on our own motion without a complainant."

Even in cases where individuals have complained, and the commissioner is able, under section 52 of the Privacy Act, to make a determination, Pilgrim said that historically, the commissioner adopts a conciliation-focused approach.

This approach has been met with criticism, with Pacific Privacy Consultant Nigel Waters stating at a previous iappANZ event that he had been "disappointed with the vigour with which successive privacy commissioners have exercised their existing powers", and thought that they "could have been more proactive, particularly in actually taking complaints through to formal determinations".

However, Pilgrim indicated today that this is set to change.

"For particularly serious privacy breaches, or where conciliation is not appropriate, I am prepared to use my power to make determinations directing how complaints should be resolved. My determinations are enforceable in the Federal Court."

He stated that he "will soon be issuing the first determination under section 52 of the Privacy Act in seven years" against a private sector organisation, and intends to publicly release his findings within the next week.

The stricter approach to privacy could put weight behind the commissioner's push for greater powers, which will allow the commissioner's office to make determinations on its own investigations, and accept undertakings from other agencies or organisations. While the government hasn't committed to the powers by the way of exposure draft legislation, it has stated that it intends to make appropriate amendments to the Privacy Act.

"Additional powers will provide added credibility for enforcement of privacy law, reinforce the significance of privacy compliance, and give departments and agencies an even greater incentive to take their privacy responsibilities seriously," Pilgrim stated.