Australian Privacy Commissioner Timothy Pilgrim reappointed

Timothy Pilgrim has been reappointed as Australia's privacy commissioner, having served in the privacy office for 17 years.

Australian Attorney-General George Brandis has announced that Timothy Pilgrim has been reappointed as privacy commissioner for another 12 months, beginning on October 19.

Pilgrim operated as privacy commissioner from July 2010 until July 2015, and added the three-month role of acting information commissioner to his portfolio last month. Previously, he had served as deputy privacy commissioner from 1998 until 2010.

"As privacy commissioner, Mr Pilgrim has developed [a] good working relationship with the businesses (sic) community, consumer groups, and Australian government agencies in building awareness of privacy rights and obligations," Brandis said in a statement on Friday afternoon.

"An example was his extensive consultation with industry and consumer groups before the 2014 amendments to the Privacy Act commenced, and his continued focus afterwards on working with businesses to implement the changes to the Act."

Pilgrim has championed privacy and security for years in the face of the growing risks inherent in the digital world.

In regards to the recently passed mandatory data-retention legislation -- which will see all telecommunications customers' call records, location information, IP addresses, billing information, and other data stored for two years, accessible without a warrant by law-enforcement agencies -- Pilgrim fought for the inclusion of a provision whereby data-breach notifications would be mandatory should a leak of the data occur.

"By creating a large repository of personal information, the proposed data-retention scheme increases the risk and possible consequences of a data breach," Pilgrim stated in January.

"This is because the challenge of effectively securing that information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure will become more difficult as technology evolves."

He pointed out that telcos already receive a high number of complaints, with 13 investigations having taken place since he took the office in 2010 -- such as when Telstra made the details of 734,000 customers accessible online in 2011.

Pilgrim has historically taken a hard line against companies that cover up data breaches, saying in November last year that the concealment of a data breach "will not be looked well on by our office".

"I am disappointed when I hear comments that there is an attitude within some organisations of waiting for the [data] breach to happen, waiting for the complaint to be made, and, equally concerning, waiting to see an organisation taken to the courts for a civil penalty -- before taking the appropriate steps to manage and protect their personal information holdings. I personally hope this is just gossip," Pilgrim said last year.

Prior to its passing, Pilgrim also attempted to argue that the two-year retention period contained within the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 be assessed against the risk to privacy of storing such a large amount of personal data. He pointed out that 90 percent of investigations relying on retained data only use data that is less than one year old.

"If a decision is made to implement a scheme such as this which is going to require, as I said, the holding or the collection and retaining of huge volumes of data and personal information about people for a long period of time, we need to look at what else we can put in place to do our best to secure that information."

Such a risk would increase with the huge amount of data to be stored acting as a honey pot for would-be hackers. This is compounded by the fact that national security agencies will be accessing and sharing the customer data -- despite these organisations having a long history of privacy breaches through carelessness.

In February last year, the Immigration Department published the details of almost 10,000 asylum seekers, including their full names, dates of birth, genders, nationalities, periods of immigration detention, locations, boat arrival information, and the reasons why an entrant was classified as having travelled into Australia "unlawfully".

The information was available on the department's website for just over eight days, remaining on Archive.org for 16 days, and was removed from both sites only once The Guardian had alerted the department of the breach.

"This incident was particularly concerning due to the vulnerability of the people involved," Pilgrim said in November.

The breach occurred due to a staff member who had copied and pasted from a Microsoft Excel chart into a Word document, with the underlying data rendering the chart in Excel then embedded in the Word document.

"The commissioner found that had DIBP appropriately trained departmental staff involved in the creation of the detention report to understand the risks of embedded data and how those risks could arise, and in how to copy and paste graphs as pictures, the staff may have avoided making the error," the report [PDF] said.

KPMG's investigation into the breach [PDF] in June found that the document had been accessed 123 times from 104 IP addresses before being pulled down, with a report by the Office of the Australian Information Commissioner (OAIC) in November finding that this constituted a breach of the Privacy Act.

In a similar gaffe by Department of Immigration staff, the passport numbers, dates of birth, and visa information of world leaders attending last year's G20 summit in Brisbane -- including those of US President Barack Obama and Russian President Vladimir Putin -- were accidentally emailed to a member of the Asian Cup Local Organising Committee.

The department, however, did not deem it necessary at the time to inform those involved that their privacy had been breached -- despite the mandatory data-breach notification laws of some of those involved.

"Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach," the staff member was reported to have written.

The department subsequently established a task force into its own accountability and information management practices.

The Privacy Regulatory Action Policy, which details the privacy commissioner's powers and course of action in regards to data breaches and the failure to disclose them, was released last year.

OAIC has also been creating a "Guide to privacy regulatory action", which would further describe the office's powers, with an exposure draft having been released for scrutiny and submissions.