OAIC received 114 voluntary data breach notifications in 2016-17

The office led by Information and Privacy Commissioner Timothy Pilgrim received 114 voluntary data breach notifications, 35 mandatory digital health data notifications, and 2,494 privacy-related complaints during the 12-month period.
Written by Asha Barbaschow, Contributor

During the 2016-17 financial year, the Office of the Australian Information Commissioner (OAIC) received a total of 114 voluntary data breach notifications, with a further 35 mandatory digital health data breach notifications also reported, the agency's 2016-17 Annual Report [PDF] has revealed.

With the number of voluntary breach notifications up 29 percent on the previous year, the OAIC credited its efforts to raise awareness of the voluntary scheme, along with the guidance resources it has published, with encouraging more entities to come forward.

The top five sectors that were the source of the reported breaches were the Australian government, finance and superannuation, retail, health service providers, and telecommunications providers.

While the 114 notifications were made willingly, from February next year organisations in Australia will be required, under the country's impending data breach notification laws, to disclose incidents involving personal information, credit reporting information, credit eligibility information, or tax file number information of individuals that would put those individuals at "real risk of serious harm".

The OAIC is already responsible for mandatory digital health data breach notifications. Under that scheme it received six notifications from the My Health Record System Operator, all relating to unauthorised access to a My Health Record by a third party, the report explained, and a further 29 notifications directly from the chief executive of Medicare.

Of the 29 Medicare notifications, nine concerned separate breaches caused by the Medicare records of individuals with similar demographic details being intertwined, which the OAIC said resulted in Medicare uploading data to the wrong individual's My Health Record.

My Health Record -- the Australian government's e-health record system -- was in August given the go-ahead from the Council of Australian Governments Health Council to begin automatically signing up Australians.

Separately, at around the time investigations were beginning into the Guardian's reports that Medicare card details were being sold on the dark web, a further 20 notifications covering 123 individual breaches arose from findings under the Medicare compliance program. In these cases, Medicare claims made in a healthcare recipient's name, but not by that recipient, had been uploaded to their My Health Record, the OAIC explained.

Commissioner-initiated investigations were also up on the 2015-16 total, with Information and Privacy Commissioner Timothy Pilgrim opening 29 investigations that were not prompted by the organisation concerned first notifying his office of a breach.

"Commissioner-initiated investigations are often conducted in response to significant community concern or discussion, formal referrals from other government agencies, or in response to notifications from third parties about potentially serious privacy problems," the report says.

"Our key objective in undertaking a [commissioner-initiated investigation] is improving the privacy practices of investigated entities."

Speaking at the iappANZ 2017 Summit in Sydney earlier this month, Pilgrim revealed that the number of privacy complaints made to the OAIC rose to 2,494 this year. At the time, he said the "upward swing of public interest" reflected Australians' increasing trust in the OAIC and their growing comfort with exercising their right to lodge such a complaint.

"The most common issues raised were use and disclosure, security, and individuals' ability to access their personal information, collection, and the quality of the information being held by industry," he explained.

"Australian government agencies have a unique position in terms of their ability to collect and hold vast amounts of personal information, and so it is fair that they demonstrate the highest standards of personal information protection."

In its annual report, the OAIC said it investigated all of the allegations it received of mishandling of people's personal information, and offered a handful of case studies.

In December, the National Australia Bank (NAB) apologised and took full responsibility for sending the personal data of 60,000 customers to an "incorrect email address". NAB notified the OAIC as soon as it became aware of the incident, and the OAIC said the bank corrected its systems to contain the breach and prevent a recurrence.

Also during the year, the OAIC assessed a range of sectors including loyalty programs, identity verification, telecommunications, education, and government, in addition to assessments conducted in the digital health sector.

As flagged in the OAIC's Corporate Plan 2017-18, published in August, Pilgrim's office will conduct assessments of Australian government agencies over the next 12 months, as part of the commissioner's role in encouraging agencies and businesses to "respect and protect" the personal information of citizens that they handle.

During 2016-17, the OAIC also looked into the tax file number (TFN) handling practices of six specified Australian government agencies -- the Australian Taxation Office, Australian Prudential Regulation Authority, Department of Human Services, Department of Education and Training, Department of Veterans' Affairs, and the Department of Social Services -- each of which is obliged to make a range of information publicly available about how it handles TFN information.

The OAIC commenced an assessment that looked at how well the agencies meet their obligations under the Privacy (Tax File Number) Rule 2015, and will report in the coming months on its findings.

The agency's annual report also explained that the OAIC performs a number of functions to ensure that government agencies understand their privacy requirements and adopt best privacy practice when undertaking data-matching activities.

"It's my observation that developments in technological, social, commercial and government service delivery environments continue to drive increasing community and professional interest in privacy and privacy governance," Pilgrim wrote in the report's overview.

"A successful data-driven economy needs a strong foundation in privacy. That message is now as vital to the public sector as to private, as the Commonwealth seeks to build community trust for the future success of data, cyber, and innovation agendas."

In the report released on Thursday, Pilgrim said the Australian Public Service (APS) Privacy Governance Code, which comes into effect on July 1, 2018, will provide a clear outline on what the public can expect from agencies handling their personal information.

"It will help build public trust and confidence in government information-handling practices -- by creating a clear, compulsory privacy standard across all of government," he explained.

During the year, the OAIC handled a total of 16,793 privacy enquiries, which was a 12 percent decrease on last year. Of those, 14 were made in-person to the OAIC.

Pilgrim said the upcoming data breach notification legislation, coupled with the APS code, will "jointly strengthen Australia's privacy governance" in both public and private sectors.

"The OAIC has long been an advocate for more open, accountable, and responsive government," the commissioner added.

"As Australians understand privacy rights more and more they are increasingly likely to enforce them -- so it is not surprising that complaints registered for resolution with our office have increased by 17 percent this year."
