Over 100 data breaches voluntarily reported to OAIC in past year

The Office of the Australian Information Commissioner received over 100 voluntary data breach notifications, and saw a 43 percent increase in privacy complaints in the 12 months since changes to the country's Privacy Act came into effect.
Written by Leon Spencer, Contributor

The Office of the Australian Information Commissioner (OAIC) has revealed that it received more than 100 voluntary data breach notifications in the 12 months since changes to the country's Privacy Act 1988 came into effect in March 2014.

The OAIC said on Thursday that it had received 104 voluntary data breach notifications from the industry, 14,064 privacy enquiries, and commenced 13 privacy assessments.

The agency also revealed that it had seen a 43 percent increase in privacy complaints for the year, compared to the previous year, reporting 4,016 privacy complaints.

Late last year, the OAIC released its annual report, revealing that it had received 4,239 privacy complaints during the 12-month period ending June 2014, a marked increase from the 1,496 complaints it received the previous year.

Now, the "privacy law reform report card" represents the first 12 months of new privacy legislation that applies to Australian government agencies, private sector businesses, and not-for-profit organisations covered by the Privacy Act.

The changes to the Act included the introduction of a new set of unified privacy principles -- dubbed the Australian Privacy Principles -- changes to the credit reporting provisions, and new enforcement powers for the commissioner.

The reforms allowed the public to request access to their personal information held by an organisation or agency; request a correction to their personal information held by an organisation or agency; opt out of receiving direct marketing communications from organisations; ask an organisation where they collected their personal information from; and find out whether their personal information will be sent overseas.

It was the second time the Privacy Act had been reformed; the legislation was first altered in 2001, when it was extended to include the private sector. Initially, it was only applicable to Australia's federal public sector and the credit reporting agencies.

The changes also saw the privacy commissioner -- one of two commissioners that operate under the OAIC -- given the power to proactively seek out whether businesses are being compliant, accept written undertakings that are enforceable through courts, and issue fines of up to AU$1.7 million if consumer data is not adequately protected.

Australian Privacy Commissioner Timothy Pilgrim said that he has been pleased to see private organisations and government agencies respond positively.

"This is recognition that good privacy practices are good for business, particularly in building customer trust," he said. "For the next 12 months, our focus will be on governance, assisting organisations and agencies to build a culture of privacy, and ensuring that organisations and agencies are proactive in meeting their compliance requirements.

"My message for all organisations and agencies is: It is more effective, and ultimately cheaper, to embed privacy in day-to-day processes than it is to respond to issues such as data breaches as they arise," he said.

The OAIC had been facing extinction at the end of last year, following funding cuts outlined in the federal Budget 2014, delivered last May. However, the Bill proposing its closure was not considered in parliament before the end of the 2014 sitting period, offering it a reprieve.

"The OAIC continues to process information commissioner reviews and extension of time applications. We are operating with reduced resources in anticipation of closure, and we will continue to review our processes to provide a limited service within our reduced capacity," the agency said in a statement in January.
