Our first Information Matters for 2021 coincides with Data Privacy Day, or Data Protection Day as it is known in some regions.

The day aims to raise awareness about the importance of respecting privacy, safeguarding data and enabling trust.

These 3 objectives are at the core of the OAIC’s work to advance online privacy protections for Australians and influence and uphold privacy frameworks. They have also been integral to the global response to the COVID-19 pandemic and remain as relevant as ever.

Building trust in the community that contact tracing and health data would be protected was vital to the response to the virus and will continue to be as we work to reopen borders and seek to return to a more normal way of life.

We begin 2021 cautiously optimistic that the arrival of vaccines will bring significant benefits, both locally and internationally.  As was the case with the COVIDSafe app, we will continue to engage on information-handling aspects of national COVID-related initiatives such as the vaccine program.

This year will be a significant one for advancing privacy protections for Australians, with a conclusion expected to the Attorney-General’s Department’s review of the Privacy Act.

This is an opportunity for Australia to strengthen its privacy framework to ensure fair information handling and prevent harm in the digital age, protect fundamental human rights, and build public trust to support a successful data-driven economy.

Central to that theme of trust, one of the key features of our submission to the review is a greater emphasis on the rights of individuals and the obligations of entities to protect those rights to ensure the public interest is served by privacy law into the next decade.

In 2021, the OAIC will also work with stakeholders to develop a binding code of practice for online platforms and social media that provides stronger privacy protections for Australians in these spheres, including people with particular needs, such as children.

While the pandemic response focused attention on the importance of protecting personal information, it also highlighted issues of information access. Providing expert information to the community proactively has been a feature of the COVID response, enabling individuals to play their part.

However, during the past 12 months, redeployment of resources may have impacted FOI processing times for some agencies. It is important that resources are adjusted to ensure timely processing of requests for access to documents as we return to a COVID normal. 

FOI is a whole-of-agency responsibility, requiring the support of senior staff to ensure policies and procedures are adequate and operationalised. In 2021 the OAIC will continue to support agencies to realise this goal and to proactively disclose and publish information, to help streamline agency FOI operations and assist meeting statutory timeframes.

Next month marks the 3-year anniversary of the Notifiable Data Breaches scheme, which is now well-established and an important mechanism for motivating organisations that handle personal information to take a proactive stance when it comes to preventing and mitigating data breaches. Our continued focus on personal information security will also be reflected in our regulatory activities.

The more recently established Consumer Data Right commenced in the banking sector in July 2020, giving consumers greater choice and control over their data. The OAIC will continue to provide guidance to participants and consumers about the system’s privacy safeguards and how we will exercise our regulatory powers, as we work with the ACCC and Treasury to bring the energy and other new sectors on board.

And finally, Data Privacy Day provides a great opportunity at the start of the year for everyone to check in on privacy protections and personal information handling practices. Our website has some great resources to help individuals reboot their privacy, and to assist organisations with privacy best practice.

Our best wishes for a safe and secure 2021.

Angelene Falk
Australian Information Commissioner and Privacy Commissioner

Data breaches attributed to human error continue to increase, our latest Notifiable Data Breaches Report shows.

Commissioner Falk said the OAIC received 539 data breach notifications from July to December 2020, an increase of 5% on the previous 6 months.

“In the past 6 months, we saw an increase in human error breaches both in terms of the total number of notifications received – up 18% to 204 – and proportionally – up from 34% to 38%,” she said. 

“The human factor is also a dominant theme in many malicious or criminal attacks, which remain the leading source of breaches notified to the OAIC.

“Organisations need to reduce the risk of a data breach by addressing human error – for example, by prioritising training staff on secure information handling practices.” 

Commissioner Falk has determined the Department of Home Affairs (formerly the Department of Immigration and Border Protection) interfered with the privacy of over 9,000 detainees in immigration detention by mistakenly releasing their personal information.

The Commissioner has ordered Home Affairs to pay compensation to almost 1,300 class members who made submissions or provided evidence of their loss or damage, provided they have demonstrated that they suffered loss or damage as a result of the data breach.

The representative complaint followed the publication of a detention report on the department’s website in 2014, in error. The report contained embedded personal information that could identify all persons in immigration detention on 31 January 2014.

“This matter is the first representative action where we have found compensation for non-economic loss payable to individuals affected by a data breach,” Commissioner Falk said.

“It recognises that a loss of privacy or disclosure of personal information may impact individuals and depending on the circumstances, cause loss or damage.” 

The full determination can be found on AustLII.