Australia | Publication | March 2020
If the reporting of data breaches in online news sources and Office of the Australian Information Commissioner quarterly reports during 2019 is anything to go by, Australian Government agencies continue to perform well relative to the private sector in terms of privacy compliance. However, as some of the data breach incidents which occurred in 2019 in other jurisdictions indicate, agencies must continue to be vigilant in their approach to ensuring compliance with privacy obligations and protecting against data breaches.
For example, in one of 2019’s particularly unsettling international cyber incidents, Ecuadorian authorities began an investigation in September into the leak of approximately 20 million citizens’ personal information – potentially Ecuador’s entire population, plus millions of deceased citizens. The data, exposed online via an unsecured database, reportedly included information that could enable the reconstruction of entire family trees, as well as personal information of millions of children.[1]
The next month, a database up for auction on the dark web was reported to contain personal information relating to 92 million Brazilian citizens. Just in case navigating such a large database unaided proved challenging for potential purchasers, the business-savvy perpetrators even claimed to offer a “look-up” service upon request.[2]
These incidents share a particularly alarming characteristic, even against the backdrop of another bumper year for worldwide data breaches: in both cases, a significant portion of the compromised data, if not all of it, appears to have been gathered from government databases.
Just like the private sector, Australian Government agencies are subject to the Privacy Act 1988 (Cth) and Australian Privacy Principles. However, additional requirements bind Australian Government agencies under the Privacy (Australian Government Agencies – Governance) APP Code 2017 which are practical and tailored to the government context. The intention is that Australian Government agencies should be model organisations in terms of privacy compliance, reflecting the vast amounts of personal information held by agencies.
In this article, we consider three key ways in which agencies can make the most of existing privacy obligations to maximise protection of the personal information entrusted to them, namely privacy impact assessments, vendor security and staff training.
The Australian Government Agencies Privacy Code requires agencies to conduct a Privacy Impact Assessment (PIA) for all “high risk” projects, namely projects that the agency reasonably considers to involve any new or changed ways of handling personal information that are likely to have a significant impact on individuals’ privacy.[3]
Over the past 12 months, Australian Government agencies undertook PIAs in respect of a range of projects and issues. Although they are not required to publish the PIAs which they conduct, agencies must maintain a register of PIAs on their websites.[4] Some common themes arise from a review of the PIA registers of Australian Government agencies. Agencies are conducting PIAs in connection with large IT projects (often involving the storage of information in the cloud), data sharing and data matching projects, the rollout of new HR, payroll and finance systems, as well as customer / user surveys. This is in addition to privacy issues or projects that are unique to a particular agency.
Conducting a PIA in respect of a project that may have a significant impact on individuals’ privacy offers a vital means of embedding privacy considerations at the foundational stage of a new project. We recommend the following for agencies looking to get the most out of their PIAs:
Non-corporate Commonwealth entities and prescribed corporate Commonwealth entities must, under the Public Governance, Performance and Accountability Act 2013 (Cth), comply with the Commonwealth Procurement Rules when procuring goods and services. Paragraphs 8.2 and 8.3 of the CPRs require those entities to establish mechanisms for identifying and managing risk when conducting procurement, including through the application of the Australian Government’s Protective Security Policy Framework.[5] Maintaining the confidentiality, integrity and availability of official information is one key outcome of that framework.[6] The Privacy Act also requires that agencies entering into Commonwealth contracts take contractual measures to ensure that contracted service providers do not engage in acts or practices that would breach the APPs if done or engaged in by the agency.[7]
Undertaking advance due diligence in respect of prospective service providers’ security processes is, of course, crucial. However, regularly reviewing your agency’s relationship with service providers can also help to prevent minor issues escalating into serious incidents. To improve your agency’s position, you may wish to consider expanding contractual provisions to include:
Agencies must conduct privacy education and training as part of new staff induction programs, and take reasonable steps to provide appropriate privacy education or training annually to all staff who have access to personal information in the course of their duties.[8]
According to the Office of the Australian Information Commissioner’s most recent report on the subject, human error accounted for approximately one-third of notifiable data breaches from 1 April to 30 June 2019.[9] Building employee preparedness is, therefore, a key way to reduce the risk of data breaches occurring.
An effective training program involves different types of knowledge-building. For example:
The last decade has proven time and again that no organisation or agency is immune from data breach incidents. However, taking these measures will put your agency in a good position not only to comply with its obligations at law, but also to ensure that, should a data breach occur, its response will be informed, timely and effective.
1. Palko Karasz and Anatoly Kurmanaev, ‘Ecuador Investigates Data Breach of Up to 20 Million People’, The New York Times (online), 17 September 2019 (https://www.nytimes.com/2019/09/17/world/americas/ecuador-data-leak.html); Catalin Cimpanu, ‘Database leaks data on most of Ecuador’s citizens, including 6.7 million children’, ZDNet (online), 16 September 2019 (https://www.zdnet.com/article/database-leaks-data-on-most-of-ecuadors-citizens-including-6-7-million-children/); Catalin Cimpanu, ‘Arrest made in Ecuador’s massive data breach’, ZDNet (online), 17 September 2019 (https://www.zdnet.com/article/database-leaks-data-on-most-of-ecuadors-citizens-including-6-7-million-children/).
2. Scott Ikeda, ‘Citizen Data of 92 Million Brazilians Offered for Sale on Underground Forum’, CPO Magazine (online), 10 October 2019 (https://www.cpomagazine.com/cyber-security/citizen-data-of-92-million-brazilians-offered-for-sale-on-underground-forum/).
3. Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) section 12.
4. Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) section 15.
5. Commonwealth Procurement Rules, 20 April 2019 (online) (https://www.legislation.gov.au/Details/F2019L00536/Html/Text#_Toc2325479).
6. Australian Government Attorney-General’s Department, Information Security, Protective Security Policy Framework (https://www.protectivesecurity.gov.au/information/Pages/default.aspx).
7. Privacy Act 1988 (Cth) section 95B(1).
8. Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) section 16.
9. Office of the Australian Information Commissioner, Notifiable Data Breach Statistics Report: 1 April to 30 June 2019 (27 August 2019) (https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-statistics-report-1-april-to-30-june-2019/).
See note 10.
© Norton Rose Fulbright LLP 2023