OAIC issues first report card on Privacy Act

The Office of the Australian Information Commissioner has issued its report on the first 12 months of operation for Australia's new privacy law, revealing it received more than 100 voluntary notifications of a data breach.

The OAIC released its report card today on the one-year anniversary of the introduction of the new Privacy Act.

The Act introduced a new set of Australian Privacy Principles (APPs) as well as changes to credit reporting provisions and new powers for Privacy Commissioner Timothy Pilgrim.

Pilgrim today said he was pleased with how organisations and agencies had responded to the challenge of implementing the changes required under the Act.

"This is recognition that good privacy practices are good for business, particularly in building customer trust," he said in a statement.

The OAIC revealed it had received 104 voluntary data breach notifications over the 12 month period.

Pilgrim and the OAIC have been lobbying the Government in recent years to legislate a mandatory data breach notification scheme to increase transparency and security.

Such a scheme looks set to arrive this year after the Government agreed to introduce the legislation as part of recommended changes to its data retention bill.

"Increasingly, data breaches are due to issues of technology and connectivity — hacking, malware, online scams. But you only have to look at these data breaches to understand the vital importance of privacy governance," Pilgrim said in a speech to the iappANZ conference today.

"In many cases there is a clear failure of governance, creating a vulnerability that is able to be exploited. The maturity of an organisation’s governance and leadership can be clearly seen in the importance placed on privacy, the way in which it is invested in, and how an organisation responds to a data breach."

The OAIC also received 4016 privacy complaints - a 43 percent rise on the previous year - and 14,064 privacy-related enquiries. It commenced 13 privacy assessments.

"For the next 12 months our focus will be on governance, assisting organisations and agencies to build a culture of privacy, and ensuring that organisations and agencies are proactive in meeting their compliance requirements," Pilgrim said.

"My message for all organisations and agencies is it is more effective, and ultimately cheaper, to embed privacy in day-to-day processes than it is to respond to issues such as data breaches as they arise."

The OAIC is currently working to a May deadline to roll out a privacy management framework, which will help organisations develop or review their privacy program.

The framework will also help businesses meet requirements under APP 1.2, in which organisations must take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs.

Principal consultant at infosec and privacy consulting firm Fortian Marcus Wong said the new legislation had had a positive effect on privacy efforts within Australian businesses.

"Since the new legislation has been in place, we have seen an improvement in privacy practices and awareness amongst Australian businesses, and observed greater focus on IT security measures aimed at protecting customer data," he told iTnews.

"The emphasis on privacy and security contributes significantly to building trust, which is a positive outcome for both businesses and their customers."