We spent months speaking about it and now the report is in. On Wednesday, 11 April 2018, the Office of the Australian Information Commissioner (OAIC) released their first quarterly report on the changes to the Privacy Law which commenced on 22 February 2018 relating to notifiable data breaches.
The figures speak volumes. Within 6 weeks of the changes becoming law, 63 data breaches were notified to the OAIC. During the 2016-2017 financial year, a total of 114 data breaches were notified on a voluntary basis. One can safely assume that the number of data breaches notified this year will far exceed that of any other year.
While it might be surprising to some, the trend remains that the majority of data breaches occurred as a result of human error. The OAIC’s full report can be found here.
The Commissioner has been busy in recent months. Last week the OAIC announced that it will be launching a formal investigation into Facebook’s conduct, following confirmation from Facebook that personal information of users was accessed by political media giant Cambridge Analytica without the consent of users.
More than 300,000 Australian Facebook users had their friends, religious and political beliefs, locations, Facebook activity and other such information passed on to Cambridge Analytica without their express consent. This figure accounts for 0.4% of the total of 87 million users who have been affected by the breach. It has since been revealed that this data was used for political purposes, to manipulate demographics and conduct targeted campaigns during the 2016 US presidential election.
Mark Zuckerberg fronted the US Congress to discuss the breach, where he revealed that his data was also disclosed to Cambridge Analytica.
Although it’s refreshing not to see Facebook publicly fall back on their “catch-all” terms and conditions to allow them to use and disclose data in a certain way, it appears they know that the negative media publicity is causing them more damage than a legal stoush regarding the scope of the terms. Reports have, however, emerged of a class action against the social media platform.
Facebook might be one of the most publicised investigations into privacy compliance, but it is sure to be only the start for the Commissioner regarding compliance with the privacy law.
The acting Australian Information Commissioner, Angelene Falk, has used the recent publicity to publicly affirm the importance of a good privacy framework. Organisations need to understand their privacy obligations and take the utmost care in handling, storing and disclosing the personal information of members and customers.
Your call to action is to ensure that your organisation:
(b) uses collection notices;
(c) has a data breach plan in place; and
(d) has employee policies and training in place that support each of the above.
Contact our office for more information regarding the recent changes to the Privacy Law.