On 12 March 2014, the amended Privacy Act 1988 (Cth) (Privacy Act) and the associated Australian Privacy Principles (APPs) and APP Guidelines (Guidelines) came into effect. One of the most significant changes under the amended Privacy Act is the new and considerable power of the Australian Information Commissioner and the Privacy Commissioner to hold businesses and organisations responsible for breaches of, or unauthorised access to, the personal information they hold.
Case study: Telstra - fined, disciplined and made to behave
On 11 March 2014 the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority found, in related investigations, that Telstra had breached privacy laws. Essentially, between February 2012 and March 2013, the personal information of 15,775 Telstra customers from 2009 and earlier was easily accessible on the internet via simple Google searches. This information included names, telephone numbers and home and business addresses. Although one might assume that no one would have come across that information, Telstra stated that there appear to have been at least 166 unique downloads of those records.
What Telstra breached in this case was the National Privacy Principles (NPPs) - the predecessor of the APPs. The OAIC found that Telstra had breached the NPPs by failing to take reasonable steps to ensure the security of the personal information it held, failing to take reasonable steps to destroy or permanently de-identify the personal information it held and by disclosing personal information, other than for a permitted purpose.
For its pains, Telstra was required to pay a fine of $10,200 and to amend its practices and mechanisms by auditing its systems, closing down the software platforms on which the incident occurred, establishing a clear policy for central software management and renewing its contracts with third parties in relation to personal information handling.
What does this all mean?
While Telstra was dealt with under the old set of laws, its experience serves as a timely reminder to organisations and businesses of the obligations they have under the APPs to ensure the security of the personal information they hold. Timothy Pilgrim, the Privacy Commissioner, stated:
All entities bound by the Privacy Act must have in place security measures to protect personal information.
The reality is that the new legislation applies not just to business giants such as Telstra, but also to the everyday small business. It gives the OAIC new enforcement powers, including the ability to seek penalties of up to $1.7 million against companies found to have breached their obligations to protect the personal information they hold.
But my company or organisation isn't large!
Some media outlets have suggested that organisations and businesses that experience data breaches as a result of cyber attack or hacking may be "let off the hook", particularly those which are smaller or are not national organisations.
The OAIC issued a press release on 6 March 2014 which makes clear that the idea that a company may be "let off the hook" is inaccurate and does not reflect the APPs or the Guidelines. Further, the OAIC indicated that a failure to comply with the new legislation may result in black marks being recorded against the name of the infringing entity and expose that entity to a heightened chance of being the subject of a costly government audit.
APP 6 outlines the circumstances in which an entity may use or disclose personal information. Under this provision, an entity will not be held to have "disclosed" personal information where a third party intentionally exploits the entity's security measures and gains unauthorised access to the information. Nonetheless, the entity may still be found to be in breach of APP 11 when this occurs.
APP 11 requires entities that hold or store personal information to take reasonable steps to protect that information from misuse, interference, loss, unauthorised access, modification or disclosure. If an entity fails to take "reasonable steps" to prevent unauthorised access, such as hacking, it may be held to be in breach of APP 11. In other words, the fact that an intruder did the accessing does not excuse the entity; the question is whether the safeguards it had in place were reasonable.
In effect, even small or family-based companies and organisations that are large enough to be covered by the Act will not be excused for cutting costs by failing to implement and maintain appropriate security measures to protect personal information.
Lavan Legal comment
It is worthwhile noting, by way of a caveat, that the Privacy Commissioner has also stated that:
We would take into account the size of an organisation, but it is only one factor... We would be looking at what [security and risk] standards have been applied... to see what may be applicable to the size of the entity in terms of availability of systems and their cost.
In spite of the Privacy Commissioner's willingness to apply these considerations, it is essential that you and your business or organisation make sure that appropriate and reasonable steps are taken to ensure the security and protection of any personal information you may store or hold. This may be achieved by:
conducting regular reviews of information security measures, with the frequency of review matched to how often your organisation changes its processes, information, personnel, applications and infrastructure;
implementing and maintaining information security measures identified by those reviews; and
regularly monitoring the operation and effectiveness of those measures and strategies.