The 2019-2020 year has been an eventful one in the privacy environment. In particular:
- The COVID-19 pandemic and subsequent COVIDSafe measures presented some unprecedented challenges for the regulation of personal information in Australia.
- Following a lengthy investigation, the OAIC launched its first civil penalty action against Facebook, in relation to the This is Your Digital Life app.
- In collaboration with the ACCC, the OAIC worked on the launch of the Consumer Data Right, which commenced on 1 July 2020.
The OAIC's 2019-2020 annual report (OAIC Report) was published on 15 October 2020, and provides a thorough review of the OAIC's functions over 2019-2020. This post details some of the key items set out in the OAIC Report.
The OAIC Report was published shortly before the release of the Review of the Privacy Act – Issues Paper, which seeks feedback on potential issues relevant to privacy reform. Submissions on that issues paper are due by 29 November 2020. We will be publishing a post on the issues paper shortly.
The OAIC's regulatory action and functions
The OAIC Report outlines the OAIC's strategic priorities for 2019-2020, which include:
- advancing online privacy protections for all Australians;
- upholding privacy rights frameworks;
- taking a contemporary approach to regulation; and
- a willingness to take steps that deter and rectify breaches of privacy where they occur.
Privacy complaints to the OAIC decreased by 19% from 2018-2019 (3,306) to 2019-2020 (2,673).
Most privacy complaints came from the following sectors:
- 12% Australian Government
- 11% Finance (including superannuation)
- 11% Health service providers
- 6% Retail
- 6% Telecommunications
- 5% Online services
The majority of privacy complaints received by the OAIC were in respect of the handling of personal information under the Australian Privacy Principles (APPs). The most prevalent issues were:
- use or disclosure of personal information (APP 6);
- security of personal information (APP 11);
- access to personal information (APP 12); and
- collection of solicited personal information (APP 3).
During the 2019-2020 reporting period, the most common privacy enquiries received by the OAIC were in relation to access to an individual's own personal information (APP 12), exceptions to the APPs, security of personal information (APP 11) and the use and disclosure of personal information (APP 6).
The Notifiable Data Breaches (NDB) scheme commenced in February 2018, and requires relevant organisations to assess suspected 'eligible data breaches' and then notify the OAIC and any affected individuals of an 'eligible data breach' (see our previous posts on the NDB scheme: Q&A on the NDB scheme with the Australian Information Commissioner, and Insights one year on from Australia's Notifiable Data Breach scheme).
The OAIC's report highlights an 11% increase in notifications to the OAIC under the NDB scheme from 2018-2019 (950) to 2019-2020 (1,050).
During 2019-2020, the OAIC assessed 55 entities in the government, finance, telecommunications, health and education sectors, closing 14 assessments during this reporting period.
The OAIC's assessments ranged from obligations under APP 1 (open and transparent management of personal information) and APP 5 (notification of the collection of personal information) to APP 11 (security of personal information). Some of the OAIC's notable assessments include:
- COVIDSafe: As part of the Australian government's response to the COVID-19 pandemic, the OAIC's assessment powers were expanded to conduct an assessment of whether the acts or practices of an entity or a state or territory health authority comply with Part VIIIA of the Privacy Act in relation to COVIDSafe app data.
- Digital health: The OAIC finalised four assessments and initiated a further assessment with two targets in relation to health information and the My Health Record system.
- Telecommunications service providers: The OAIC also reviewed information security obligations under APP 11 in respect of Telstra, Optus, Vodafone and TPG.
Submissions and advice
The OAIC made a total of 22 submissions in 2019-2020, including to:
- the Australian Competition and Consumer Commission in relation to BP Rewards, Qantas Frequent Flyer and Qantas Business Rewards loyalty programs;
- the Senate Standing Committee on Legal and Constitutional Affairs regarding the Inquiry into the provisions of the Anti-Money Laundering and Counter-Terrorism Financing and Other Legislation Amendment Bill 2019;
- the Department of Health in relation to the Exposure Draft: Health Legislation Amendment (Data-matching and Other Matters) Bill 2019; and
- the Australian Government regarding the Digital Platforms Inquiry final report.
More insights in 2020?
The OAIC is making full use of its powers and responsibilities with respect to privacy regulation, and we expect to see an even more proactive approach by the privacy regulator moving forward. As the OAIC's assessments of entities' privacy compliance progress, we also expect to see more investigatory action, particularly via Commissioner-initiated investigations.
If you are a private sector organisation, a health service provider or a Commonwealth agency that is subject to the Privacy Act, speak to us about how best to implement appropriate privacy and data security strategies to minimise your organisation's risk of a breach, and what steps you can take to proactively deal with your notification obligations should a breach occur.