Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Article by Australian Information Commissioner and Privacy Commissioner in The Australian

Human error and deception. Compromised credentials. One-off incidents.

This is the reality of most data breaches notified to the Office of the Australian Information Commissioner since mandatory reporting began in February.

Unlike the “serial offending corporates” portrayed in the Australian Technology section last week, the statistics highlight the human factor in data breaches.

At a time of heightened awareness of privacy, the community expects those entrusted with their personal information to act as ethical stewards. They also expect regulators to take action to prevent, detect and remedy their issues.

Our focus as privacy regulator has always been to deliver tangible outcomes for individuals affected by breaches of the Privacy Act.

Each year we receive close to 3,000 complaints from individuals. These are resolved through a range of approaches, including conciliation and determination. These outcomes frequently involve compensation, and drive improvements to privacy practice.

Our frontline staff assisted the public with almost 20,000 enquiries about privacy in 2017-18, and we audit a range of industries and agencies for compliance with the Privacy Act.

We apply our resources strategically to probe major incidents, including our ongoing commissioner-initiated investigation into Facebook.

Our work has led to enforceable undertakings which have proven highly effective in driving systemic change within organisations where personal information practices have been deficient.

Above all, we take an evidence-based and proportionate approach, and we will not shy away from using the full range of our regulatory powers. That includes seeking civil penalties of up to $2.1 million per privacy breach through the Federal Court.

Privacy by design is critical to achieving compliance with the Privacy Act. This means embedding privacy from the top down to achieve best practice and cultural change. This requires a senior executive to act as privacy champion, a privacy management plan and privacy impact assessments to guide product development and day-to-day business.

It also demands customer communications about privacy issues that are transparent and meaningful, and allow an individual’s consent to be informed and freely given.

Businesses handling personal information should be considering the ethical implications of their practices, and whether they line up with community expectations. Increasingly, privacy is not just a compliance issue – it’s about the bottom line.

Our 2017 Australian Community Attitudes to Privacy Survey found 58 per cent of people have decided to avoid dealing with a private company because of privacy concerns. Last week, the HP Australia IT Security Study found 46% of small to medium Australian businesses surveyed said customers were increasingly opting out of data collection and sharing.  

Regulatory developments both here and overseas ‒ such as our Notifiable Data Breaches scheme, the Australian Government Agencies Privacy Code and the EU’s General Data Protection Regulation ‒ are also requiring greater transparency and accountability.

Australia’s Notifiable Data Breaches scheme has the goal of ensuring that organisations notify affected individuals so they can take steps to minimise the risk of serious harm. It also holds entities accountable to their customers.

We help ensure breaches are contained and remedial action is taken, and we report quarterly on common causes to help regulated entities take preventative action.

Along with human error ‒ such as emailing the wrong person or losing documents ‒ compromised credentials are a key cause of the data breaches reported so far.

Whether to address the risk of a phishing incident or an insider threat (like the Westpac breach mentioned in the Technology section last week), all businesses handling personal information need a data breach response plan. This should outline steps to contain, assess, notify and mitigate the risk of serious harm.

We also identify serious and systemic issues which require further investigation – and we will continue to take proactive regulatory action where required. 

For more information about the OAIC’s role see our Annual Report at