10 May 2023

The Office of the Australian Information Commissioner (OAIC) and the New Zealand Office of the Privacy Commissioner (OPC) today commenced a joint investigation into the personal information handling practices of the Latitude group of companies (Latitude[1]).

This decision follows preliminary inquiries into the matter by both offices. This is the first joint privacy investigation by Australia and New Zealand and reflects the impact of the data breach on individuals in both countries.

The investigation will allow the efficient use of both agencies’ resources and reduce the regulatory impact on Latitude. It does not preclude the OAIC and OPC reaching separate regulatory outcomes or making separate decisions regarding the most appropriate regulatory response to a breach.

The OAIC investigation will focus on whether Latitude took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.

The investigation will also consider whether Latitude took reasonable steps to destroy or de-identify personal information that was no longer required.

If the investigation leads to a finding that Latitude has breached one or more of the Australian Privacy Principles, then the Australian Information Commissioner and Privacy Commissioner may make a determination that can include requiring Latitude to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage. If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $50 million for each contravention.

Given that the breach may involve sensitive information, we remind any Latitude customers affected that they may seek assistance through Latitude’s helpline.

In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.

[1] The Latitude group of companies includes:

  • Latitude Financial Services Australia Holdings Pty Ltd
  • Latitude Finance Australia
  • Latitude Personal Finance Pty Ltd
  • Latitude Automotive Financial Services Pty Ltd
  • Hallmark General Insurance Company Ltd
  • Hallmark Life Insurance Company Ltd.

About OAIC Commissioner-initiated investigations

The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1 under section 40(2) of the Privacy Act 1988.

Preliminary inquiries will continue with Latitude regarding compliance with the Notifiable Data Breaches scheme.

Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.

See the Office of the Privacy Commissioner New Zealand’s media release.