Published: 3 November 2023
The Australian Information Commissioner has commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited (ACL) resulting from an investigation of its privacy practices. The investigation arose as a result of a February 2022 data breach of ACL’s Medlab Pathology business that was notified to the Office of the Australian Information Commissioner (OAIC) on 10 July 2022. The OAIC’s investigation commenced in December 2022.
The Commissioner alleges that from May 2021 to September 2022, ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988. The Commissioner alleges that these failures left ACL vulnerable to cyberattack.
ACL’s business centrally involves collecting and holding millions of individual patients’ health information. ACL collects other personal information from patients in order to provide test results and issue invoices, such as personal identifying and contact information, and copies of Medicare cards and numbers. ACL generated revenue of $995.6 million in the financial year ending June 2022.
The Commissioner also alleges that following the data breach, ACL failed to carry out a reasonable assessment of whether it amounted to an eligible data breach and then failed to notify the Commissioner as soon as practicable. These are steps it was required to take under Part IIIC of the Privacy Act.
The Commissioner alleges that ACL contravened section 13G of the Privacy Act by reason of the following:
- breaches of Australian Privacy Principle (APP) 11.1(b), which requires an APP entity to take such steps as are reasonable in the circumstances to protect personal information it holds from unauthorised access
- contravention of section 26WH(2), which requires an APP entity to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach and to take all reasonable steps to ensure that the assessment is completed within 30 days
- contravention of section 26WK(2), which requires an APP entity to notify the Australian Information Commissioner of an eligible data breach as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.
The February 2022 data breach resulted in the unauthorised access and exfiltration of personal information, sensitive health information and credit card information of in excess of 100,000 individuals.
“Organisations are responsible for protecting the information they hold, including effectively managing cyber security risk,” Australian Information Commissioner Angelene Falk said.
“We consider that ACL failed to take reasonable steps to protect personal information it held for an organisation of its size with its resources, and considering the nature and volume of the sensitive personal information it handled.
“When a data breach occurs, organisations are responsible for notifying the Office of the Australian Information Commissioner and affected individuals as a way of minimising the risks and potential for harm associated with a data breach.
“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web.
“As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime,” said Commissioner Falk.
- Concise statement [531 KB] (added 28 November 2023)
The Privacy Act includes 13 legally binding Australian Privacy Principles (APPs). The APPs apply to organisations and government agencies covered by the Privacy Act (APP entities).
Under section 13G of the Privacy Act, an APP entity will be liable for a civil penalty if it does an act, or engages in a practice, that is a serious interference with the privacy of an individual.
The Australian Information Commissioner may apply to the Federal Court for a civil penalty order alleging that an APP entity has engaged in serious and/or repeated interferences with privacy in contravention of section 13G. Under current legislation, the OAIC is unable to impose a penalty. Rather, the OAIC must lodge proceedings in the Federal Court.
The Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of section 13G (as per the penalty rate applicable from May 2021 to September 2022). Whether a civil penalty order is made and the amount are matters before the court.
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which commenced in December 2022, increased the maximum civil penalties for a serious and/or repeated interference with privacy for a body corporate to an amount not more than the greater of:
- $50 million
- if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – three times the value of that benefit
- if a court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.
These new penalties will not be applicable to the Australian Information Commissioner’s proceedings against ACL given the alleged conduct occurred before the commencement of the updated penalty provisions.
The OAIC commenced a Commissioner-initiated investigation into ACL in relation to its data breach in December 2022.
In its response to the Privacy Act review report, the Australian Government agreed that section 13G of the Privacy Act, which deals with ‘serious or repeated’ breaches of privacy, should be amended to remove the word ‘repeated’ and clarify that a ‘serious’ interference can include repeated interferences with privacy.
The Australian Government also agreed that a new mid-tier civil penalty provision should be introduced to cover interferences with privacy that do not meet the threshold of being ‘serious’ and a new low-level civil penalty provision for specific administrative breaches of the Privacy Act and APPs should be introduced with attached infringement notice powers for the OAIC with set penalties.