14 November 2022

Remarks by Australian Information Commissioner and Privacy Commissioner Angelene Falk

Check against delivery

Thank you, Michael, and good afternoon everyone.

I would like to begin by acknowledging the Traditional Custodians of the land from which I join you in Sydney, the Gadigal people of the Eora Nation, and pay my respects to their Elders past, present and emerging and First Nations people with us today.

As acknowledged in the description of this session today, the digital landscape presents enormous potential for innovation and reward. But it also presents risks, and we as a society won’t fully realise the rewards unless we deal with the risks.

My number one message today is that companies need to know what these risks are and proactively mitigate them. It’s what the community expects and it’s what we as the regulator expect.

Indeed, the digital economy is a major focus for Australian regulators, and we are constantly considering ways we can continue to work together to comprehensively regulate organisations in a coordinated manner and in order to achieve the best outcome for the community. I will share more on this with you later.

But first, I would like to share what my office sees as three of the biggest risks that corporate Australia needs to manage.

It won’t surprise you to hear the first is data breaches.

The significant impact of recent data breaches on millions of Australians, together with the volume of notifications my office continues to receive, stresses the need for companies to have robust information handling practices and up-to-date data breach response plans.

These are clear areas for ongoing attention.

We see breaches that could have been avoided by companies taking simple steps, such as enabling multi-factor authentication, or training staff on handling information securely and being alert to common tactics used by cyber criminals, like phishing. These are known risks and strategies that my office has brought to the attention of organisations.

We have published detailed statistics on common causes of breaches over 4 years. We expect companies to know the risks and be focused on continually improving systems, processes and your people capability to ensure the security of the personal information of citizens you are entrusted with.

Too often we see organisations are ill-prepared when a breach does occur, because they don’t have a sufficient data breach response plan.

Having a data breach response plan, and regularly testing and revising it, is paramount, as the faster a company responds to a breach, the more likely it is to contain the breach and limit negative consequences, for both affected individuals and for the company.

One area where this is growing in importance is where more than one entity holds personal information that is breached.

We call these multi-party breaches and they are occurring more frequently. They highlight the importance of assigning the roles and responsibilities of each entity in the event of a data breach, upfront.

The second area where we see the potential for significant risk is the over-collection of data.

In the burgeoning digital economy, companies were told data was the new oil and data was currency.

This perception of data risks organisations collecting personal information without carefully considering whether it is actually necessary and without consideration of how to protect it through the lifecycle of holding that information.

Under the Privacy Act, entities must only collect personal information that is reasonably necessary for their functions and activities. There are laws in certain sectors that mandate the collection of certain categories of data. But beyond legal requirements, companies must assess what’s reasonable in the circumstances and should not be collecting data just because it may be useful in the future.

Recent high-profile data breaches have highlighted the risks of holding rich data sets. It’s also resulted in a shift in some of the language used around data; indeed I’ve seen data likened to asbestos and uranium in recent weeks.

Collecting more data than is necessary may increase the risk of harm to an individual in the event of a data breach, and trigger your notification obligations under the Notifiable Data Breaches scheme.

By collecting more data you may also be inadvertently creating a honeypot for malicious actors, increasing the risk of a data breach.

The third risk is being out of touch with the community’s expectations with regard to their personal information.

Information privacy has come of age, in part due to the COVID-19 pandemic which spotlighted it as a critical issue.

We have an increasingly privacy-aware community. We have recently seen the high level of community concern about the protection of their personal information. Even before that, privacy was steadily increasing as a factor in purchasing decisions.

There is a high cost for those companies found not to be trusted custodians of Australians’ personal information, while companies that have strong privacy foundations can make privacy part of their competitive advantage.

That brings me to my office’s role as the regulator.

Our focus is identifying how we can prevent problems from arising in the first place and enable the regulated community to be proactive.

That also brings me to privacy law reform and the review of the Privacy Act by the Attorney‑General’s Department that’s underway.

Many of our recommendations to the Privacy Act review seek to shift the focus to proactive obligations on businesses, with the regulator as the backstop.

For example, among our key recommendations is the introduction of a baseline standard that all personal information handling is fair and reasonable. This would shift the conversation from ‘can we?’ towards ‘should we?’

Good organisational accountability goes beyond a check-box exercise of compliance.

Companies should do three things:

  1. consider upfront how your information handling practices impact individuals
  2. anticipate potential privacy risks and harms
  3. and build in privacy by design to mitigate these risks.

But as a regulator, we also need a robust regulatory toolkit that can enable us to achieve the right outcome in the circumstances. We’ve recommended a number of changes to make regulatory and enforcement action more efficient and effective.

So, I welcome the targeted measures in the Privacy Legislation Amendment Bill currently before Parliament, ahead of the broader Privacy Act review, that will enhance my office’s ability to regulate in line with community expectations and protect privacy in the digital environment.

In particular, the increased penalties will help to incentivise compliance and ensure that privacy breaches are not just seen as a cost of doing business.

Of course, another key part of our toolkit is cooperation and collaboration with other regulators – both domestic and abroad – which is more important than ever.

Our work increasingly intersects with that of other regulators around the online environment, including the ACCC, eSafety, the ACMA, APRA, the Office of the National Data Commissioner and others.

A cohesive and seamless view of regulation externally requires purposeful cooperation among regulators. It’s important that we work together to get the best outcome in the public’s interest and prevent harms, and to avoid any unnecessary or inadvertent overlap.

We collaborate and cooperate with complementary regulators through arrangements such as MOUs, forums and co-regulation arrangements.

The Consumer Data Right is a good example of a reform aimed at balancing individuals’ right to control and use their data with strong accountability measures, to enable greater competition, consumer benefits and economic growth.

In that case, the OAIC and ACCC have distinct but complementary roles in regulating the CDR. The ACCC enforces serious or systemic breaches of the CDR and my office is responsible for the privacy aspects of the system, as well as being the primary complaint handler.

We’ve published a joint compliance and enforcement policy, so our approach is clear and transparent to the regulated community.

Another example is the Digital Platform Regulators Forum which the OAIC, ACCC, ACMA and eSafety formed earlier this year.

The forum aims to promote proportionate, cohesive, well-designed and efficient digital platform regulation. We’re collaborating through initiatives such as joint engagement with stakeholders, submissions and advice to government, joint research as well as training and other capacity-building programs.

Our approach to areas where there are synergies is to work in an ‘eyes-wide-open-way’ – to promote information sharing and collaboration; to be purposeful in our regulatory activities while considering other regulators with which our activities may intersect; and to take a consistent approach to regulation, with individuals at the centre.

I look forward to discussing these topics further.