Keynote Address, iappANZ 2018 Summit
Keynote address by Australian Information Commissioner and Privacy Commissioner, Angelene Falk, at the International Association of Privacy Professionals Australia and New Zealand 2018 Summit in Melbourne
[Note: This is an edited version of the address for web publication]
Good morning privacy professionals, Australia and New Zealand.
I would like to acknowledge the traditional custodians of the land upon which we meet today, and pay my respects to elders past, present and future.
It is a pleasure to be here to open my first iappANZ Summit as Australian Information Commissioner and Privacy Commissioner.
As many of you might already know, I was appointed to the position in August this year, and hasn’t it been a huge year for privacy in Australia and around the world?
This year’s Summit has as its theme “Privacy – Handling the Seismic Shift.” A shift is said to be “seismic” when it is sudden or dramatic, of enormous proportions or having significant consequences. I would be interested in your views as practitioners as to whether this year feels like such a shift. As the regulator, I can tell you that I think the description is apt!
Last week I attended the International Conference of Data Protection and Privacy Commissioners in Brussels. Giovanni Buttarelli, European Data Protection Supervisor, said this:
“…we are now living through a new generational shift in the respect for privacy … driven by the digitisation of almost everything in our economy and services sector, our social relations, politics and government.”
Elizabeth Denham, the UK Information Commissioner, described these times as the “decade of data”.
And from my perspective, following the Facebook Cambridge Analytica incident, I saw Australians witnessing what I describe as the “dawning of digital data”, and all its implications.
2018 marks 30 years since the Australian Privacy Act was enacted, and it has indeed been a landmark year for privacy reform in Australia. The Notifiable Data Breaches scheme and the Australian Government Agencies Privacy Code both commenced earlier this year – two significant reforms providing greater transparency and accountability for personal information handling.
And of course in global developments we saw the commencement of the General Data Protection Regulation in Europe. In the US, California has moved on additional privacy reform, and we have seen increased focus and debate around a comprehensive federal US privacy law from politicians, civil society and industry. Only last week we heard Apple, Facebook and Google indicating support for such a law in front of hundreds of data protection authorities and thousands of privacy practitioners in Brussels.
And as our interconnectedness continues to grow as a result of global data flows across digital economies, the necessity of global regulatory cooperation is reinforced. That is why I am very pleased to have been elected to the Executive Committee of the International Conference of Data Protection and Privacy Commissioners last week and I would like to thank the New Zealand Privacy Commissioner John Edwards, who is here today, for his support in that regard.
My office is focused on promoting privacy protection, preventing privacy breaches, detecting areas of risk, and providing remedies. This morning I would like to take you through how the OAIC’s implementation of the NDB scheme and the Australian Government Agencies Privacy Code achieves these objectives. I will also touch on other key privacy developments and cases. And I’ll share some regulatory priorities and thoughts on where to next.
Notifiable Data Breaches and international trends
First the Notifiable Data Breaches scheme.
At its core, the scheme’s purpose is to increase transparency and accountability. It ensures that individuals are made aware when their personal information is caught up in a data breach and serious harm is likely to result. And through the requirement to notify the OAIC, we help ensure entities contain breaches and put in place steps to prevent reoccurrence, and we become alert to systemic issues. The requirement to notify is also a strong motivator to improve security practice.
The scheme has now been in force since the end of February, and I released the latest quarterly statistics report earlier this week.
The purpose of these reports is to build a picture of the trends in personal information security risks.
This insight allows for more targeted and effective prevention. Our aim is to help elevate the security posture across the economy. This is a regulatory priority.
And we are already seeing some consistent trends.
245 data breach notifications were made to my Office between July and September this year. This is comparable to the previous quarter, from April to June, when we received 242 notifications.
Globally, there has been a significant increase in activity.
Prior to the introduction of the GDPR, the UK Information Commissioner’s Office received fewer than 400 notifications per month. In June, immediately after the GDPR commenced on 25 May, they received 1,700 notifications.
Canada’s public sector saw a 49 per cent increase in notifications last financial year.
And as of today, November 1, Canada’s private sector is also subject to mandatory privacy breach reporting requirements, so inevitably we expect their notifications to increase further.
There are other insights we can draw from the quarterly reports, beyond raw notification numbers.
Most data breaches reported to the OAIC involved the personal information of fewer than 100 individuals.
Consistent with international trends to date, the health care sector was the top sector reporting data breaches. This is a regulatory priority. We are working with peak bodies to elevate security awareness and practice in that sector.
It is worth noting that all private health care providers are required to notify eligible data breaches; the 3 million dollar annual turnover threshold that applies to other organisations does not apply to them.
This was followed by the financial services sector, the legal and accounting services sector and then the education sector.
In terms of the causes of eligible data breaches, we have seen a steady trend emerge since February.
57 per cent of data breach notifications we received last quarter were caused by malicious or criminal attacks compared to 59 per cent in the April to June quarter.
37 per cent of notifications were the result of human error, a slight increase from 36 per cent the previous quarter. And six per cent were the result of a system fault, up from five per cent.
The dominant theme is the human factor.
The majority of malicious or criminal breaches reported were cyber incidents that resulted from compromised credentials - that is, stolen usernames and passwords.
This usually involves someone being phished or otherwise tricked into handing over their login details.
The most common human error was sending emails containing personal information to the wrong recipient.
The human element is also evident in other jurisdictions.
In the UK, the majority of data breaches were the result of cyber incidents, again with people being tricked into handing over their credentials.
In the Netherlands, the most common cause was accidentally sending personal information to the wrong recipient.
This is the first key lesson we can take away from the NDB scheme – that an organisation may significantly reduce risks related to personal information handling by addressing the human factor.
Organisations need to promote staff awareness about secure information handling – and look for technological solutions that will assist staff.
This could include multi-factor authentication and system requirements that force users to choose a strong password that must be changed regularly.
The second lesson is the value of having an effective data breach strategy.
The faster a data breach can be identified and contained, the lower the costs to customers and the organisation.
My office has published a guide to the regulatory requirements and expectations for best practice data breach response.
It is titled ‘Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act’ and is available on the OAIC’s website.
It provides a valuable resource for any staff member involved in compliance and risk management.
Recent notifications have also highlighted the importance of considering how organisations will work with third parties if a breach involves jointly-held personal information.
An example of this was the PageUp data breach, which affected dozens of organisations.
The NDB scheme contains a number of mechanisms to avoid duplicate obligations, so that compliance by one entity will also be taken as compliance by each of the entities that hold the information.
A major learning from our NDB reports is the need to establish clear procedures for compliance when multiple entities are involved.
This includes considering communication processes for suspected breaches, how an assessment will be conducted, and the responsibility for containment, remediation and notification. This can be achieved through contractual measures.
Complaints and investigations
As I mentioned, more and more countries around the world are formalising data breach assessment and notification obligations by making them a legal requirement.
This has elevated community expectations and awareness.
We see the heightened community awareness in the increased number of complaints being made to my Office.
In 2017-18, the OAIC received almost 3,000 privacy complaints [2,947], which is an 18 per cent increase on the previous financial year. We also closed more than 2,700 privacy complaints [2,766], up 11 per cent, in an average time of 3.7 months, down from 4.7 months through taking an early resolution approach.
And representative complaints can also be made to my office.
Earlier this year the previous Commissioner determined a representative complaint in the Cbus superannuation matter, which involved the use of secondary information without consent.
Cbus was ordered to issue an apology and change its processes.
Of note, compensation was not ordered in this matter, without evidence of harm being suffered as a result of the breach.
This is a key learning from the representative complaint – that there does need to be actual proof of loss or damage for compensation to be awarded.
We are currently handling another representative complaint involving the Department of Home Affairs. In 2014, there was a data incident that involved the details of nearly 10,000 people in immigration detention. We have had an extended period of time this year for individuals to provide their evidence of loss.
We have also received a representative complaint against Facebook.
The Privacy Act also enables me to initiate investigations into possible privacy breaches on my own initiative. In 2017-18, my Office conducted preliminary inquiries or commenced investigations in relation to 21 matters.
One remedy that is available is the power to accept an enforceable undertaking offered by a respondent.
In March, the OAIC accepted an enforceable undertaking from the Department of Health, after a Medicare and Pharmaceutical Benefits Schedule dataset was published online for third-party research purposes.
This enforceable undertaking requires an independent external review of the Department of Health’s policies and procedures for compliance with Australian Privacy Principles 1 (systems and processes) and 11 (security) for the release of data based on personal information. A follow-up audit and report on the adequacy of the Department’s implementation and response to any recommendations made is also required.
There has been some criticism of regulators using enforceable undertakings following the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
It is a tool that has been effectively used by the OAIC and one that I will continue to use in appropriate circumstances.
An enforceable undertaking can require organisations to undertake a third party review of their processes, learn from them and change them.
This not only mitigates compliance risks, but also provides a vehicle for organisations to consider how to best meet community expectations.
I also have the power to seek civil penalties in the Federal Court of up to $2.1 million per breach.
This would be in circumstances of repeated or serious breaches of privacy.
This could include a history of repeated interferences with privacy or a one-off serious privacy breach.
As Commissioner, my focus is on ensuring the OAIC regulates effectively through preventing, detecting and remedying interferences with privacy. Part of this is to ensure we are connected and informed by our international and domestic landscape.
In April, I opened a formal investigation into Facebook following confirmation that the information of over 300,000 Australian users was potentially misused.
I am conferring with international authorities about the case, particularly the UK Information Commissioner’s office.
Last week, the ICO confirmed a fine of 500,000 pounds against Facebook ‒ the maximum possible penalty under the UK law at the time the activity occurred.
Under the GDPR, potential fines increase significantly to 20 million euros or four per cent of annual global turnover – whichever amount is greater.
The UK Commissioner commented that a company of Facebook’s size and expertise should have known better and it should have done better.
Whatever the outcome of my investigation under Australian law, I think it has certainly elevated the awareness and expectations of privacy across the digital world.
In particular, the community’s desire to understand how their personal information may be subsequently used and disclosed, and for what purposes.
That has ramifications, not only for me as a regulator, but for all of you in terms of the way in which you handle personal information and the expectations of your clients and the community.
Government Agencies Code
Our regulatory approach will continue to be evidence-based and proportionate.
We are also focused on engaging constructively with stakeholders, including organisations and agencies.
Over the past year we’ve provided more advice to government, business and the community than ever before.
Part of that is our work to implement and administer the NDB scheme, as I mentioned earlier.
It also relates to our work to support the implementation of the Australian Government Agencies Privacy Code which commenced in July this year.
The Code sets out specific requirements and key practical steps that agencies must take as part of complying with Australian Privacy Principle 1.2 (APP 1.2). It requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.
The OAIC has developed a very useful resource to help agencies assess the current state of their privacy practices and set privacy goals and targets. It is called the ‘Interactive Privacy Management Plan’ and is available on our website.
While the Code currently only applies to Government agencies, I believe this is an excellent resource for all organisations. The requirements of the Code are a good indicator of my expectations for businesses, especially in regard to privacy by design.
The Code particularises the concept of building in privacy, which is reflected in Australian Privacy Principle 1. And you will note synergies with the GDPR.
What is also clear is the need for ongoing privacy consideration throughout the evolution of products and services.
We saw this recently when Facebook discovered a vulnerability in their code that impacted their ‘View As’ feature, allowing attackers to steal Facebook access tokens, which they could then use to take over people’s accounts.
Privacy by design should not just be undertaken at the start of a new project.
It requires continuous and ongoing consideration of the impact on personal information holdings.
Consumer Data Right and Digital Platforms Inquiry
As technology continues to change, building in privacy by design will increasingly require a multi-disciplined approach.
This is especially relevant in relation to the new Consumer Data Right.
My office is working closely with the ACCC to develop the Consumer Data Right framework. The Consumer Data Right will enable individuals to transfer their data to accredited recipients through a secure means and by consent.
We are also preparing to implement additional regulatory functions under that scheme.
There are of course synergies between consumer and privacy laws.
For instance, collection of information under the Privacy Act must be by fair and lawful means, while the Australian Consumer Law makes misleading or deceptive conduct unlawful.
There are also similar issues that surround the need for informed consent about how information is being collected and used, and whether a consumer contract is unconscionable or misleading.
This calls for greater cooperation between regulators as these two regimes start to converge globally.
We are seeing it in Europe and we may also see it in the United States, where as I said, there is talk of a new uniform national privacy law.
If that comes to fruition, it would sit alongside the well-established consumer protection regime in the US, and could provide for positive transparency, accountability and security obligations relating to personal information, as well as privacy rights and remedies for individuals.
Consumer protections on their own are not enough.
Privacy and consumer protection regimes both need to be used in conjunction to efficiently and effectively protect the public interest.
As privacy practitioners, we need to recognise this and anticipate how regulation might develop.
It is no longer enough to be an expert in the Privacy Act or the GDPR – practitioners need a broader understanding of consumer and other legislative regimes.
The common concept of fairness, whether it is in relation to the collection of data from a privacy perspective or consumer protections, illustrates that compliance with the law can also have reference to notions of ethics, and where we draw the line.
I believe this is one of the most important privacy issues of our time and it was clearly articulated by the European Data Protection Supervisor in Brussels last week.
Giovanni Buttarelli described us as being at a “tipping point for our digital society”. He called for a sustainable code that will define our values into the future.
These ideas of right and wrong, fairness and unfairness, relate directly to Australian Privacy Principle 3, which governs the collection of personal information. And to what is meaningful consent. These are regulatory priorities.
I think we all need to consider – what does the fair collection of data look like in the new digital context of pervasive technologies and algorithmic non-transparency? And how can we support individuals including vulnerable groups like children, in the context of complex data flows? I will be focusing on these issues. I am interested in exploring the role certifications, trust marks or seals could play to support innovation, competition and better privacy practice. I’m also interested in whether we can develop a common language to assist individuals to understand and make informed decisions around the handling of their personal information.
The practical application of concepts of fairness and the role of consent will be central to the future of privacy in Australia. It is a key issue that unites my regulatory priorities and, accordingly, I also think it should be a key focus point for every organisation moving forward.