OAIC

Trustifi Launches Geofencing Capabilities in Australia

Retrieved on: Monday, March 4, 2024

The Australia Privacy Act is applicable to all private healthcare providers throughout Australia, including practitioners and private hospitals.

Key Points: 
  • Trustifi now offers geofencing in a range of countries, including the US, Canada, Ireland, Germany, Singapore, Brazil, and Australia.
  • Trustifi MSSP partners who work with global end-customers can easily add Australian geofencing capabilities to their client's security plans with one click via a newly implemented software setting.
  • "Trustifi continues to expand its global footprint, offering easy-to-implement compliance capabilities for our customers in a variety of countries.

OAIC opens investigation into HWL Ebsworth over data breach

Retrieved on: Friday, March 8, 2024

21 February 2024

Key Points: 
  • The Australian Information Commissioner has commenced an investigation into the personal information handling practices of HWL Ebsworth Lawyers (HWLE), arising from a data breach notified to the Office of the Australian Information Commissioner (OAIC) on 8 May 2023.
  • The OAIC’s investigation is into HWLE’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals.
  • In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.
  • Under the Notifiable Data Breaches scheme in the Privacy Act, in certain circumstances organisations are required to take such steps as are reasonable to notify affected individuals of an eligible data breach and do so as soon as practicable.

Data breach report highlights supply chain risks

Retrieved on: Friday, March 8, 2024

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” said Commissioner Falk.

Key Points: 
  • “As the guardians of Australians’ personal information, organisations must have security measures in place to minimise the risk of a data breach.
  • The release of the Notifiable data breaches report comes shortly before the commencement of Ms Carly Kind as Privacy Commissioner on 26 February.
  • Read the Notifiable data breaches report July to December 2023.

Australian Government Solicitor FOI and Privacy Law Conference 2023

Retrieved on: Tuesday, January 2, 2024

1 November 2023

Key Points: 


Read the keynote address prepared for delivery by Australian Information Commissioner and Privacy Commissioner Angelene Falk for the Australian Government Solicitor FOI and Privacy Law Conference on 31 October 2023.
Prepared speech – check against delivery

Acknowledgement of Country

  • I acknowledge and respect their continuing culture and the contribution they make to the life of this city and this region.
  • I also acknowledge and welcome other Aboriginal and Torres Strait Islander people attending today.

Fundamental human rights

  • Both are fundamental human rights.
  • Privacy is recognised in Article 12 of the UN Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, and in many other regional and international agreements.
  • So, access to information is also a fundamental principle that enables us to exercise other rights.
  • Both rights are also challenged by the digital environment, and today I will share how we can stand up to this challenge.

Privacy’s wake-up moment

  • First, I would like to turn to privacy, as it has been a wake-up year for the protection of personal information.
  • The data breaches turned attention to the mass amounts of data that organisations can collect and store, and the risks this creates.
  • We see the increased community’s awareness and experience of privacy issues reflected in the matters to my office.

Community attitudes

  • And we know the community cares about their privacy as they told us in our Australian Community Attitudes to Privacy Survey (ACAPS).
  • ACAPS is a survey we conduct every three years to gain a comprehensive view of Australians’ privacy attitudes and experiences and how recent events have impacted them.
  • Nine in 10 Australians told us they have a clear understanding of why they should protect their personal information.
  • 62% see the protection of their personal information as a major concern in their life.

AI

  • The increasing adoption of AI – including generative AI – could have broad-ranging benefits and risks for Australia’s economy and society.
  • The Australian Government identified AI as a critical technology in the national interest and has several initiatives underway to promote trusted, secure and responsible AI.

Privacy law reform

  • Last month, the Australian Government responded to the Attorney-General’s Department’s proposals for reform to the Privacy Act.
  • Other important developments include enabling individuals to exercise new privacy rights, including an enhanced right to access their personal information and a right of erasure, and take direct action in the courts if their privacy is breached.
  • There are also changes proposed to ensure privacy policies and collection notices are clear and easy to understand, including the development of standardised templates.
  • And the government has agreed in principle that organisations should be required to establish maximum and minimum retention periods for personal information, and specify these in their privacy policies.
  • This will increase the OAIC’s ability to take regulatory action on behalf of the Australian people in a flexible and proportionate way, and to address systemic privacy issues.

Evolution, not a revolution

  • It is a time of change, but I want to emphasise that what has been proposed is an evolution, not a revolution.
  • Because these obligations have existed for government agencies since 2018, we expect most are already at best practice status.

Privacy: how to, not don’t do

  • But one of the key messages that I hope you will leave with today is that privacy shouldn’t be viewed as a compliance exercise.
  • Protecting privacy is about treating an individual’s personal information with respect and care, and remembering you are only its custodian.

Access to information

  • Timely access to information promotes public scrutiny of government policy, participation in democratic processes, and allows individuals and governments to make informed decisions.
  • The FOI Act also seeks to facilitate:
    - providing access to information in effective and efficient ways
    - that government-held information is used for the public’s benefit, as it can inform evidence-based policy making and support innovation.

From compliance to proactive release

  • We advocate for administrative access schemes that provide individuals with fast access to their personal information, without having to make a formal FOI request.
  • A quarter (25%) of FOI requests were granted in full, 52% were granted in part, and 23% were refused.
  • Australians had the most success accessing their personal information and policy and procedural documents held by Australian Government agencies.

Open by design

  • It requires agencies and ministers’ offices to be open by design, or move more to a ‘push’ model where information is proactively provided.
  • The OAIC and our state and territory counterparts established the open by design principles in 2021 to encourage the proactive release of information and promote open government.
  • Implement a best practice open by design approach to proactive disclosure.
  • I would also encourage those involved in the IPS review to use it as an opportunity to look more closely at proactive release in your agency and how it could be improved to foster an open by design culture.

Digital inclusion

  • But in our increasingly digital world, it is imperative that we make government information easily accessible – by all Australians.
  • And in thinking about making information available, and accessible, we must also consider what barriers people may face to digital access and inclusion, and factor these into the work we do at all times.
  • In this digital age, we must ensure that access to government information is not only upheld, but continually improved.
  • The premise of digital inclusion is that everyone should be able to make full use of digital technologies and the benefits they bring, while avoiding their potential negative consequences.

Conclusion

OAIC commences Federal Court proceedings against Australian Clinical Labs Limited

Retrieved on: Tuesday, January 2, 2024

Published: 3 November 2023

Key Points: 
  • The Australian Information Commissioner has commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited (ACL) resulting from an investigation of its privacy practices.
  • The investigation arose as a result of a February 2022 data breach of ACL’s Medlab Pathology business that was notified to the Office of the Australian Information Commissioner (OAIC) on 10 July 2022.
  • ACL’s business centrally involves collecting and holding millions of individual patients’ health information.
  • “Organisations are responsible for protecting the information they hold, including effectively managing cyber security risk,” Australian Information Commissioner Angelene Falk said.

Commissioner Falk to conclude with second term

Retrieved on: Tuesday, January 2, 2024

Published: 10 November 2023

Key Points: 
  • The Australian Information Commissioner Angelene Falk has advised the Attorney-General that after having the privilege of serving two terms she will not be seeking a third term.
  • The Australian Information Commissioner said: “I am greatly honoured to have led the Office of the Australian Information Commissioner (OAIC) through a time of exponential growth, technological development, heightened community expectations and great domestic and international change in the regulatory landscape.
  • I remain focused on the protection and promotion of privacy and information access rights and ensuring the OAIC is well positioned for the challenges of the future.”
    Commissioner Falk said the move to a three Commissioner model marked an exciting chapter for the OAIC.
  • The Attorney-General’s Department has advertised the position ahead of the conclusion of the Australian Information Commissioner’s term in August 2024.

Digital platform regulators release working papers on algorithms and AI

Retrieved on: Tuesday, January 2, 2024

23 November 2023

Key Points: 
  • The Digital Platform Regulators Forum (DP-REG) has published working papers on algorithms and the large language models (LLMs) used in generative artificial intelligence (AI) to mark the launch of its website.
  • Each member contributed to the working papers, reflecting DP‑REG’s purpose to promote a streamlined and cohesive approach to the regulation of digital platform technologies in Australia.
  • The papers support DP-REG’s 2023–24 strategic priorities, which include a focus on understanding the impact of algorithms and evaluating the benefits, risks and harms of generative AI.
  • Working Paper 1: Literature summary – Harms and risks of algorithms considers the harms and risks posed by some commonly used types of algorithms to end-users and society.

Representative complaints update

Retrieved on: Tuesday, January 2, 2024

Published: 13 December 2023

Key Points: 


The OAIC has received multiple representative complaints following the major data breaches.
As at the date of publication, the Australian Information Commissioner (AIC) has accepted two representative complaints; one against Medibank Private Limited in respect of its October 2022 data breach, the other against Singtel Optus Pty Limited in respect of its September 2022 data breach.

What is a representative complaint?

  • To make a valid representative complaint the requirements of sections 36 and 38 of the Privacy Act must be met.
  • This means that information gathered in the Medibank Commissioner-initiated investigation will be used for the purposes of the Medibank representative complaint.
  • Similarly, information gathered in the Optus CII will be used for the purposes of the Optus representative complaint.

Current court proceedings in respect of the representative complaints

Annual report highlights OAIC’s work to uphold privacy and information access rights

Retrieved on: Sunday, October 29, 2023

Releasing the OAIC’s annual report for 2022–23, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the volatile events of the financial year had underscored the need for the regulator to have the right foundations in place to promote and protect information access and privacy rights.

Key Points: 
  • “Throughout the year, the OAIC has continued to develop and advocate for these foundations to support a proportionate and proactive approach to regulation.
  • This includes appropriate laws, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and, importantly, collaboration,” Commissioner Falk said.
  • Investigations were also opened into the personal information handling practices of retailers Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.
  • “The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.”
    Read the OAIC Annual report 2022–23.

Key 2022–23 statistics

Footnotes


[1] During 2022-23, the OAIC ceased classifying certain communications about FOI as ‘enquiries’ where these are more complex, or require a specific response, and are therefore dealt with by the FOI Branch instead of the OAIC’s enquiries team. This has reduced the numbers of FOI enquiries reported this financial year.