Medibank

takes civil penalty action against Medibank

Retrieved on: Wednesday, June 12, 2024

Published 5 June 2024. The Australian Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to its October 2022 data breach.

Key Points: 
  • In the financial year ending June 2022, Medibank generated a revenue of $7.1 billion and an annual profit of $560 million.
  • For these proceedings, the Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of section 13G (as per the penalty rate applicable from March 2021 to October 2022).
  • Whether a civil penalty order is made and the amount are matters before the court.

Queensland Privacy Awareness Week 2024 launch

Retrieved on: Tuesday, May 28, 2024

Published 7 May 2024

Key Points: 


Read the keynote address prepared for delivery by Privacy Commissioner Carly Kind for the Office of the Information Commissioner Queensland Privacy Awareness Week launch event on Tuesday 7 May 2024.

Introduction

  • This shaped fundamentally how I came to understand abuses of state power and the importance of human rights law.
  • Over time, I came to understand that the right to privacy is a key means by which power is mediated, limited and expressed.
  • Infringements into privacy were one way in which power was exercised over individual journalists, activists and advocates.

Privacy is about power

  • Notions of power cut in every direction in the digital ecosystem – the power wielded by tech monopolies and duopolies; the power concealed in political microtargeting and misinformation campaigns; the lack of power and agency consumers feel when they’re using digital technologies.
  • The result is that today we see increasingly high levels of interest in and value placed on personal and data privacy.
  • ‘You have zero privacy anyway’, said Scott McNealy, ‘Get over it.’ In the same year, Pew Research surveys showed that only 16% of online users were worried about privacy.
  • If we compare that to today, a study also by Pew Research shows much, much higher levels both of privacy literacy and privacy concerns.
  • Of course, there is even now draft privacy legislation under contemplation in the US, a jurisdiction historically adverse to federal privacy legislation, and it seems possible that the country will enact a privacy law before the end of the year.

Privacy Awareness Week

  • It is against this backdrop, then, that we celebrate Privacy Awareness Week.
  • This year, awareness of privacy is higher than ever before, arguably.
  • We would also like to see government power up privacy Australia-wide by introducing the reforms to the Privacy Act that are so overdue.

Law reform

  • It is an especially ideal time for businesses and government agencies covered by the Commonwealth Privacy Act and Queensland public sector agencies to power up existing privacy practices and culture, in advance of privacy law reform.
  • The Australian Government responded in September, agreeing or agreeing in principle to all but 10 of the 116 proposals for reform.
  • The federal Attorney-General shared last week that at the request of the Prime Minister, he will bring forward legislation in August to overhaul the Privacy Act.
  • We see the positive obligation that personal information handling is fair and reasonable as a new keystone of the Australian privacy framework.

Privacy and technology

  • In that role, I thought a lot about the role of data privacy regulation and regulators in grappling with new and emerging technologies, particularly AI.
  • Online privacy and high privacy impact technologies, including practices involving the use of generative AI, facial recognition and the use of other biometric information, are also high on our regulatory priorities.
  • The OAIC also has ongoing investigations into the use of facial recognition technology by Bunnings Group Limited and Kmart Australia Limited.
  • We’ve also begun scoping what other new and emerging technologies might create privacy risks and harms that warrant our intervention.
  • These all go to accountability – and there’s good reason to do them and show privacy leadership.

Data breaches and security

  • Since the Commonwealth’s Notifiable Data Breaches scheme began in 2018, the OAIC has been notified of around 5,800 data breaches.
  • There are high levels of public concern about data security as a result of the number and scale of recent breaches, and a strong appetite in the community for organisations and agencies to be held accountable.
  • Mandatory reporting of breaches strengthens the protections afforded to everyone’s personal information and improves accountability and transparency in the way organisations respond to serious data breaches.
  • Around 40% of data breaches notified to the OAIC have been the result of cyber security incidents.

Conclusion

Amwell Expands Presence in Australia with Amplar Health Partnership

Retrieved on: Wednesday, February 21, 2024

Amplar Health partnered with Amwell to support delivery of its prevention programs to reach more Australians at risk of chronic disease.

Key Points: 
  • Medibank customers will be the first to benefit from the Amplar Health and Amwell partnership, gaining access to a lifestyle management program that will launch soon.
  • Amplar Health will also be an Australian reseller of Amwell Automated Care and the SilverCloud® by Amwell® platforms and embed the technology in its prevention programs and services.
  • “Through our partnership with Amwell, we’re providing innovative resources and support that can help improve health literacy and facilitate better health outcomes for Australians.

Annual report highlights ’s work to uphold privacy and information access rights

Retrieved on: Sunday, October 29, 2023

Releasing the OAIC’s annual report for 2022–23, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the volatile events of the financial year had underscored the need for the regulator to have the right foundations in place to promote and protect information access and privacy rights.

Key Points: 
  • “Throughout the year, the OAIC has continued to develop and advocate for these foundations to support a proportionate and proactive approach to regulation.
  • This includes appropriate laws, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and, importantly, collaboration,” Commissioner Falk said.
  • Investigations were also opened into the personal information handling practices of retailers Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.
  • “The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.”
    Read the OAIC Annual report 2022–23.

Key 2022–23 statistics

Footnotes


[1] During 2022-23, the OAIC ceased classifying certain communications about FOI as ‘enquiries’ where these are more complex, or require a specific response, and are therefore dealt with by the FOI Branch instead of the OAIC’s enquiries team. This has reduced the numbers of FOI enquiries reported this financial year.

Beyond the PwC scandal, there’s a growing case for a royal commission into Australia’s ruthless corporate greed

Retrieved on: Thursday, September 28, 2023

‘Untouchables’ and ‘troublesome practice matters’

Key Points: 
  • Switkowski found PwC Australia’s culture and governance practices were so weak they led to “integrity failures”.
  • This makes it reasonable to ask whether a culture of ruthless profiteering has infiltrated Australian corporate cultures across the board.
  • After the consultants have been dealt with, there is a case for a royal commission into whether Australia’s entire corporate sector is meeting its responsibilities.

Eftsure Releases Comprehensive Guide on How Effective Financial Controls Can Mitigate Cyber Fraud

Retrieved on: Tuesday, September 26, 2023

"One part of that approach should be strengthening internal controls and ensuring that digital fraud prevention is built into finance processes."

Key Points: 
  • To help businesses strengthen those controls, Eftsure has released a comprehensive guide for finance leaders.
  • The Financial Controls Guide walks through a collaborative, multi-functional approach for assessing, upgrading and correcting an organisation's financial processes.
  • As owners of these processes, Chazan says that Chief Financial Officers (CFOs) are in the best position to drive stronger anti-fraud controls.

A national digital ID scheme is being proposed. An expert weighs the pros and (many more) cons

Retrieved on: Monday, September 25, 2023

To address such costs, the federal government is proposing a national digital identity scheme that will let people prove their identity without having to share documents such as their passport, driver’s licence or Medicare card.

Key Points: 
  • Finance Minister Katy Gallagher opened consultations for the draft bill last week, with plans to introduce the legislation to parliament by the end of the year.

What would change?

    • The draft bill package includes strong updates to security requirements for how organisations store people’s IDs, as well as the reporting of data breaches and suspected identity fraud.
    • In her speech to the Australian Information Industry Association, Gallagher outlined a four-phase rollout.

How would it work?

    • To prove your identity to a participating organisation, you would log into the organisation’s website and select MyGovID as your verification method.
    • You would then log into your MyGovID app and give consent for your identity to be verified with that organisation.

The upside of the proposal

    • The Medibank, Optus and Latitude data breaches of 2022-23 have demonstrated the lack of regulation and enforcement of identity protection legislation in Australia.
    • The bill also outlines minimum cybersecurity standards, and requires regular review of organisations dealing with identity data.

Unresolved MyGovID security flaws

    • In releasing the draft bill, the government has highlighted a voluntary national digital identity – the MyGovID – which is already being used by more than 6 million Australians and 1.3 million businesses.
    • In 2020, security researchers warned the public against using MyGovID due to security flaws in its design.
    • According to Webber Insurance, 14 of the 44 recorded data breaches between January and June this year were reported by government authorities.
    • More worryingly, the Privacy Act has a loophole which allows state and government authorities to remain exempt from compulsory data breach reporting.

A honey trap for hackers

    • Also, streamlining distributed identification systems in this way will create an irresistible target for hackers.
    • In cybersecurity this is called a honeypot, or honey trap.
    • Just as honey is irresistible to bears, these data lures are irresistible to hackers.

What can you do?

    • However, you don’t have much time to have your say: public submissions are being sought until October 10.
    • This extremely short consultation period doesn’t provide much confidence a fit-for-purpose solution will be created.

The $500 million ATO fraud highlights flaws in the myGov ID system. Here's how to keep your data safe

Retrieved on: Thursday, July 27, 2023

Most of the payments were for small amounts (less than A$5,000) and were not flagged by the ATO’s own monitoring systems.

Key Points: 
  • The fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people’s tax refunds to their own bank accounts.

How these scams work

    • Setting up a myGov account or a myGov ID requires proof of identity in the form of “100 points of ID”.
    • It usually means either a passport and a driver’s licence or a driver’s licence, a Medicare card, and a bank statement.
    • Once a myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.

How government can improve

    • This ensures salaries, tax and superannuation contributions are all paid at once.
    • Most people who have received a tax refund will have provided bank account details where that payment can be made.
    • Indeed, many people use precisely those bank account details to identify themselves to myGov.
    • If the ATO simply checked with the individual via another channel when bank account details are changed, this fraud could be prevented.

Protecting yourself

    • As long as the ATO only has your bank account number to transfer your tax rebate, this scam does not work.
    • It also helps to protect your Tax File Number.
    • There are only four groups that ever need this number.
    • Most importantly, know your bank will not send you emails containing links, nor will the ATO.

Privacy Management Software Market worth $15.2 billion by 2028- Exclusive Report by MarketsandMarkets™

Retrieved on: Monday, June 19, 2023

The adoption of privacy management software among large enterprises has been significant, driven by several factors related to regulatory compliance, data protection, risk management, and organizational efficiency.

Key Points: 
  • Privacy management software offers numerous benefits for large enterprises as they navigate complex regulatory landscapes, handle vast amounts of data, and manage privacy risks across their organizations.
  • Privacy Management Software Market Advantages:
    Organisations can establish effective data protection procedures thanks to privacy management software.
