104 Australian orgs report breaches to privacy commissioner
First reporting under new laws reveals plenty of complaints, but also reform under way in government
Australian organisations have voluntarily submitted 104 data breach notifications over the last year, the Privacy Office says.
News of the breach disclosures arrived today, the first anniversary of the country's tougher privacy policies, among reports of 4,016 privacy complaints, a 43 percent increase over the prior year. Australians also made 14,046 inquiries about privacy-related matters over the last year.
Australia's reformed Privacy Act requires organisations to implement better security and information protection regimes for the collection of private consumer data, and threatens penalties of up to AU$1.7 million for serious and repeat breaches.
Privacy Commissioner Timothy Pilgrim says he is pleased with the industry response.
"I’ve been particularly pleased with how organisations and agencies have responded positively to the challenge of implementation," Pilgrim says in a statement.
"This is recognition that good privacy practices are good for business, particularly in building customer trust."
Pilgrim conducted 13 privacy assessments and this year will begin a "targeted" compliance assessment for online privacy policies.
"My message for all organisations and agencies is: it is more effective, and ultimately cheaper, to embed privacy in day-to-day processes than it is to respond to issues such as data breaches as they arise," he says.
The Department of Human Services is undertaking what could be one of the country's largest privacy assessment works under the reforms.
Documents obtained by The Guardian under Freedom of Information detail large-scale reforms including 14 measures identified as of November 2013 as requiring "immediate action" to mend department IT functionality or manual processes that posed "significant compliance risks".
Those changes, if not applied, could result in "significant and or systemic" breaches that could incur penalties of up to $1.7 million.
The Department is still undergoing privacy reforms this year, which are said to allow the collection of personal information to continue.
Broad areas of IT are impacted, including ICT management, applications, and the department's infamous mainframes. Many agencies, including Centrelink, Medicare and Legal Services, are affected.
The documents, which redact the cost of the reforms, indicate most high-risk privacy reforms were slated to be addressed by December last year, with lower-risk areas including forms and letters to be amended according to compliance requirements this month.
Projects include short and long form privacy notices; changes to gather express consent for information collection; the ability to update customer personal information within a month of requests; upgrading shared drives to make updating customer data easier; amendments to policy statements on telephone IVR systems; and unspecified works to SAP deployments.
"The reforms would help demonstrate to customers and the Privacy Commissioner that the Department is pursuing information management best practice," the documents read.
The Department held briefings with general and national managers and with Office of the Australian Information Commissioner Professor John McMillan over two days from April 30, 2013. ®