Own motion investigations
The discussion of the Privacy Commissioner’s powers to enforce compliance with the Privacy Act focuses on the Commissioner’s power to commence, on the Commissioner’s own motion, an investigation into an act or practice that may be an interference with privacy. This own motion investigation power complements the Commissioner’s power under the Privacy Act to investigate complaints. A significant limitation on the Commissioner’s own motion investigation power, however, is the inability to prescribe or enforce remedies where the Commissioner finds that an agency or organisation has contravened the privacy principles. The ALRC recommends that the Privacy Commissioner be empowered to impose remedies where he or she finds a breach of the principles following an own motion investigation.
Strengthening the enforcement pyramid
This discussion also considers whether further remedies or penalties need to be available under the Act to enforce compliance. The ALRC recommends that civil penalties be introduced for serious or repeated interferences with the privacy of an individual. This recommendation is intended to strengthen the overall enforcement pyramid underpinning the Privacy Act, and should provide strong incentives for increased compliance by agencies and organisations.
It is crucial that there be an element of public enforcement in the OPC’s regulation of privacy, consistent with Parliament’s expectation that the Commissioner ‘be the means by which there will be accountability to the public on the use by government of their personal information’. This expectation applies equally to the use of personal information by organisations.
A clear enforcement policy that outlines what the OPC’s usual response to a particular type of breach will be, and how that response can be addressed—such as by evidence of a good internal compliance program—can provide incentives for agencies and organisations to put in place those mitigating practices. Such a policy also allows the regulator to distinguish between agencies and organisations that are genuinely trying to comply and those that are not. The regulator can then adopt enforcement responses that send a strong message of general deterrence to the regulated community. This is likely to encourage agencies and organisations to keep complying (or at least keep trying to comply), as they will realise that non-compliance, combined with no effort to comply, will attract strong sanctions from the regulator.
Consistent with the compliance-oriented regulatory design underpinning the Privacy Act, the OPC should implement a compliance policy that adopts an explicit enforcement pyramid approach to restoring compliance with, and enforcing, the Privacy Act. The OPC should use, and should be seen to be using, a wide range of strategies to ensure compliance with the Privacy Act, recognising the benefits of specific and general deterrence that can be generated by a transparent, balanced and vigorous enforcement approach.
Data breach notification
The security of personal information is a growing concern in privacy regulation around the world. One regulatory response to the increasing number of data breaches has been to require agencies or organisations to notify individuals affected where there has been an unauthorised acquisition of personal information.
The ALRC considers the rationale behind mandatory reporting of data breaches, and examines some of the models for data breach notification laws. The key issues considered are the triggering event, the general exceptions to notification and the scope of the responsibility to notify.
New data breach notification provisions
There is a strong regulatory justification for introducing a requirement for agencies and organisations to report data breaches to individuals affected and to the OPC. The ALRC recommends a model where notification would be required if specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual. In determining whether there is a real risk of serious harm, consideration should be given to whether the information was encrypted adequately and whether the breach was internal and there was no further disclosure. Notification is not required where the Privacy Commissioner does not consider that it would be in the public interest. To provide strong incentives for compliance with the data breach notification provisions, the ALRC recommends that failure to notify the Commissioner of a data breach attract a civil penalty.