Welcome to the biggest week in privacy in the ANZ region — IAPP ANZ Summit 2023 week.

As I write this article, the region's privacy pros are jetting into Sydney for the two-day gathering where they will have the opportunity to reconnect with friends and colleagues and share in networking, content and community. By the time you read this, the ANZ Summit will be over, but the excitement for those among the lucky cohort to attend the sold-out event will no doubt linger and help demonstrate to all that this is a must-attend gathering.

Turning to privacy matters, there have been several significant updates from the Office of the Australian Information Commissioner. 

The OAIC commenced civil penalty proceedings in the Federal Court of Australia against Australian Clinical Labs Limited stemming from an investigation of its privacy practices. The investigation, which began in December 2022, arose as a result of a February 2022 data breach of ACL's Medlab Pathology business that was notified to the OAIC in July of that year. 

In a press release, Australian Information Commissioner Angelene Falk alleged that "from May 2021 to September 2022, ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988," adding, "these failures left ACL vulnerable to cyberattack."

The commissioner alleged ACL violated the Privacy Act by failing to take reasonable steps to "protect personal information it holds from unauthorised access," failing to conduct a "reasonable and expeditious assessment" of the breach, and not properly notifying the OAIC of the breach. 

On 19 Oct., around the time of my last submission, the OAIC released its Annual report 2022-23, highlighting the work of the office. Some significant points worth noting:

  • The OAIC saw a 34% increase in privacy complaints, 3,402 total, and finalized 2,576 privacy complaints, up 17% from 2021-22.
  • The OAIC received 895 notifications under the Notifiable Data Breaches scheme, an increase of 5%, and finalized 77% of notifications within 60 days against a target of 80%.
  • The OAIC handled 11,672 privacy enquiries, a 7% increase, and 1,647 freedom of information inquiries, a drop of 15%. 
  • The OAIC received 1,647 applications for review of FOI decisions, down 16% compared to 2021–22, and finalized 1,519 reviews, up 10% from the previous year.
  • The OAIC received 212 FOI complaints, down 2% from 2021-22, and finalized 124, a drop of 44%. The fall in complaints finalized was attributed to a focus on finalizing reviews received in 2018 and 2019.

Finally, in a statement 10 Nov., Commissioner Falk announced she will not be seeking another term as information commissioner and will be stepping down at the end of her current term in August 2024.  

"I am greatly honoured to have led the Office of the Australian Information Commissioner through a time of exponential growth, technological development, heightened community expectations and great domestic and international change in the regulatory landscape. I remain focused on the protection and promotion of privacy and information access rights and ensuring the OAIC is well positioned for the challenges of the future," Falk said.

Earlier this week, the OAIC announced the appointment of Carly Kind as privacy commissioner and Elizabeth Tydd as FOI commissioner. 

I would like to take this opportunity to acknowledge the work of Commissioner Falk and her team over her term, and to thank her for this contribution and for supporting the privacy community as a whole through her regular contributions to IAPP gatherings. The organization is being handed to the next leadership team at a critical time for ANZ privacy.