We are in the midst of an ever-changing digital ecosystem where mischievous bad actors constantly test the resilience of personal and organizational data management practices. State actors equipped with the most advanced, malicious technology and methods are putting individuals, companies and governments under immense pressure to secure their assets and upgrade security and governance frameworks.
Within this context, the Office of the Australian Information Commissioner was created in 2010 to bring together federal information regulation, oversight and enforcement — including freedom of information and privacy activities. Since that time, the agency has contracted and expanded with the political tides and now finds itself in a period of critical evolution.
The digital era has shifted into a higher gear with the proliferation of artificial intelligence applications and the development of generative AI platforms. The agency's mandate is determined under Australia's existing Privacy Act 1988, which is showing its age and is generally acknowledged as inadequate to apply to a digital economy.
As we now move closer to the anticipated reform of this legislation it appears the OAIC will finally get the tools and powers it needs to do this job to the standard most Australians expect and deserve. The amendments to the act, which began under the conservative Coalition government and are now moving forward under a Labor government, are a clear demonstration of the bipartisan reality that Australian society cares about its personal privacy. And that both public and private organizations should be held to a higher standard when it comes to the collection, governance and use of citizens' personal information.
During Senate Public Accounts and Estimates Committee hearings in May 2024, the OAIC highlighted significant progress on four major investigations, while initiating seven investigations in the current financial year. The office also noted continued efforts to shift to a more proactive and enforcement-focused regulatory posture.
More tangible evidence of the immense challenge facing the regulator is seen through the Notifiable Data Breaches Scheme. In the past 30 months, the OAIC's scheme has received over 2,000 notifications. Some trends emerge from these statistics.
The number of breaches is on the rise with more than 500 reports every six months becoming typical. The sectors seeing most breaches include health care, financial services, insurance, retail and government. Most breaches result from malicious or criminal attacks — 65 to 70% — and human error — 25 to 30%. Where these incidents were cyber in nature, they generally arose through a phishing attack, compromised or stolen credentials or ransomware.
This data is simple to understand and highlights a crucial fact — bad actors who gain access to individual, customer or organizational data are succeeding in using this to steal, disrupt and cause harm to Australians and Australian organizations.
The response to this constant and growing threat is multi-layered — it requires the efforts of the security and cyber community to bolt the doors and lock the gates. It also requires the privacy community to embed a culture of awareness, education and respect for the data of customers and the intellectual property of the organization.
When an organization reaches a level of maturity such that privacy practices become a continuous state of well-being and not simply a regulatory compliance box-ticking exercise — only then will they fulfill their obligations to build and maintain customer trust and safety.
As the professionals on the front lines, your commitment to these values drives the IAPP forward.
Adam Ford is the managing director, Australia, New Zealand, for the IAPP.
