The Privacy Commissioner and Own-Motion Investigations into Serious Data Breaches: A Case of Going Through the Motions?

41 Pages Posted: 9 Sep 2015 Last revised: 28 Oct 2015

Jodie Siganto

Independent

Mark Burdon

The University of Queensland - T.C. Beirne School of Law

Date Written: August 20, 2015

Abstract

Data breaches resulting from information security failures continue to be an issue of pressing concern. The Office of the Australian Information Commissioner (‘OAIC’) recognises that data security is a major challenge for organisations. Starting in February 2011, the OAIC commenced a series of ‘high profile’ investigations into alleged data breaches. Each of these investigations was commenced by the Privacy Commissioner (the ‘Commissioner’) with reference to the OAIC’s Own Motion Investigation (‘OMI’) powers. These powers allow the Commissioner to conduct an investigation without any prior complaint being made. The Commissioner heralded the use of OMIs and the subsequent publication of reports as a change in its enforcement approach to ‘particularly serious or high profile privacy incidents’. All of these incidents related to data breaches. The new strategy was partially developed to increase the transparency of the OAIC’s investigation process and to help organisations and agencies to better understand their privacy responsibilities. Surprisingly, the Commissioner’s change in approach has received little scholarly attention given the heightened concern about data breaches and past criticisms of the Commissioner’s failure to pursue a robust enforcement approach. Previous research has focused on the way the OAIC has used its investigation powers generally, with only limited consideration of the use of powers in relation to data breach incidents. This article fills a gap in the current literature and examines the actual investigatory and decision-making procedures adopted in six data breach-related OMIs undertaken between February 2011 and July 2012. They involve a range of different respondents, different types of security incidents and different findings regarding breaches of privacy principles, with a particular focus on National Privacy Principle (‘NPP’) 4. NPP 4 required entities covered by the Privacy Act 1988 (Cth) (‘Privacy Act’) to implement reasonable security measures in order to protect personal information.

JEL Classification: K00

Suggested Citation

Siganto, Jodie and Burdon, Mark, The Privacy Commissioner and Own-Motion Investigations into Serious Data Breaches: A Case of Going Through the Motions? (August 20, 2015). (2015) 38 (3) University of New South Wales Law Journal 1145-1185; University of Queensland TC Beirne School of Law Research Paper. Available at SSRN: https://ssrn.com/abstract=2657959

Jodie Siganto

Independent

No Address Available

Mark Burdon (Contact Author)

The University of Queensland - T.C. Beirne School of Law

The University of Queensland
St Lucia
Brisbane, Queensland 4072
Australia

HOME PAGE: http://law.uq.edu.au/academic-staff/staff.php?nm=markburdon
