Privacy mid-year review: Regulatory activity in 2023

In the first half of 2023 we witnessed:

  • the launch of a joint investigation into Latitude Finance by the OAIC and New Zealand's Office of the Privacy Commissioner
  • the announcement of a standalone Privacy Commissioner
  • the publication of the OAIC's bi-annual Notifiable Data Breaches Report.

Investigation into Latitude Financial Services

In March 2023, Latitude Financial Services (Latitude) experienced a data breach that affected 7.9 million individuals across Australia and New Zealand.

The following types of personal information about Latitude's customers were compromised (in approximate numbers):

  • 7.9 million driver licence numbers and some personal information (name, address, telephone number and date of birth)
  • 103,000 copies of driver licences or passports
  • 53,000 passport numbers
  • 100 monthly account statements
  • Income and expense information for 900,000 loan applications (including bank account and credit card numbers).

Much of the data was only partially compromised. For example, for only some individuals were the name, address and date of birth compromised together with the driver licence number, and a number of the credit card numbers had already expired.[1]

On 10 May 2023, the OAIC announced an investigation into the Latitude Group, together with the New Zealand Office of the Privacy Commissioner. This is the first joint privacy investigation by the Australian and New Zealand privacy regulators.

Standalone Privacy Commissioner

On 3 May 2023 the Attorney-General, the Hon Mark Dreyfus KC MP, announced that a standalone Privacy Commissioner will be appointed to perform the privacy functions under the Australian Information Commissioner Act 2010 (Cth) (AIC Act).

This will result in a return to a three-Commissioner model of the OAIC, with three standalone statutory office holders:

  • Australian Information Commissioner
  • Privacy Commissioner
  • Freedom of Information Commissioner.

Currently, the Australian Information Commissioner, Ms Angelene Falk, holds a dual appointment as the Privacy Commissioner under the AIC Act.

The new standalone Privacy Commissioner appointment ties in with the Federal Government's budget allocation of $45.2m over four years from 2023–24 (and $8.4m per year ongoing) for stronger privacy protection and enforcement. This funding is primarily allocated to the OAIC to support the standalone Privacy Commissioner appointment, progress investigations and enforcement, and enhance its data and analytics capability. This initiative will drive a stronger focus on board oversight of data governance.

The Federal government's commitment to privacy is notable given the 46% increase in malicious attacks cited in the OAIC's latest Notifiable Data Breaches Report.

Notifiable Data Breaches Report July to December 2022

On 1 March 2023 the OAIC published the Notifiable Data Breaches Report covering the period July to December 2022 (the NDB Report).

The key findings in the NDB Report include:

  • a 26% increase in notified breaches
  • a 41% increase in malicious or criminal attacks resulting in data breaches
  • a 5% decrease in breaches caused by human error
  • the health sector experienced the most breaches, closely followed by the finance sector
  • the most common type of compromised personal information was contact information
  • 88% of breaches affected 5,000 individuals or fewer
  • 71% of entities notified the OAIC within 30 days of being aware of a data breach.

The NDB Report provides a useful snapshot of the types and scale of data breaches affecting APP entities. It also provides useful scenarios, guidance and insights into the OAIC's regulatory approach. Again, the OAIC reinforces the importance of:

  • implementing the Australian Cyber Security Centre Essential Eight mitigation strategies for protection against online threats
  • having a data breach response plan in place that incorporates the Notifiable Data Breaches Scheme requirements, and
  • timely notification.

Given the OAIC's increased powers to enforce compliance with the Notifiable Data Breaches Scheme, implementing systems and processes to ensure timely notification to the OAIC and affected individuals of a data breach will be vital to reduce the risk of regulatory intervention in the midst of a data breach.

[1] Latitude Financial, Latitude Cyber Response: Information, updates and support for those affected