Data breaches resulting from information security failures continue to be an issue of pressing concern. The Office of the Australian Information Commissioner (‘OAIC’) recognises that data security is a major challenge for organisations. Starting in February 2011, the OAIC commenced a series of ‘high profile’ investigations into alleged data breaches. Each of these investigations was commenced by the Privacy Commissioner (the ‘Commissioner’) with reference to the OAIC’s Own Motion Investigation (‘OMI’) powers. These powers allow the Commissioner to conduct an investigation without any prior complaint being made.
The Commissioner heralded the use of OMIs and the subsequent publication of reports as a change in its enforcement approach to ‘particularly serious or high profile privacy incidents’.
All of these incidents related to data breaches. The new strategy was partially developed to increase the transparency of the OAIC’s investigation process and to help organisations and agencies to better understand their privacy responsibilities.
Surprisingly, the Commissioner’s change in approach has received little scholarly attention given the heightened concern about data breaches and past criticisms of the Commissioner’s failure to pursue a robust enforcement approach. Previous research has focussed on the way the OAIC has used its investigation powers generally, with only limited consideration of the use of powers in relation to data breach incidents.
This article fills a gap in the current literature and examines the actual investigatory and decision-making procedures adopted in six data breach-related OMIs undertaken between February 2011 and July 2012. They involve a range of different respondents, different types of security incidents and different findings regarding breaches of privacy principles, with a particular focus on National Privacy Principle (‘NPP’) 4. NPP 4 required entities covered by the Privacy Act 1988 (Cth) (‘Privacy Act’) to implement reasonable security measures in order to protect personal information.
We examine how these investigations were conducted and the basis for the decisions made, including the publication of final investigation reports. Our framework for examination includes the OAIC’s own published guidance as to how it should undertake investigations and publish reports, and generally recognised principles for the exercise of regulatory powers. Part II provides background to the Commissioner’s investigations and interest in data breach cases and then outlines the methodology adopted. Part III details the reasoning behind the OAIC’s investigatory processes including the reasons for undertaking the OMIs, the process of evidence collection, the decision-making process adopted, and the reasons for the publication of final results in OMI reports. Our findings indicate that the investigation process followed in these six cases could be described as high-level, and lacking in both balance and vigour. Part IV then puts forward reasons for the standard of these investigations by critically questioning whether the OAIC had sufficient powers and resources to adequately conduct the OMIs. We also consider whether the Commissioner pursued these OMIs as a means to further the OAIC’s policy agenda regarding the development of a mandatory data breach notification scheme.
We conclude that the OAIC’s decision to conduct these OMIs was to highlight and support its policy interests, without having the requisite resources or powers to conduct the investigations effectively. In other words, in the interests of pursuing a data breach policy agenda, the OAIC seems to have been going through the motions in its data breach investigations.The authors conclude
In terms of the six OMIs reviewed, the selection of the particular cases to investigate (all involving a data breach), the ongoing media engagement highlighting both the investigations being undertaken and the investigation results once available, and the Commissioner’s personal involvement in the decision to publish reports, all suggest that these OMIs were part of a policy imperative to focus on investigating data breach cases. The Commissioner drew the specific link between these investigations and data breach notification in our interview, saying that ‘we are seeing breaches on a large scale’ and that a mandatory reporting scheme was required ‘to give people the ability to know they need to take steps to protect [their personal] information when something goes wrong’.
Based on the above, it could be argued that one of the motivations for undertaking these OMIs and publishing investigation reports might have been to provide further support for the introduction of a mandatory data breach notification scheme, or at the very least, to highlight the issue of data breaches in Australia. This would be consistent with the Commissioner’s stated policy position and may explain why the Commissioner has elected to dedicate increasingly scarce resources to the pursuit of these investigations, in preference to other regulatory activity. It may also explain why the investigations themselves lack the rigour that might otherwise be expected. It is possible that the real purpose for these investigations was to raise the profile of data breaches and to highlight the role of the Commissioner in resolving issues as part of a more general policy imperative. If that is indeed the case, then it is not so important that the investigations themselves be conducted in line with the OAIC’s own guidance or in accordance with general principles for the use of regulatory powers, including the principles of transparency, balance and vigour. ...
Our investigation of the six OMIs suggests that the OAIC’s decisions to commence the investigations were in response to media and were perhaps motivated by an interest in raising the profile of data breaches in Australia to support the introduction of a mandatory notification scheme. Whether this is in fact correct or not, there are clearly issues with the process followed in each investigation. In all of the OMIs, an ‘on the papers’ approach was used, based on written responses to largely generic requests for information. There was virtually no second-round questioning, independent evidence gathering or confirmation of the facts as asserted by the respondents, whether directly or via third-party investigation reports commissioned by the respondents. The decision-making process used is also not clear. The change in the outcome of the Medvet investigation, after the initial outcome was communicated to the respondent, in particular raises issues as to the basis for the OAIC’s decision-making in these cases.
We assert that these issues arise, in part, as a consequence of the limited powers, skills and resources available to the OAIC at the time. Given the OAIC’s new powers and increased accountability, these issues may be addressed in future Commissioner-initiated investigations. However, without the allocation of significant additional resources, it seems unlikely that there would be any significant change in process. Reliance on third-party investigation reports commissioned by the respondent in a future investigation may not be an appropriate resolution.
The OAIC is right to emphasise that the problem of data breaches is likely to remain. However, the examination of the six OMIs reveals that the investigatory approach adopted can lead to the situation where the OAIC investigators are simply going through the motions. On that note, given the issues we highlight in this article, the OAIC’s data breach investigations as a body of work are unlikely to be of assistance in regulatory efforts to prevent data breaches, unless significant changes are undertaken. Such changes would herald a major policy shift regarding the role of the OAIC, characterised by the need for a supported, adequately resourced and thus proactive Australian privacy regulator. In that regard, our examination of six relatively recent OMIs sounds a warning not just as to what has happened, but also for the future