'The Privacy Commissioner and Own-Motion Investigations Into Serious Data Breaches: A Case of Going Through The Motion?' [PDF] by Jodie Siganto and Mark Burdon in (2015) 38(3) UNSW Law Journal comments
Data breaches resulting from information security failures continue to be an issue of pressing concern. The Office of the Australian Information Commissioner (‘OAIC’) recognises that data security is a major challenge for organisations. Starting in February 2011, the OAIC commenced a series of ‘high profile’ investigations into alleged data breaches. Each of these investigations was commenced by the Privacy Commissioner (the ‘Commissioner’) with reference to the OAIC’s Own Motion Investigation (‘OMI’) powers. These powers allow the Commissioner to conduct an investigation without any prior complaint being made. The Commissioner heralded the use of OMIs and the subsequent publication of reports as a change in its enforcement approach to ‘particularly serious or high profile privacy incidents’. All of these incidents related to data breaches. The new strategy was partially developed to increase the transparency of the OAIC’s investigation process and to help organisations and agencies to better understand their privacy responsibilities.

Surprisingly, the Commissioner’s change in approach has received little scholarly attention given the heightened concern about data breaches and past criticisms of the Commissioner’s failure to pursue a robust enforcement approach. Previous research has focussed on the way the OAIC has used its investigation powers generally, with only limited consideration of the use of powers in relation to data breach incidents. This article fills a gap in the current literature and examines the actual investigatory and decision-making procedures adopted in six data breach-related OMIs undertaken between February 2011 and July 2012. They involve a range of different respondents, different types of security incidents and different findings regarding breaches of privacy principles, with a particular focus on National Privacy Principle (‘NPP’) 4. NPP 4 required entities covered by the Privacy Act 1988 (Cth) (‘Privacy Act’) to implement reasonable security measures in order to protect personal information.

We examine how these investigations were conducted and the basis for the decisions made, including the publication of final investigation reports. Our framework for examination includes the OAIC’s own published guidance as to how it should undertake investigations and publish reports, and generally recognised principles for the exercise of regulatory powers. Part II provides background to the Commissioner’s investigations and interest in data breach cases and then outlines the methodology adopted. Part III details the reasoning behind the OAIC’s investigatory processes including the reasons for undertaking the OMIs, the process of evidence collection, the decision-making process adopted, and the reasons for the publication of final results in OMI reports.

Our findings indicate that the investigation process followed in these six cases could be described as high-level, and lacking in both balance and vigour. Part IV then puts forward reasons for the standard of these investigations by critically questioning whether the OAIC had sufficient powers and resources to adequately conduct the OMIs. We also consider whether the Commissioner pursued these OMIs as a means to further the OAIC’s policy agenda regarding the development of a mandatory data breach notification scheme.

We conclude that the OAIC’s decision to conduct these OMIs was to highlight and support its policy interests, without having the requisite resources or powers to conduct the investigations effectively. In other words, in the interests of pursuing a data breach policy agenda, the OAIC seems to have been going through the motions in its data breach investigations.
The authors conclude
In terms of the six OMIs reviewed, the selection of the particular cases to investigate (all involving a data breach), the ongoing media engagement highlighting both the investigations being undertaken and the investigation results once available, and the Commissioner’s personal involvement in the decision to publish reports, all suggest that these OMIs were part of a policy imperative to focus on investigating data breach cases. The Commissioner drew the specific link between these investigations and data breach notification in our interview, saying that ‘we are seeing breaches on a large scale’ and that a mandatory reporting scheme was required ‘to give people the ability to know they need to take steps to protect [their personal] information when something goes wrong’.

Based on the above, it could be argued that one of the motivations for undertaking these OMIs and publishing investigation reports might have been to provide further support for the introduction of a mandatory data breach notification scheme, or at the very least, to highlight the issue of data breaches in Australia. This would be consistent with the Commissioner’s stated policy position and may explain why the Commissioner has elected to dedicate increasingly scarce resources to the pursuit of these investigations, in preference to other regulatory activity. It may also explain why the investigations themselves lack the rigour that might otherwise be expected. It is possible that the real purpose for these investigations was to raise the profile of data breaches and to highlight the role of the Commissioner in resolving issues as part of a more general policy imperative. If that is indeed the case, then it is not so important that the investigations themselves be conducted in line with the OAIC’s own guidance or in accordance with general principles for the use of regulatory powers, including the principles of transparency, balance and vigour. ...

Our investigation of the six OMIs suggests that the OAIC’s decisions to commence the investigations were in response to media and were perhaps motivated by an interest in raising the profile of data breaches in Australia to support the introduction of a mandatory notification scheme. Whether this is in fact correct or not, there are clearly issues with the process followed in each investigation. In all of the OMIs, an ‘on the papers’ approach was used, based on written responses to largely generic requests for information. There was virtually no second-round questioning, independent evidence gathering or confirmation of the facts as asserted by the respondents, whether directly or via third-party investigation reports commissioned by the respondents. The decision-making process used is also not clear. The change in the outcome of the Medvet investigation, after the initial outcome was communicated to the respondent, in particular raises issues as to the basis for the OAIC’s decision-making in these cases.

We assert that these issues arise, in part, as a consequence of the limited powers, skills and resources available to the OAIC at the time. Given the OAIC’s new powers and increased accountability, these issues may be addressed in future Commissioner-initiated investigations. However, without the allocation of significant additional resources, it seems unlikely that there would be any significant change in process. Reliance on third-party investigation reports commissioned by the respondent in a future investigation may not be an appropriate resolution.

The OAIC is right to emphasise that the problem of data breaches is likely to remain. However, the examination of the six OMIs reveals that the investigatory approach adopted can lead to the situation where the OAIC investigators are simply going through the motions. On that note, given the issues we highlight in this article, the OAIC’s data breach investigations as a body of work are unlikely to be of assistance in regulatory efforts to prevent data breaches, unless significant changes are undertaken. Such changes would herald a major policy shift regarding the role of the OAIC, characterised by the need for a supported, adequately resourced and thus proactive Australian privacy regulator. In that regard, our examination of six relatively recent OMIs sounds a warning not just as to what has happened, but also for the future.