'Lack of consequences' for poor personal info handling - commissioner
The Privacy Commissioner wants laws tightened, tougher fines and more money to investigate a steep rise in complaints
Michael Webster is looking at new rules - and possible legislation - to cover biometrics and AI, and is calling for agencies and businesses to make privacy a focus.
Complaints to the Privacy Commission increased by 79 percent in the past financial year.
"That suggests that there is a greater degree of concern out there and the message about privacy protection and respecting people's privacy rights is getting out there," said Webster.
"People have got concerns, and that's what I'm telling both government organisations and private sector businesses."
In a briefing to incoming justice minister Paul Goldsmith, Webster said funding increases were consistently below what was required to implement significant new responsibilities from the 2020 Privacy Act
"This funding shortfall has led to us deferring work and will see us committing our cash reserves to critical areas that need addressing, such as replacing our website.
"We have insufficient funding to effectively address the significant regulatory failure occurring across the public and private sectors under the Privacy Act. We do not believe we can fully deliver on our statutory responsibilities and meet the expectations of citizens and organisations with our current funding and powers."
Its limited resources - a $8.17 million operating grant with a staff of 51 - meant it could not investigate complex cyber attacks, and had to use the Australian Information Commissioner's resources in its joint investigation of last year's Latitude Finance breach.
The Privacy Act also had only limited sanctions, with a $10,000 maximum fine and no offence for causing a privacy breach.
"Our investigations into privacy breaches have shown that some agencies do not care about privacy as they know there are no significant financial penalties - contributing to serious cyber security risks.
"Many agencies that we investigate are aware of the lack of meaningful financial penalties and our relatively limited compliance powers in the Privacy Act and so are not incentivised to consider privacy in the same way they consider other requirements such as complying with financial reporting standards or health and safety.
"A primary driver behind low privacy capability and compliance is the lack of accountability and consequences for managing personal information poorly."
A multinational that is not complying with a statutory information request had been fined several hundred thousand dollars under a different regulatory regime.
Australia has raised its maximum penalty to $50 million for a series or repeated interference with privacy.
The Commissioner is also due to publish a draft biometrics code this autumn.
"However, the cross-cutting issues raised by biometrics are such that legislative amendments may also be necessary to safeguard this sensitive personal information."