RedeMont Insight - OAIC and Privacy breaches

OAIC warns of increased penalties and harsher punishment for privacy breaches

Corporate Advisory and Governance, Business structuring, Corporate governance lawyer
March 12, 2024

In an announcement on 22 February 2024, Australian Information Commissioner Angelene Falk warned of the increased incidence of multi-party data breaches related to third-party cloud or software providers and escalating regulatory action against non-compliance.

Commissioner Falk advised businesses to ensure that privacy obligations are built into contractual arrangements with third-party service providers, and to be aware of their obligations under the Notifiable Data Breaches scheme.

Key Takeaway Points:

  • The Office of the Australian Information Commissioner (OAIC) is cracking down on data breaches and non-compliance with the Privacy Act 1988 (Cth) (Act).
  • Due to the high frequency of serious data breaches, the OAIC has warned of increasing penalties and harsher punishment for non-compliance with privacy obligations.
  • To avoid being liable for contravention of privacy law, businesses should ensure contracts with third-party service providers clearly address privacy obligations.

Privacy obligations in contractual agreements

It is common for businesses to use cloud storage (e.g., iCloud and OneDrive) or other practice management software to store documentation, data, and personal information. While those systems are owned and operated by third parties, responsibility for the privacy and security of the data uploaded to those platforms remains with the business. If the third-party provider experiences a data or technical breach (e.g., is hacked), the business can be liable for a contravention of privacy law resulting from that breach despite having no control over the third party’s operation of that system.

To mitigate risk in this situation, businesses should ensure contracts with third-party service providers clearly address privacy obligations.

As Commissioner Falk stated in her announcement, “Organisations need to proactively address privacy risks in contractual agreements with third-party service providers. This includes having clear policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations.”

Increased penalties for non-compliance – are you at risk?

Due to the high frequency of serious data breaches, the OAIC has warned of increasing penalties and harsher punishment for non-compliance with privacy obligations.

In the words of Commissioner Falk, “The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court. We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organisations are holding onto data much longer than is necessary.”

The OAIC has flagged that the health and finance industries are experiencing an increased number of malicious or criminal cyber attacks and are the top two reporters of data breaches.

What can you do to minimise your risk?

Businesses should be proactive in complying with their privacy obligations, and should consider the following:

  • reviewing contracts with third-party service providers to ensure clear privacy obligations are imposed, including, for example, in relation to security, disclosure, destruction, and notification of data breaches;
  • ensuring the required and appropriate policies are in place, including, for example, a privacy policy and a data breach response plan; and
  • understanding their obligations under the Notifiable Data Breaches scheme and establishing procedures to ensure compliance.

If you would like advice on your privacy obligations, or our assistance with preparing privacy policies or procedures, please contact our Corporate Advisory and Governance experts.
