Privacy office at breaking point
Timothy Pilgrim: Has retired as Privacy Commissioner over the weekend
The Australian government’s national data authority is facing “unprecedented challenges” following recent global data controversies and the commencement of the data breach notification laws, while its resources are “stretched beyond breaking point”, Victoria’s former privacy commissioner said.
Australian Privacy and Information Commissioner Timothy Pilgrim officially retired over the weekend after more than eight years in the role. Digital rights advocates have praised Mr Pilgrim’s achievements in the role, but have said his office has been left under-resourced and underfunded.
Deputy Commissioner Angela Falk will take on Mr Pilgrim’s role while the government undertakes a “merits-based selection process”.
This means the top four positions at the OAIC are occupied on an interim basis, with Andrew Solomon taking over as acting deputy commissioner, and two acting assistant commissioners.
This is expected to be stabilised once a new commissioner is appointed.
It comes as the Office of the Australian Information Commissioner’s (OAIC) role has never been more important, following revelations over Facebook’s data harvesting, increasing concerns over online privacy and data sharing, and the launch of the mandatory data breach notification scheme.
The Office of the Australian Privacy Commissioner is an independent government agency within the Attorney-General’s portfolio, and oversees freedom of information request laws and reviews, privacy issues, government information policy functions and the new mandatory data breach notification scheme.
While the OAIC’s role has become increasingly important and the number of complaints and issues it deals with skyrockets, the agency has not been given any additional resources or funding from the federal government.
The OAIC was allocated $10.74 million in direct government funding for the 2017-18 financial year, along with just under $3 million from government agencies as part of memorandums of understanding. The agency has just over 70 full-time employees.
The OAIC does not have the adequate resources or funding to address the range of current concerns surrounding privacy and security online, former Victorian privacy commissioner and Professor of Information Law and Policy at LaTrobe University David Watts said.
“[Mr Pilgrim’s] retirement comes at a time when the challenges for the OAIC are unprecedented. The Facebook and Cambridge Analytica scandal demonstrates that the international tech giants abuse consumer trust and privacy as their business model,” Mr Watts told InnovationAus.com.
“They act with impunity, as if they are beyond scrutiny and accountability,” he said. “Getting the regulatory balance right is one of the most daunting challenges for the OAIC.”
“Combine this with other pressing issues such as the proposed Consumer Data Right, open banking, open data, big data and AI and bedding down the new data breach notification scheme, the OAIC’s resources are stretched beyond breaking point.”
The OAIC recently began overseeing the new data breach scheme, which requires all companies with annual turnover of at least $3 million to report data breaches to the individuals and the OAIC.
More than 30 data breaches have been reported to the OAIC in the first three weeks of the scheme. Despite this added workload and stress, the OAIC has not received any additional funding or resources to run the scheme.
Along with its new role overseeing the data breaches scheme, the OAIC’s role in reviewing freedom of information requests and other privacy complaints is also increasing.
In the last financial year there was a 16 per cent increase in the number of privacy complaints made to the Office, and a more than 25 per cent increase in the number of FOI reviews requested.
An OAIC spokesperson said the agency prioritises its operations to deal with the influx of requests.
“The OAIC operates within its resources to perform its function conferred on it by the Privacy Act 1988 and the Freedom of Information Act 1982 and prioritises its resources accordingly,” the spokesperson said.
In its most recent annual report, the OAIC admitted that its resources have not been increased in line with its responsibilities.
“While our workload and responsibilities grow our challenge is to continue to manage our responsibilities effectively with the resources available. This necessitates us looking at how we work and what we can do to deliver improved and more efficient services,” the OAIC said.
“The upcoming implementation of the Notifiable Data Breaches scheme, the Australian Public Service Privacy Governance Code, the General Data Protection Regulation requirements, the review of the CR code and any implementation of the Productivity Commission’s Data Availability and Use report, among other priorities, are expected to increase demand for advice and guidance.”
Mr Pilgrim’s last action in the role of Information Commissioner was to signal a warning to Facebook that “regulatory action” may be taken against the tech giant after revelations that the personal data of more than 50 million Facebook users was harvested and given to data analytics firm Cambridge Analytica, and later used to target advertising during the 2016 US presidential election.
The controversy has led to calls for Facebook to be more transparent over how it treats its users’ data, and for increased regulations on how this data can be used and given to third parties.
Electronic Frontiers Australia vice-chair Angus Murray said the Australian Privacy and Information Commissioner’s role has never been more important.
“[Australia’s Privacy Commissioner] is of extreme importance to safeguarding Australian citizens’ privacy, both in the traditional media and in the increasingly important digital environment,” Mr Murray told InnovationAus.com.
“It is clear from the recent Identity-Matching Services Bill 2018 and revelations about Cambridge Analytica’s data analytics technology being applied by political parties that more checks and balances are necessary for the proper functioning of society, and we are on the knife’s edge of significant change to the way in which government interacts with society.
“The government ought to take all reasonable steps to ensure that a new Privacy Commissioner is appointed without delay and is suitably qualified, funded and focused on ensuring that Australians’ rights are not further diminished without comprehensive and informed debate.”
The government and digital rights advocates have praised Mr Pilgrim’s time in the role and commitment to privacy and security. He has worked in the public sector for more than three decades, and specifically on privacy, FOI and information management for the last 20 years.