Two recent decisions by the Privacy Commissioner and an announcement of a new Federal Court action relate to the Commissioner’s expectations of how to respond to data breaches.

In Pacific Lutheran College (Privacy) [2023] AICmr 98, the Privacy Commissioner considered the response by a coeducational kindergarten to year 12 independent private school to the unauthorised access by an unidentified third party to the email account of a manager of the school.

The email account contained approximately 180,000 emails. The incident resulted in the sending of phishing emails to 8,332 contacts of the email account.

The college became aware of the incident the following day, 29 May 2020, and sent an email to all staff notifying them of the incident.

It was the usual practice of the college to keep emails containing personal information of parents, students and staff, including financial details, tax file numbers, identity information and contact information.

An investigation concluded that an eligible data breach may have occurred, determining that 367 individuals were likely at risk of serious harm.

The OAIC was not notified of the data breach until 15 December 2020.

The Privacy Commissioner found that Pacific Lutheran College, interfered with individuals’ privacy as defined in the Privacy Act 1988 (Cth) (Privacy Act) by:

• failing to conduct an assessment of the incident in an expeditious manner and to take all reasonable steps to complete the assessment within 30 days, in breach of s 26WH(2);
• failing to notify the Commissioner as soon as reasonably practicable that an eligible data breach had occurred, in breach of s 26WK(2); and
• failing to take reasonable steps to protect the affected individuals’ personal information from unauthorised use and disclosure, in breach of APP 11.1.

In Datateks Pty Ltd (Privacy) [2023] AiCmr 97, the Privacy Commissioner considered the response by Datateks to the unauthorised access by a third party to three of its email accounts on 26 June 2020 and a subsequent phishing campaign.

Datateks became aware of the incident in relation to one of the email accounts on the same day it occurred and commenced an investigation and remediation activity with the support of its information technology provider.

During the course of a forensic investigation, Datateks discovered the two other email accounts that had been compromised and the investigation was widened to include these email accounts. The forensic investigation concluded in September 2020.

On 18 January 2021, Datateks notified the Office of the Australian Information Commissioner (OAIC) of the data breach.

During the relevant period it was the de facto usual practice of Datateks to hold date of birth, credit card information, bank account details, superannuation information, driver licence, birth certificate, working with children check, Medicare card information and tax file numbers in Datateks email accounts.

The Privacy Commissioner found that Datateks Pty Ltd, interfered with individuals’ privacy as defined in the Privacy Act 1988 (Cth) (Privacy Act) by:

• failing to conduct an assessment of a suspected eligible data breach in an expeditious manner and to take all reasonable steps to complete the assessment within 30 days, in breach of s 26WH(2) of the Privacy Act; and
• failing to notify the Commissioner as soon as reasonably practicable that an eligible data breach had occurred, in breach of s 26WK(2) of the Privacy Act.

On 3 November 2023, the Australian Information Commissioner announced that they had commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited (ACL) resulting from an investigation of its privacy practices. The investigation arose as a result of a February 2022 data breach of ACL’s Medlab Pathology business that was notified to the Office of the Australian Information Commissioner (OAIC) on 10 July 2022.

The Commissioner alleges that from May 2021 to September 2022, ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988. The Commissioner alleges that these failures left ACL vulnerable to cyberattack.

ACL’s business involves collecting and holding millions of individual patients’ health information. ACL collects other personal information from patients in order to provide test results and issue invoices, such as personal identifying and contact information, and copies of Medicare cards and numbers. ACL generated revenue of $995.6 million in the financial year ending June 2022.

The February 2022 data breach resulted in the unauthorised access and exfiltration of personal information, sensitive health information and credit card information of in excess of 100,000 individuals.

The Commissioner also alleges that following the data breach, ACL failed to carry out a reasonable assessment of whether it amounted to an eligible data breach and then failed to notify the Commissioner as soon as practicable. 

The court determination including any penalty is pending.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.