
The Privacy 108 team has reviewed OAIC determinations published since 1 November 2010 and identified some trends and important findings.

The OAIC has broad powers to investigate acts or practices that might constitute interference with the privacy rights of an individual, and to make consequent determinations.
An investigation may be initiated by the OAIC itself, or it may be triggered by an unresolved complaint that an affected individual has made to the alleged offender.
The OAIC's authority in this context includes the determinative power to find that there has been an interference with privacy, together with coercive powers to issue directions not to repeat the conduct and orders to take specified actions to ensure there is no repetition of the interference. The OAIC may also compel payment of compensation to affected individuals for loss or damage they have suffered. In the context of representative complaints, where there are large groups of aggrieved and motivated complainants, the financial consequences of an adverse determination may be significant.
In the absence of case law, these determinations are also important as the most elucidating beacons of practice in the privacy arena. They provide a keener insight into the underlying organisational risks of poor data management, and they also provide guidance about the likely trajectory of a complaint that remains unresolved after internal handling and conciliation.
We thought we’d look at some of the data to see if there are any broad trends emerging from the published determinations since 1 November 2010.
There was a dead heat for volume of complaints, and it was between APP 6 (use and disclosure of personal information) and APP 11 (security of personal information). Those two led by a nose from complaints about APP 10 (failure to take reasonable steps to ensure that personal information is up to date and correct). Behind these frontrunners, the pack was led by APP 1 (failure to implement a system and practices of open and transparent management of personal information) and APP 12 (Providing Access) followed by APP 5 (Notification of Collection), APP 3 (Collection of Solicited Information), then APP 4 (Managing unsolicited information) and APP 13 (Correction of Personal Information). APP 7 (Direct Marketing), APP 8 (Cross Border Disclosure) and APP 9 (Use of Government Identifiers) all failed to make an appearance.
What seems odd about this is that there were no complaints about direct marketing and, in particular, none about poor cross border disclosure practices, which are, from a practical point of view, a significant enabler of data profiling and behavioural advertising. Perhaps breaches of these two APPs were not apparent to those impacted by them?
It is also notable that almost all the investigations into APP 1 (Failure to Implement Systems and Practices) were instigated by the OAIC directly and not in response to a complaint. Here again, perhaps a breach of this APP was not apparent to those affected by it?
Common themes of the complaints were privacy issues emanating from obvious and apparent data processing errors. These involved events like inadvertent shipping of personal information beyond the protection of firewalls and out into the public domain; call centre or data-processing disclosures caused by poorly documented procedures; and systems integration issues where data entered into one enterprise system failed to be shared appropriately across the entire system, meaning that data processors and call centres were relying on out-of-date or incomplete data even though the relevant data had actually been made available to the organisation. Over-aggressive use of fingerprint, faceprint and CCTV data, particularly in an AI paradigm, also got a look in.
In terms of the determinations that relate to individuals' right to access, the cases demonstrate a lack of organisational understanding of the visibility of medical reports and documented education sector disciplinary procedures. It would have been advantageous for the organisations concerned to have seen to it that the reports in question were framed up in the context that the subject individuals might access them, rather than fighting a rear-guard action to deny that access.
It’s an important reminder for all organisations to consider the Privacy Act right to access.
We think the take home messages include:
All the complaints across the APPs generally followed a pattern in that more or less half of them were found to be justified (across the board and in respect of each of the APPs), with APP 10 (taking reasonable steps to ensure up-to-date and accurate information) as an outlier in that it was the least likely complaint to be upheld. In some instances, APP 10 complaints failed because the data kept was, on the whole, complete, but incomplete data-mapping and systems integration had prevented it from being shared where it was needed; so there was a breach, but not a breach of APP 10.
Investigations into private sector organisations or businesses more than doubled the number of investigations into public sector organisations.
Investigations into entities in the health, government, retail and the education sectors were the most frequent (in descending order of frequency) although the R&D sector, software and data-processing and law enforcement sectors (which we’ve treated as being aside from the public sector for the sake of clarity) also got a look in.
The most common OAIC regulatory response to a finding of interference with the privacy rights of an individual was a direction not to repeat or continue the relevant practice, more often than not accompanied by mandated and quite specific remediation steps.
The OAIC also awarded compensation in some of the determinations, and this is discussed below.
Compensation was awarded in about half of the cases where there was a finding of interference with the privacy rights of an individual.
The determinations show the OAIC’s emphasis on the necessity for there to be an evidentiary basis supporting the award of compensation. Compensation tended to be granted in respect of non-economic loss, mostly demonstrable distress, anxiousness, and humiliation. This reflects the difficulties adducing appropriate evidence of economic loss where the chain of causation is likely to be quite long and tenuous.
Compensation amounts tended to be small, mostly ranging from $1000 to $10,000 (leaving aside compensation for direct costs incurred by the complainant in progressing the complaint) and there is no instance of aggravated damages being awarded.
It would be facile, though, to dismiss the implications of an adverse determination on the basis of these relatively low amounts. First, the financial consequences of compensation might become very significant in relation to representative complaints with large numbers of class members. The cost of retrofitting comprehensive data handling governance to existing practices in response to an OAIC order might be very high, and the resultant disruption to BAU operations might be severe. Other consequences include the cost of, and diversion of resources into, managing the complaint process, as well as the reputational damage. For private sector organisations, an adverse determination might also trigger a breach of finance covenants and cash flow issues.
The process from incident to resolution is a protracted one, with most cases running 2 to 3 years from incident to resolution. While this does reflect the complexity of the mandated process (which requires an internal resolution process and conciliation as well as an investigation), it does mean that complainants wait years for resolution. It also means that organisations and businesses which are the subject of complaints will endure years of disruption, cost and uncertainty and particularly uncertainty about data handling processes which go to the very core of their business.
Our review of the published determinations tends to the conclusion that while the underlying processes may be protracted from a complainant’s point of view, and offer little in the way of monetary compensation, the prospect of an OAIC investigation imposes significant operational and business risks for organisations that have paid inadequate attention to their data handling processes.
To minimise the cost and disruption of a protracted privacy investigation, organisations should: