The theme of this year’s Privacy Awareness Week (PAW) is “back to basics”. It’s fitting to consider some lessons arising from recent high-profile breaches affecting millions of Australians, and the consistent messages we’ve been hearing from the Australian Information Commissioner in the midst of those incidents.
Data breaches can happen to anyone. We know cyberattacks can be big business, and sophisticated criminal networks make a good living from these. And if your organisation has taken reasonable steps to avoid or mitigate such breaches, the fact you’ve encountered one will not, of itself, be held against you.
However after recent prominent incidents, we’ve noticed the OAIC raising time and again two basic tenets of the APPs:
- only collect the minimum amount of personal information required for a particular purpose; and
- delete (or de-identify) that information as soon as it is no longer needed.
Initially collecting, and then holding onto, larger sets of data than you need will clearly increase the risk when a data breach occurs – the hackers will have access to a larger dataset and more opportunity to cause harm.
Recent data breaches have reportedly involved customers’ identity records and other information being held for more than a decade, and some of these have occurred after the maximum penalty for serious privacy breaches was raised in December to more than $50m per contravention. It will be interesting to watch the outcome of the regulator’s enquiries: the OAIC has either commenced preliminary inquiries or opened investigations (see here and here) into several high profile recent incidents.
It’s worth a nuanced examination of the justifications for data you collect and retain, with experienced privacy practitioners able to assist from daily experience. The OAIC’s repeated warnings should be heeded – and careful application of these principles will reduce your target if things do go wrong!
K&L Gates is a proud supporter of PAW, read more about PAW at the OAIC’s 2023 resource.