CIO

OPINION: OAIC not primed for data breaches

Michael Connory, CEO of Security in Depth, takes aim at "bureaucratic basket case"

Next to Prime Minister Scott Morrison, the Office of the Australian Information Commissioner (OAIC) chief executive, Angelene Falk, would have to have one of the least coveted positions in Australia, and it’s hard not to feel sorry for her.

The challenges she faces, and what she has to contend with as the head of the OAIC, are extraordinary.

Unlike Prime Minister Morrison, Falk was appointed with a specific job to do. Scott Morrison was an unlikely candidate in an orchestrated political coup that was an exercise in duplicity, and in how to end the political life of a government and hand its accidental leader a poisoned chalice.

Recently Falk wrote in The Australian that “Australia’s notifiable data breaches scheme has the goal of ensuring that organisations notify affected individuals so they can take steps to minimise the risk of serious harm. It also holds entities accountable to their customers.”

“We help ensure breaches are contained and remedial action is taken, and we report quarterly on common causes to help regulated entities take preventive action.”

The OAIC is a young regulatory body. It is one of the new kids on the block, which makes its existence a blank canvas on which it should have painted and upheld a standard of excellence. However, the OAIC has delivered little if anything and portrays itself more as a body with a do-nothing attitude than one that seeks to regulate, correct and prosecute the failing practices of corporations – its canvas remains a blank composition without colour or creativity.

Last month, the OAIC released its third quarter report. Like previous reports, it was much the same, with no surprises or revelations about undertaking a course of prosecutions for serious data breaches – 245 breaches tabled created no reason for concern? What was produced was a waste of taxpayers’ money that leaves us in no doubt it is an ineffective organisation, mismanaged and lacking the ability to understand the meaning of its existence regarding cyber security and data breaches.

Australian taxpayers are funding a bureaucratic basket case afraid to exercise its own powers – blinded through ignorance and naivety.

It would have been hard for the OAIC to appear before Senate Estimates on October 22. It’s obvious the OAIC is now in the crosshairs of Senate Estimates, which is trying to understand why the OAIC exists if it is not prepared to investigate and prosecute organisations, when the overwhelming evidence confirms it simply does nothing.

Despite the inaccuracies of the answers presented to Senate Estimates, the OAIC does have repeat offenders on record, and it is the big four banks who are the biggest culprits.

As of June 30 this year, nine percent of all data breaches were due to the banks, making a mockery of the OAIC’s position – misleading Senate Estimates reflects poorly on the OAIC.

It’s hard to conceive of the OAIC’s claim that there are no repeat offenders when nine percent of all data breaches as of June 30 are attributable to ANZ, Commonwealth Bank, NAB and Westpac.

Complex issues are at times unenjoyable to solve but rewarding to understand. The failure to draw conclusions, or to ask questions about why no penalties have been issued and no investigations conducted when Westpac staff advised its customers that breaches involving fraud and criminal activity had taken place, is an issue the Federal Government must seek answers to, and it appears Senate Estimates is determined to do that.

If Westpac reported repeated data breaches and there were 32 repeat offences across the big four, how can there be no recidivist offenders? Why are there no fines and no investigations of genuine merit when there has been criminal activity and service breaches, yet the OAIC claims no further investigations were warranted?

The OAIC, it appears, through its repeated failure to carry out its charter, is a rotting fish. With a decaying carcass comes an unbearable smell that requires immediate attention, or the stench gets worse.

Senate Estimates is now asking questions about the relevance of the OAIC and what it is actually doing, if it is doing anything at all. It may be that Parliament now has its sights firmly fixed on the OAIC, and it may be that the OAIC will be asked to explain why it shouldn’t have its fate predetermined.

Perception is everything, and the OAIC has drawn attention to itself. We have the right to know why there is an escalating number of data breaches, why our personal information is continually in jeopardy, and why the banks repeat privacy breaches with no action taken.

The OAIC has shown that safeguarding our privacy is in the wrong hands. It took a Royal Commission to expose the banking industry, where anonymity was always pleaded. It’s imperative that there is transparency, so that an organisation can no longer hide behind the cloak of non-disclosure.

The reality is the OAIC is not primed for data breaches because it has yet to accept its mandate.