A standalone Privacy Commissioner will be appointed for the first time in more than eight years, as the federal government looks to respond to the growing number of significant data breaches impacting Australians.
Attorney-General Mark Dreyfus announced on Wednesday that the government would be looking to appoint a standalone Privacy Commissioner within the Office of the Australian Information Commissioner (OAIC) to deal specifically with data security threats and the rapidly increasing volume of privacy issues.
Toni Pirani has been appointed as the acting Freedom of Information Commissioner while a search begins for a permanent replacement for Leo Hardiman, who resigned from the position after less than a year in the job.
The announcements mean that the OAIC will return to the three-Commissioner model which was intended when it was launched in late 2010.
The former Abbott government significantly cut funding to the privacy office in 2015, leading to the scrapping of standalone Privacy and FOI Commissioners.
Angelene Falk has been serving as both the Privacy and Information Commissioner since 2018, and will continue on as the Information Commissioner and head of the OAIC.
“Australians rightly expect their privacy regulator to have the resources and powers to meet the ongoing challenges of the digital age and to protect their personal information,” Dreyfus said.
“The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.
“The Australian people rightly expect greater protections, transparency and control over their personal information and the appointment of the standalone Privacy Commissioner restores the Office of the Australian Information Commissioner to the three-Commissioner model Parliament originally intended.”
The funding and resourcing of the OAIC has been a continual issue for several years. It has been provided a number of short-term funding pledges, meaning its funding is set to fall by 43 per cent in 2024-25, unless it is given reliable funding in next week’s budget, the Canberra Times reported.
The October budget allocated the OAIC $33.5 million in 2022-23, an increase from the $30.3 million it received in 2021-22. The agency received an extra $5.5 million over two years to “investigate and respond to the Optus data breach”.
Merit-based selection processes are now underway for the Privacy and FOI Commissioners, with Pirani beginning as interim Commissioner on 20 May.
Data security has been a mainstream political issue since the major Medibank and Optus hacks and data breaches late last year, which saw the personal information of millions of Australians leaked onto the dark web.
Australians were again caught up in a major breach recently when Latitude Financial was hacked, leading to the personal data of 14 million customers, including driver licences and passports, being stolen.
The Labor government moved late last year to increase the penalty for serious or repeated privacy breaches to $50 million, which can be sought by the Privacy Commissioner.
The new laws passed Parliament in November, with the OAIC also handed stronger enforcement powers, including an expansion of the types of declarations it can make in a determination after an investigation is completed, and new powers to conduct assessments.
The Australian Computer Society (ACS) has also called for the directors of companies hit with repeated and wilful privacy breaches to face potential jail time, applicable to organisations viewing fines for privacy breaches as the “cost of doing business”.
Under the reforms proposed by the landmark Privacy Act review, released by the federal government earlier this year, Australians would also be able to sue over privacy breaches.