The Australian privacy commissioner has warned that third-party suppliers are “a real weak spot” for protecting customer privacy after Australian user details were compromised in a leak of supplier data held by New South Wales and Australian Capital Territory clubs.
Last week more than 1 million people had their personal information including names, addresses, and driver’s licence information exposed after data collected by the IT provider Outabox was published online. Outabox’s customers included dozens of clubs in NSW, including the hospitality giant Merivale.
The Office of the Australian Information Commissioner’s data breach report stated that there were 483 notifications in the past six months related to direct data breaches, and 121 secondary data breaches – that is, where another company has suffered a data breach and that company is thereby affected by it.
The privacy commissioner, Carly Kind, said it was a growing issue, and larger organisations such as clubs needed to ensure they were passing on their privacy obligations to third-party suppliers.
“We’re absolutely seeing a rise in third party suppliers being the source of data breaches,” Kind said in an interview to mark the launch of Privacy Awareness Week. “Being a point of vulnerability for others in terms of compliance with Privacy Act is very real and what we’re cautioning organisations about is ensuring that they’re passing on their obligations in the best way possible in any contract with third parties.
“So either through contractual provisions about compliance with privacy standards, but also through due diligence and ensuring that they know what kinds of privacy protections are in place for those third-party suppliers … it’s becoming a real weak spot in the chain of protecting privacy.”
Kind is the first stand-alone privacy commissioner to hold the federal role in eight years. She took up the position in late February, moving back to Australia after being the inaugural director of the London-based AI and date research organisation the Ada Lovelace Institute since 2019. Her appointment comes as the federal government is planning a substantial overhaul of the Privacy Act.
On Thursday the attorney general, Mark Dreyfus, said reform of the law was vital in a time when the “personal privacy of citizens is under attack”. The government plans to introduce legislation overhauling the Privacy Act and targeting doxing – the malicious use of their personal and private information – in August.
In consultation with industry, he said, the government was considering bringing in a fair and reasonable test regarding the collection, use and disclosure of personal information, and has agreed in principle that a statutory tort for serious invasions of privacy should be introduced complementary to the Privacy Act protections. Also under consideration is requirements for businesses around maximum and minimum retention periods for personal information.
Kind said since coming into the role in February she had noticed no resistance to the privacy reform from industry, and there was political support for the change. She said what she was more concerned about was Australian organisations not considering what personal information they collect and whether they still need to collect it.
“When these data breaches occur, we’re seeing a lot of data that’s being exposed, perhaps some of which doesn’t need to be held or retained by those entities. So [that’s] perhaps a challenge of excessive collection of data in the first place … I think there’s some probably some habits and trends there that have been baked in and because there hasn’t been that Privacy Act reform, and it’s feeling a bit overdue.”
Kind said some of the larger tech companies had improved their data-collection practices as a result of passing on requirements under the EU’s data privacy regime to the rest of the world but that alone was not sufficient, and local laws needed updating, with regulators given stronger powers to enforce privacy law.
“The role of regulators there is really key. We’ve seen that in Europe very active enforcement of privacy law in certain aspects really can change business models.”