OAIC under fire for long review wait times following Notifiable Data Breaches scheme
The Office of the Australian Information Commissioner (OAIC) is charged with a handful of functions covering privacy, freedom of information (FOI), and information policy.
Its responsibilities include conducting investigations; reviewing decisions made under the FOI Act; handling complaints; monitoring agency administration; and providing advice to the public, government agencies, and businesses. A year ago this week, it had its workload upped once more and was given the responsibility of handling Australia’s Notifiable Data Breaches (NDB) Scheme.
In the first year of operation, the OAIC received notification of 812 breaches.
Speaking during Senate Estimates in May last year, then-acting Information and Privacy Commissioner Angelene Falk said her office was expecting around 500 breach disclosures, telling the committee at the time there was “an increase in a number of matters” the OAIC was closing and that the challenge was to “manage responsibilities with the resources available”.
Now appointed as the Australian Information and Privacy Commissioner, Falk faced Senate Estimates on Tuesday, grilled again about the staffing numbers in her office.
“The Notifiable Data Breaches scheme has been a significant increase in workload,” she said, noting that under the voluntary scheme that was previously in place, the OAIC received 114 breach notifications in a 12-month period.
“That has required the office to focus and prioritise on that work and inevitably because of the increased workload across all of our functions, it is leading to some extended periods of delay in actioning some of the work.”
Of specific concern to the senators was that appeals and requests for review are taking nearly a year to complete as a result of the increased workload.
In the six months from July 2018, the OAIC received over 10,000 inquiries relating to both privacy and FOI. There were 524 requests to review FOI decisions — up 42 percent over the same period a year prior. 318 reviews were finalised during that same time.
There are currently 784 FOI Information Commissioner (IC) reviews on hand and 18 FOI matters that have been waiting 11 months to be assigned a case officer.
“We resolve over 50 percent of the privacy complaints through an early resolution model and similarly we have seen a success on the FOI side of the work in increasing the numbers,” Falk explained.
“Having said that, those matters, both in privacy and FOI that need to go to a full investigation are experiencing a delay to be allocated to an officer.”
The average time taken to resolve an IC review over the last three years has been 6-7 months.
In addition, from July through December 2018, 1,716 privacy complaints were received by the OAIC — a 22 percent increase over the same period a year prior. Of those, 1,410 have been resolved.
Refusing to tell Estimates overtly that she wanted more staff — saying in May the OAIC boasted 75 full-time equivalent staff — Falk said her office was “working proactively” in terms of getting to the causes of the increase in matters. She said she was specifically looking into whether there was “good FOI decision-making” in the first place and, in terms of privacy, whether there is good awareness around government and business of responsibilities.
“At the same time we are looking at our resourcing,” she conceded. “We are putting more focus on early resolution and that is bearing fruit and as well as that, looking at what our resourcing needs might be moving forward.”