The New South Wales (NSW) Privacy Commissioner has recommended to state parliament that IT service providers share the blame for data breaches involving their public sector customers.
In a report released on 20 February, the Commissioner urged that the Privacy and Personal Information Protection Act 1992 (PPIP) be amended so that individuals, public and private sector agencies and partners could all share responsibility for data breaches where appropriate.
“The purpose of this report is to place in the public domain matters relevant to the responsibilities of employers, employees and agents, such as contracted service providers, for privacy and management of personal and health information,” the report stated.
Under current law, public sector agencies hold responsibility for the security of personal information.
However, the state’s Privacy Commissioner, Elizabeth Coombs, wants to redistribute the burden of responsibility to include third-party providers, meaning resellers that hold government contracts would share the blame for data breaches.
“NSW privacy legislation has stood the test of time well, but there are gaps in privacy protections,” Coombs said.
“The report, released today, addresses two of these gaps – that is, protections available to individuals when employees of public or private sector covered by the legislation intentionally breach privacy requirements, and when contractors to the public sector do not handle personal information lawfully.”
The commissioner said there has been increased concern around the intentional actions of employees which breach privacy requirements.
According to the report, the commissioner’s office reviewed a number of privacy complaint investigations concerning the unlawful use of personal information by public sector employees.
“As NSW privacy legislation does not make provision for mandatory data breach notifications, I am not aware of the full extent of intentional privacy contraventions by agencies’ employees or contractors,” Coombs said.
“But the Queensland Crime and Corruption Commission in 2016 reported a growing number and proportion of complaints about misuse of confidential government information. There is no reason to believe that NSW would be any different.”
The commissioner also alluded to the 1992 inquiry by the NSW Independent Commission Against Corruption (ICAC) - which uncovered a black market trade of government information - as a warning to parliament.
“The investigation uncovered a widespread corrupt trade in confidential New South Wales and Commonwealth Government information,” ICAC stated in its 1992-1993 annual report.
“It involved public officials who sold or otherwise provided the information, private inquiry and commercial agents who brokered the information, and insurance companies and financial institutions who were consumers of the information.”
As a result of that investigation more than 40 New South Wales public officials were identified as having received payment in exchange for confidential information and many others were found to have released such information without authority, but not for payment.
“The recommendations, if adopted, will better secure the privacy rights of individuals in the NSW community,” Coombs added.