The Office of the Australian Information Commissioner (OAIC) has commenced a formal investigation into the data handling practices of Medibank following its recent breach.
The Commissioner of the OAIC is empowered to commence such an investigation under s 40(2) of the Privacy Act if it believes an act or practice may interfere with the privacy of an individual. Preliminary inquiries were made in early October in regard to Medibank’s compliance with the Notifiable Data Breaches scheme. This follow-up investigation will assess whether Medibank took reasonable steps to protect the personal information of its customers from misuse, interference, loss, unauthorised access, modification, or disclosure. The investigation will also determine whether Medibank is appropriately following the practices and procedures of the Australian Privacy Principles.
If the OAIC determines that an interference with the privacy of individuals occurred, the Commissioner may make a determination that can include requiring Medibank to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage. Moreover, if the Commissioner believes there to be a serious and/or repeated interference with privacy in contradiction of Australian privacy law, it may seek penalties through the Federal Court of up to $2.2 million for each contravention.
This crackdown aligns with the recent passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 which aims to strengthen Australia’s privacy and security framework following the increased data breaches. The OAIC recommends that all organisations and individuals should review their information sharing and handling practices to ensure the safety of personal data.
