PRIVACY ACT – Where an APP entity breached Australian Privacy Principle (APP) 11.1 of the Privacy Act 1988 (Cth) (Act) by failing to take reasonable steps to protect personal information from unauthorised access or disclosure – what constitutes “reasonable steps” – where an APP entity interfered with the privacy of 223,000 individuals under s 13(1) of the Act by breaching an APP – where breaches of privacy constituted “serious contravention” under s 13G of the Act – where breach of privacy of each individual constituted a separate contravention of s 13G of the Act – where an APP entity was aware that there were reasonable grounds to suspect that there may have been an eligible data breach – where an APP entity failed to carry out a reasonable and expeditious assessment to determine whether there were reasonable grounds to believe that there was an eligible data breach in contravention of s 26WH of the Act – where contravention of s 26WH of the Act was serious – where an APP entity was aware that there were reasonable grounds to believe that there had been an eligible data breach – where an APP entity failed to prepare a statement in relation to the eligible data breach and provide it to the Commissioner in contravention of s 26WK of the Act – where contravention of s 26WK of the Act was serious – where a penalty was agreed between the regulator and the contravener –where a contravener admitted contraventions – where contraventions were extensive and significant – where it is not possible to quantify the loss or damage caused by contravening conduct – where contraventions were not deliberate – where a contravener cooperated with the regulator – where a contravener took meaningful steps to develop a satisfactory culture of compliance – where 223,000 contraventions arose from a single course of conduct – where the Court satisfied that agreed penalty falls within permissible range of penalties sufficient for both specific and general deterrence
Recent cases about privacy compliance
-
McGinn v Australian Information Commissioner [2024] FCA 1185
PRACTICE AND PROCEDURE – application for order suppressing applicant’s identity – where applicant seeks to be identified by a pseudonym PRACTICE AND PROCEDURE – application for unilateral maximum costs order in respect of party and party costs recoverable against applicant PRACTICE AND PROCEDURE – application for change of respondent’s name
-
Foley v Australian Information Commissioner [2024] FCA 169
PRIVACY – breach of privacy – unauthorised access of personal information – inadequate data protection systems – breach of Australian Privacy Principles – ss 13 and 15 of Privacy Act 1988 (Cth) – investigation of representative complaint – earlier representative complaint – construction of ss 36, 38 and 39 of the Act – whether s…
-
Medibank Private Limited v Australian Information Commissioner [2024] FCA 117
PRIVACY – investigation by Australian Information Commissioner – breach of Australian Privacy Principles – own initiative investigation under s 40(2) of Privacy Act 1988 (Cth) – representative complaint under ss 36 and 38 of the Act – injunction to restrain investigation under representative complaint – separate Federal Court representative proceeding dealing with overlapping issues –…
