Social media websites could find themselves in court if they breach Australia’s Privacy Act now that the Privacy Commissioner has been granted new powers to take breaches to court.
The new powers allow the Privacy Commissioner to accept undertakings from companies which can be enforced in court; make a determination in own-motion investigations, where a complaint has not been lodged by an individual but the Office of the Australian Information Commission (OAIC) has received third-party information of breaches; seek civil penalties for serious or repeated breaches; and carry out performance assessments on private sector organisations.
Timothy Pilgrim, Privacy Commissioner at the OAIC, told Computerworld Australia that social media websites, like other organisations, need to have appropriate protections in place to protect users’ personal information.
He said the new powers coincide with “an obligation for organisations to be much clearer about how they are collecting information and what they are going to do about it.”
According to Pilgrim, “If they fail to meet that, then we would be looking to work with the organisation to fix those policies and again, we could look at getting written undertakings from them to do that and failure to comply with those could result in us taking action through the courts.”
However, he said users of social media websites also have to ensure they adequately protect themselves.
“Often when we’re dealing with social media sites we do find that individuals don’t necessarily have the strongest privacy settings in place,” Pilgrim said.
He said while the new power to take organisations to court for civil penalties may be a deterrent for companies breaching the Privacy Act, it will be a last-resort action and would only be pursued when organisations had failed to improve their systems after being alerted to a breach.
“My approach will be first of all, as we do currently, try and work with organisations to come to an agreed set of undertakings, which happens in a number of cases to resolve the issue,” Pilgrim said.
“What I think will occur is that we will see a stronger message being sent to both Australian government agencies and private sector organisations about the importance of ensuring that they have good processes in place before something goes wrong, because these new powers will give us new remedies to enforce the laws if something does go wrong.
“I would certainly hope that if we identify that an organisation was in breach of the Act, they would immediately take steps to remedy it because at the end of the day, it will not be a very good public relations exercise for an organisation not to comply with the Privacy Act.”
Pilgrim said how long organisations would have to fix their systems after being found in breach of the Privacy Act would depend on the type of breach.
“We would have to look at the size of the systems rebuild that may need to occur, and we would take that into account, obviously while we’re working with the organisation. It could be something that is easily fixed through to something that may require quite a large wholesale systems rebuild,” he said.
The new powers are part of the government’s reforms to the Privacy Act 1988, which will be introduced in the winter sitting of parliament.
The OAIC also recently announced updates to data breach notification, in conjunction with Privacy Awareness Week 2012.
Follow Stephanie McDonald on Twitter: @stephmcdonald0
Follow Computerworld Australia on Twitter: @ComputerworldAU