The Privacy Commissioner has, in the last couple of months, begun implementing a policy of publicly naming companies that have been found to have breached the information privacy principles in the Privacy Act 1993. The Privacy Commissioner's Naming Agencies in Public Reports Policy came into effect in December 2014, and is intended to encourage agencies to comply with the Privacy Act. In developing the Policy, the Privacy Commissioner stated:
"We think it is time to ‘name names’ where it is warranted. Our view is that in certain circumstances, the Privacy Act is better served by revealing the organisations that have breached the law."
The Policy does not mean that all agencies that breach the privacy principles will automatically be named - rather, the Policy sets out the factors that the Privacy Commissioner will take into account in deciding whether to name an agency. Those factors include the seriousness of the breach, the number of people affected, whether there have been repeated breaches, and whether the agency has demonstrated an unwillingness to comply with the law. A key consideration will also be whether, in the circumstances, the public interest would benefit from identification of the agency, due to its deterrent effect, educative purpose, or other reasons.
The naming of agencies comes at a time when the Privacy Commissioner is continuing to raise concerns about the effectiveness of the enforcement framework set out in the Privacy Act. The Government has, for some time, signalled that it intends to introduce a Privacy Bill to replace and modernise the Privacy Act. The Government has indicated that the Bill will include stronger powers for the Privacy Commissioner, mandatory reporting of privacy breaches, new offences, and increased fines. The naming of agencies will, in the meantime, be a useful tool available to the Privacy Commissioner to encourage compliance with the Act because it does not require a legislative change.
We will provide a further update when a new Privacy Bill is introduced.