Lessons from the AFP’s privacy breach

Observations and actions arising from the OAIC's Determination on the Australian Federal Police privacy breach. The breach arose from a free-of-charge proof of concept involving 10 people.

Many companies run proofs of concept, but the AFP Determination is a high-impact regulatory action arising from a very small and contained proof of concept. It recalibrates how we must think about privacy compliance for proofs of concept.

The Determination is about what the AFP failed to do, not what a supplier should have done. So, assuming you can’t get a vendor to take much, if any, liability for a proof of concept (free or not), you will need to consider a privacy impact assessment and compensating controls that address the level of risk to individuals and the privacy compliance obligations relevant to the activity.

This may mean adjusting your internal procedures so that proofs of concept are now treated as a potentially high-risk privacy compliance exposure.

A privacy impact assessment is still not mandatory for private organisations in Australia (it is for Government agencies like the AFP), but the signal from the Commissioner is clear: not having one for a high-risk activity, even though it is not mandatory, isn’t going to be well received.

Sure, the AFP had some control measures in place, yet the Commissioner still found the AFP in breach because of the high-risk nature of the activity and the absence of appropriate controls to support the proof of concept’s compliance requirements.

Simply, the AFP didn’t do enough that the Commissioner thought was reasonable.

And now, in addition to the breach finding, the AFP has an independent assessor who must review the AFP’s privacy compliance systems and controls.

Happy Christmas.


Published by Brett

Brett is an experienced lawyer and business executive who focuses on commercial outcomes. He has worked across three sectors in England and Australia, advising on and leading initiatives in digital, media and technology.
