Standing Committee on Social Policy and Legal Affairs
16/08/2012

PILGRIM, Mr Timothy, Australian Privacy Commissioner, Office of the Australian Information Commissioner

FALK, Ms Angelene, Director, Policy, Office of the Australian Information Commissioner

Evidence was taken via teleconference—

Committee met at 8:50 am

CHAIR (Mr Perrett): I declare the meeting open. This public hearing of the House of Representatives Standing Committee on Social Policy and Legal Affairs inquiry into the Privacy Amendment (Enhancing Privacy Protection) Bill 2012. I would like to acknowledge the Ngunnawal and Ngambri people, the traditional custodians of this land, and pay our respects to the elders past, present and future. The committee also acknowledges the present Aboriginal and Torres Strait Islander people who now reside in this area and thanks them for their continuing stewardship. Please note that these meetings are formal proceedings of parliament. Everything said should be factual and honest, and it is considered a serious matter to attempt to mislead the committee. This hearing is open to the public and is being broadcast live, and a transcript of what is said will be placed on the committee website.

I now welcome the representatives from the Australian Office of the Information Commissioner to give evidence via teleconference. Would you like to make a brief introductory statement before we proceed to questions?

Mr Pilgrim : Yes, I would—thank you for that. I would just like to make some statements that I made last week to the Senate Legal and Constitutional Affairs Legislation Committee. I welcome the opportunity to appear before your committee today as well in relation to the Privacy Amendment (Enhancing Privacy Protection) Bill. I would like to make a couple of brief opening comments to the committee that relate to the submission we have put in and also draw on another issue.

CHAIR: Mr Pilgrim, I interrupt you briefly just to let you know that some bells will start ringing in about 3½ minutes. Some of the committee will leave and some will stay, so please make your comments truncated. I do apologise, but it is the price of democracy.

Mr Pilgrim : I fully understand, and thank you for letting me know. The introduction of the bill into parliament earlier this year marked the culmination of a long process of privacy reform that began with the 2008 report of the Australian Law Reform Commission. In that report, the ALRC emphasised the paramount importance of ensuring that Australia has an effective framework for the protection of privacy interests. There are considerable benefits in ensuring that the Australian and international communities have confidence in Australian government and business information-handling practices. This confidence will assist to ensure that Australia is not disadvantaged in a global information market.

Concerns about government and business information-handling practices have the potential to significantly influence consumer choices about whether or not to participate in the Australian economy. This is particularly so in an era when many transactions take place online, and government and businesses collect and store large quantities of personal information. So much of the future success of e-commerce and online transactions depends on the Australian community having trust that their personal information will be handled appropriately when they use those systems.

The need for confidence was the reason given by the then Attorney-General in his second reading speech for the act that introduced the National Privacy Principles in 2000. In that year, much of the private sector became subject to the Privacy Act for the first time. However, those principles and the other privacy protections in the Privacy Act were conceived in an earlier era. Globalisation, the digitalisation of information flows and advances in communication and surveillance technologies have created new risks to information handling and data security. We need to give the Australian and international communities confidence that the Australian privacy framework is equipped to meet these emerging challenges.

At the same time, I recognise that the Australian community, government and business want to access the benefits of this global and digital age and new communication technologies. Government and businesses provide useful and often essential functions and services to the community. They should not be unnecessarily hampered in that role. In this way, I recognise that privacy cannot be an absolute in the society in which we live. An individual's privacy needs to be balanced with other social interests, such as the interests of government and business in carrying out their legitimate functions and activities. The bill recognises this latter aspect in the object clause and provides a range of exceptions to information-handling obligations.

With these comments in mind, I welcome the bill and the enhancements to current privacy regulations that it proposes. I also appreciate the government's commitment to create a clear and simple framework for privacy rights and obligations. I support the intent to simplify the Privacy Act through the introduction of a single set of high-level principles, the Australian Privacy Principles, that apply to both the government and business.

In my submission to the committee, I outline some areas where I think that the APPs could be amended to better achieve the objectives of the reform—in particular, that the privacy rights and obligations are easy to understand and apply, and the protections are maintained, not diminished. While I consider that in many respects the bill goes some way to achieving simplification, the inclusion of some exceptions for particular government agencies or activities seems to unnecessarily add complexity.

Further, the intention to incorporate the concept of accountability into the bill is an important aspect of the reforms. In some instances, this will mean government and businesses remain accountable for the subsequent handling of personal information they send overseas. However, an issue that I have specifically addressed in my submission and about which I remain concerned is that this accountability may be displaced in some instances. For example, where an individual has consented to their personal information being sent overseas, they may not have access to remedies if their personal information is subsequently mishandled.

I support, though, the introduction of the new credit reporting provisions. The introduction of more comprehensive credit reporting is accompanied by enhanced privacy protection—for example, a prohibition on the reporting of defaults that are less than $100 and credit related information about children. The enhancements reflect the fact that the protection of personal credit information remains an important privacy concern for many individuals. In addition, the credit provisions have been restructured to reflect the structure of the Australian Privacy Principles and the information life cycle.

Finally, I welcome the additional functions and powers granted to the commissioner in the bill. These powers reflect the increasing importance that the community places on the protection of their personal information and the need for the protection of privacy interests in a digitalised and globalised world. They will assist me in addressing serious and systemic interferences with individuals' privacy and provide a clear message to entities that they need to take privacy seriously.

I am happy to answer any questions that the committee may have about my submission or other privacy issues more generally.

CHAIR: Thank you, Mr Pilgrim; that is a great introduction. I was wondering if you had seen the submission from the Australian Bankers' Association.

Mr Pilgrim : I am aware of it, yes. I do not know it word for word but I have seen it.

CHAIR: Okay. There is an issue with the Australian link provisions in the bill. ANZ, for example, has entities that operate, not surprisingly, in New Zealand and Asia—basically, all of the big four have entities, wholly owned subsidiaries, that operate overseas. They are concerned about whether, under the Australian link provisions, such entities would be caught and whether they would be able to utilise their employees in those wholly owned subsidiaries. Have you turned your mind to that aspect of it?

Mr Pilgrim : I certainly recognise that, in terms of how 'Australian link' is dealt with in the bill, it is not necessarily consistent. If I can just turn to the general application of 'Australian link' and how it applies to the act more broadly, there has been recognition through the explanatory memorandum that 'Australian link', where it relates to an organisation that has a presence in Australia, is also going to be bound by the act if it collects or holds information in Australia. That is the first point.

The explanatory memorandum has gone some way towards explaining that the use of the words 'in Australia' should be interpreted as 'from Australia'. It means that information collected by an entity that may be outside of Australia will be deemed to be covered by the act by lieu of collecting information from someone in Australia. Where the issue, I believe, gets a little more complex is when we turn to how it is interpreted within the credit reporting provisions.

Within the credit reporting provisions, the policy objective as stated is to restrict or prohibit foreign credit reporting organisations, firstly, from accessing the system and, secondly, from having information about credit that a person may have acquired from outside of Australia being reported on the system. If we go back to what I said initially, in that context, an Australian link would allow an organisation to participate in accessing any Australian's personal information—that is, if they have a presence in Australia or if they have collected information from Australia. If that is then transposed to the credit provisions, it is slightly contradictory to the policy intent that I just mentioned. So the explanatory memorandum is an attempt to explain that the concept of an Australian link will apply differently in the context of credit.

We believe there is some complexity there that needs to be dealt with in the drafting of the act—and the Attorney-General's Department may want to go into that in a bit more detail—because we think it is problematic in that it is going to be difficult for organisations who have a broad range of functions. They may be dealing with the credit side of the provisions but they may also have to apply the APPs more generally to be able to understand which aspect of 'Australian link' is going to apply to which aspect of their functions and practices. I think there is an underlying issue there and I can sympathise with the organisations about how difficult that may be, particularly in an environment where we do see business practices changing quite significantly.

The fundamental issue for me is what I as Privacy Commissioner would like to see, which is an approach that is as consistent as possible in the protection for people's personal information. That gets us back to organisations remaining accountable for what happens to the information that they hold, even if they think that, for good business practices or for providing efficient and cheap services to their customers, there is a benefit in transferring information overseas that can be a good outcome for the customers. But I would like to see that we ensure that the same level of protection travels as much as possible with that information, should it be processed offshore. Sorry if that was a little convoluted.

CHAIR: No, no. It is a complicated topic, so I appreciate that. I have to admit I have not read the act from beginning to end, but it certainly refers to the new powers for the Privacy Commissioner and things that you can do, which obviously means you are going to be a much busier person in the future. Would that be true to say?

Mr Pilgrim : I think it is, and our statistics are showing that there is increasing compliance activity occurring. We are just pulling together our statistics for the annual report for the last financial year and we have had, for example, at least an 11 per cent increase in the complaints that have come to us under the Privacy Act.

CHAIR: Sorry—11 per cent from when?

Mr Pilgrim : From the 2010-11 financial year to the 2011-12 financial year, we have had an 11 per cent increase in complaints. I would suggest that one of the bigger issues for us at the moment, and it is growing, is the investigation of quite large systemic data breaches. While those numbers have not increased, the complexity of the investigations, we are finding, is increasing because of the very nature of the systems we are dealing with.

So those investigations will get a little more intense for us, and that is the area that the new reforms, in terms of the changes to my compliance functions, are aimed directly at: our ability to resolve, and seek remedies for, those large systemic breaches.

CHAIR: Now, I did not read the budget papers in detail, but did you get an 11 per cent increase in the budget in the last year?

Mr Pilgrim : No, we have not had an increase in our budget.

CHAIR: Okay. Does the efficiency dividend apply to you?

Mr Pilgrim : Yes, the efficiency dividend does apply to us.

CHAIR: The Australian Direct Marketing Association submission queries whether you will have enough resources to be able to fulfil your role. If you look at page 9 of their submission, they are saying that it takes a long time to deal with their complaints. Are you particularly concerned about this?

Mr Pilgrim : It is certainly an issue that we are clearly aware of and focused on, and it will be the subject of some ongoing discussions between us and the Attorney-General's Department. However, like all organisations that get expanded functions, what we will be doing is assessing the best way we can meet those priorities. We will be reassessing the priorities within the office to make sure that we are best placed to undertake the introduction of the reforms. But I would stress that, yes, it will be a challenge for us and, as I said, it will be the subject of ongoing discussions between us and the department.

CHAIR: With the data breaches you talked about, could you tell me how things are changing? We have certainly seen media stories in the last year or two about major data breaches. How is the digital age—and the social media interconnected world as well, I guess—presenting extra challenges?

Mr Pilgrim : It is posing quite a number of challenges, not just for us but obviously for privacy regulators around the world. That stems primarily from the sheer volume of data that can now be collected. It is being referred to more globally now as 'big data', and it is the ability for huge and vast amounts of data on individuals to be stored and collected—amounts that none of us would have dreamed of even 10 years ago. That allows various components of our lives to be brought together into various databases that can be amalgamated quickly and used for profiling.

While I would be the first to say that those large amounts of data being collected can often in themselves provide huge benefits to people, making their lives a lot easier in dealing and transacting online, they can also, however, put at risk that data when, at the same time, we are seeing a growing number of, shall we say, people with malicious intent who want to hack into systems and who see that huge amount of data as a honey pot. So the Privacy Act requires organisations to take reasonable steps to make sure that that data is secure. Some of the concerns we have seen coming out of these data breaches over the last 12 months is that perhaps there has not been as much focus as there should have been by organisations on putting in place the best processes to protect that information by way of security systems, or on making sure that, when they are developing their systems, they take that first step of building in privacy protections upfront, not leave them until the end and then try to bolt them on when something goes wrong. So we try to provide guidance to organisations on how they might be able to do that through undertaking privacy impact assessments. We will also be providing guidance, as we go down the path of the reforms, by outlining what we think are reasonable steps for putting the right security protections in place.

To sum up, it is the vast amount of data that is flowing around the world that is becoming a challenge, but I do not believe it is an insurmountable challenge, and organisations need to realise that people will lose trust in them if they see their data being mishandled or misused and will start taking their business elsewhere. So there is a benefit in organisations putting in good privacy practices upfront. A phrase we use is 'good privacy is good business'.

CHAIR: There are a couple of submissions that are pretty harsh on you, criticising you for inaction when it comes to resolving disputes and suggesting that there is a real reluctance on your part to make determinations. Obviously, determinations can be appealed. The Australian Privacy Foundation, in their submission, say that you have a real reluctance to make determinations and that the right that you have to do so is meaningless unless an individual has the right to require you to make a determination. Would you like to see that in there? What is your view on this suggestion from the Australian Privacy Foundation?

Mr Pilgrim : In response to a couple of those issues, the first thing I would say is I do not have a reluctance to make determinations. The approach that we take in the office, and that the commissioners preceding me have taken, is that we try to resolve the complaints that are brought to us through methods under alternative dispute resolutions processes—that is, we try to conciliate. I am firmly of the view that some of the best outcomes we can get are when we bring the parties together in as informal a process as possible to try and work through the issues. I would be the first to agree that there are times when our processes could be a little more efficient and probably faster, but those are issues that we continue to work on. But our starting point is that we believe we get good conciliated outcomes in the vast majority of complaints and have done so over the years. I am sorry if this answer is long; please feel free to cut me off—

CHAIR: It is not like question time, Mr Pilgrim: we will let you have a fair run!

Mr Pilgrim : Thank you! So the process for us is that we try to bring the parties together, and what we have found over the years is that, in the area of privacy, the vast majority of the outcomes of those conciliations have been that people are happy with the organisation apologising to them where there has been a proven breach, undertaking processes to remedy the system if there was a systemic fault, undertaking training, reviewing policies and those sort of things. Yes, there have been cases through the conciliation process where there has also been compensation provided as part of the resolution, but certainly not in the majority of cases. I would suggest—I can check the figures if you need them—about 10 to 15 per cent of our conciliated matters come to a result that does have compensation. But, generally speaking, people are happy to work with the organisations.

There have been a number of determinations made. I think there are only nine in the life of the act. I did one in December of last year which the committee may be aware of, which was to resolve a fairly protracted complaint. I found the organisation in breach in that particular case and I asked for three things to be done as part of the determination. I asked the organisation to apologise, which they did; to undertake a renewed training process of their staff, which they did; and to pay the individual $7½ thousand in compensation, which they also did. The reason I mention that specifically for the committee's information is that, had the organisation not complied with my determination, that would have been the trigger for me to then go to either the Federal Court or the Federal Magistrates Court to have that determination enforced. So I have to seek enforcement through the courts, as is appropriate. The concern of the Privacy Foundation in that regard is that, although the organisation may have complied with my determination—as they did here—the complainant may still be unhappy with either the outcome or the quantum of the compensation, but under the current process they do not have the right to a merits review of that decision. There can only be a merits review of the determination should the organisation fail to comply with it. However, one of the reforms that has gone into the bill introduces a right of review of the determination itself through the AAT; so the bill has added an additional process of review for the determination.

I understand that the other aspect of the privacy advocate's concern is that the individual does not have a right to require me to issue a determination, and I am not convinced that that is necessarily a power or a function that should be within the act. We have the ability to attempt to conciliate the complaint in the first instance and the act requires me to do this. That is set out in section 27 of the act. We have done that in the vast majority of our cases. Once we have done that, and we have decided that the matter has been resolved or conciliated, then we can close it under a number of different powers. One of the powers that we do use in the act is to close it on the grounds that the matter has been adequately dealt with. That is the most commonly used power for closing under the act after an investigation, and I would stress to the committee there is also a review right there, under the AD(JR) Act. If I was to close a complaint on the basis that I formed the opinion that following the conciliation there had been a fair offer made, and I believed it would reasonably deal with the issues raised, but the complainant is not happy then they are able then to take the matter to the Federal Court under the AD(JR) Act. So there are a series of processes, without me going through a number of others, by which any decisions I make can be reviewed already.

Mr NEUMANN: I have three questions. Firstly, could you address the quantum of compensation? Secondly, do you use precedent when you determine compensation? Thirdly, what are the circumstances in which compensation would be awarded by you?

Mr Pilgrim : Just for clarification, I assume, in this context, that we are talking specifically about individual complaints?

Mr NEUMANN: That is right.

Mr Pilgrim : There is no limit of quantum, theoretically, that I could award under a determination. There are no limits set by the act for the purposes of a determination for an individual complaint about quantum. However, flowing into the second part of your question, in doing that we look to precedent in certain similar fields. Because there has not been a lot of public or judicial review of these particular cases, we look at areas such as the human rights jurisdiction, where the Privacy Act originally emanated from—the former privacy office was originally part of the Human Rights Commission—as well as similar jurisdictions in the states and territories in determining what may be an appropriate precedent to help us set quantum and take those into account.

We also, in the act, have the ability to look at whether a person has suffered financial loss and can determine that, and that will also help us to establish quantum. The act also talks about awarding compensation for hurt and humiliation, and also for the purposes of reimbursing reasonable costs that may have been associated or incurred by the individual, in dealing with their complaint. So we take those sorts of issues into account in determining quantum and looking at other jurisdictions. The third part, if you might remind me of your question, was around circumstances?

Mr NEUMANN: Yes, the third part was about the circumstances—for example, in a personal injuries jurisdiction, the loss of amenities of life and permanent disability and the extent of that. The more egregious ones would result in higher damages for personal injuries. For example, in defamation law, which I used to do when I was practising as well, the worse the defamation was, the higher the award. What are the circumstances in your case in this jurisdiction where you would award compensation of a higher amount?

Mr Pilgrim : As I do not need to tell you, it is going to be determined by particular cases. There are many examples we can probably use. I just return, firstly, to the declaration which is issued under the determination. It is there to redress any loss or damage suffered by the complainant.

It can also be, as I said, for hurt and humiliation. In the context of the determination I referred to—it is on our website for the committee's purposes—last December, in that particular case sensitive information about the individual, who had a gambling problem, was released directly to their ex-partner under an out-of-date subpoena, rather than to the court, about the individual's gambling habits at the particular club. That information was then given to various family members and friends of the complainant. In that situation, we then had to look at similar cases in terms of human rights jurisdiction and the like to come up with a reasonable figure which recognised the hurt and humiliation suffered by that individual in that circumstance. We do go to that level looking at cases like that for determining a reasonable amount of compensation. When we look at some other aspects, we have had cases where we have conciliated them and, again, being cautious here, not trying to identify a particular organisation—

CHAIR: That is a good idea. There are 15 people listening to you as well.

Mr Pilgrim : And I can assure you there are a few more elsewhere! We have had a few cases, unfortunately, where individuals have been in some personally dangerous circumstances—they may have had AVOs taken out against ex-partners—and for that reason had their address and contact information restricted, hidden, and that has been revealed. In cases like that, in which I am pleased to say we have been able to conciliate an outcome rather than having to go to determination, the organisations involved have in some cases gone to the extent of relocating the individual, assisting them with that, assisting them to put in place new security systems and taking other steps to make sure, to the best extent possible, that they remained at the particular address and that it was taken from other records. We also look at those sorts of situations, where there needs to be practical steps taken to come up with what could be termed compensation in resolving these matters.

Mr NEUMANN: That is extraordinarily damaging and revealing information, very helpful to the ex-partner in a section 79(4) application for negative contribution in a family law property settlement. That was a really damaging piece of information. I could see why you awarded compensation there. Thank you very much for that; that was very helpful.

Mr Pilgrim : We did not award compensation but we negotiated through conciliation between the parties.

Mr NEUMANN: They were very lucky they did not seek compensation there.

Ms ROWLAND: As a former practitioner in this area, I would often be asked by clients about the practical implications of potential or actual breaches. Having gone to a number of seminars over the years and looked at case studies, my weighing up of advice would often include, 'If it looks as though you are dealing with the problem, if you have notified the Privacy Commissioner, if you have systems in place to show that this was inadvertent and you look as though you are cleaning it up, then you are probably going to be okay.' I would like your view on the failure of systems as a defence to any contravention and whether the amendments will have any impact on that. I am particularly thinking—again without naming any companies—of high-profile cases of large corporations who have left boxes of records and personal information in dumpsters which have then been found. On one hand you can see how this may be inadvertent but on the other hand, if these get into the public arena, it is a serious breach of trust and privacy in many people's eyes.

I would like to know about your practical approach to complaints handling and whether you think that there will be any impact on that as a result of these amendments.

Mr Pilgrim : Thank you for that. There is quite a number of areas that I would peel off, but I would start by saying this. In the context of, firstly, data breaches, as we refer to them, they have been becoming more prevalent in recent times. One aspect I would like to come back to is probably the issue which is not dealt with under these reforms, which is about mandatory data breach notification. But coming back to how we approach these issues, we find out about data breaches in a couple of probably obvious ways. One is that increasingly organisations are coming to us voluntarily and notifying us that they have had a data breach, and hopefully they have been looking at and using the data breach guidelines that we have on our website to assist them as to how to approach handling these issues.

So if an organisation comes to me initially and says, 'We have had this data breach,' what I hope they would be doing at the same time—and the vast majority do—is say, 'We've had this breach. This is what we believe the impact has been to our customers. Here are the immediate actions we have taken to stop the breach happening or to limit it from happening any further. Here's what we are doing by way of notifying the individual.' So it is if they have done a risk assessment, and I stress this is if it is necessary. It is not going to be necessary in every case but they may need to notify all the reasons why they are not and what steps they are going to put in place in the longer term to try, to the greatest extent possible, to prevent it from happening again. If an organisation comes to me and says that and if they are putting what seem to be reasonable steps into place to do those things, then I would generally ask them to provide that to me in writing and to organise to get a follow-up report from them about the fact that they have implemented the additional steps they are going to be taking and whether or not there have been any significant issues or impacts on individuals raised. Having got that information, I would not necessarily then open a formal investigation. I think it is not necessary at that point until such time as I get a final report which will tell me that the organisation has implemented everything it said it was going to do and they were addressing the main nub of the issue, whether it is a broad systemic issue or something else.

The second way we find out about data breaches can be through the media coming to us when something has been leaked to them or when they have found out about it or through some other third party. In that case I am more than likely to approach the organisation because they have not come to me in the first instance, to open an investigation pretty well immediately on the basis that I have found out from a third party and I have not been told about it and I want to actually require them to give me information. So by opening a formal investigation I can then use the other investigation powers I have to require them to provide me with information by law—such as what is the extent of the breach, how it did happen and what they are doing—and then do a more formal investigation.

So what we try to encourage is this. For organisations it is firstly to have in place processes that will limit the likelihood of a breach, obviously, through undertaking privacy impact assessments when establishing new systems — as I said earlier — and building in good privacy protections in the first place. But I think what we are seeing is that there are situations, as I said before, where there are people with malicious intent who are trying to hack in, and unfortunately these things do happen. But where an organisation can demonstrate that it is taking these steps to try and limit the impact of the event, whether they can demonstrate that, for example, they have put in the best standard or the highest standard of systems protection such as those highlighted through international standards organisations, I certainly take that into account and have done so in some of the more high-profile investigations that we have done in the last 12 months where, say, we have had investigations into Sony — and there was one into Dell — and where we have asked them to be able to demonstrate to us that they did have international standard level systems.

CHAIR: I am sorry, Mr Pilgrim, but I have to interrupt you for a minute to ask a member to move that a subcommittee consisting of the chair, Dr Stone and Ms Rowland be formed.

Dr STONE: I so move.

CHAIR: Thank you, Dr Stone. As there is no objection, it is so resolved. Sorry, Mr Pilgrim.

Mr Pilgrim : That is okay. In that regard we did find, for example, that the organisations had taken reasonable steps, or their best steps, to have those protections in place in the first instance and, therefore having met that, not finding them in breach. If I then transpose that to the last significant report I put out, which was into a breach by Telstra in about December of last year—and we put out a public report a few months ago on that—where we did find Telstra in breach because I did not believe that it had taken the appropriate steps to ensure that it put in the right privacy protections and that their internal procedures were met in developing a system to manage their BigPond broadband information. That is an example of where we did not think the right steps were taken and therefore found an organisation in breach.

Where that leads us to in the changes to the current act under the amendment we have before us is that, for those broad systemic complaints, if I can go back to these determinations we talked about in an earlier question, I have those powers to ultimately resolve the matter through a determination if we think it needs to get to that point. The December one is an example of that. For the committee's purposes, while I cannot discuss the name of the organisation, we have another one on foot at the moment. However, those individual complaints can be resolved through those determinations.

But one of the, I suppose, oddities of the current act is that when I am dealing with these bigger, broader systemic breaches, such as the one I mentioned on Telstra, on Sony, on Dell, I actually do not have any remedy powers. I can only work with the organisations to come to an agreed outcome. I can find them in breach, as I did in the Telstra matter, but I can only then say, 'This is what I think you should do to improve the situation.' I cannot actually force them to do anything at the moment. That is a set of powers or functions that I think has been missing from the act for some time.

What the bill does is it gives a new raft of remedy powers, starting with the ability to do a determination under what we call an own motion investigation—that is, one that I start myself without an individual complaint. It also then gives me, importantly, the ability to get written undertakings from the organisation as part of the remedy processes and, if those undertakings are not complied with, allows me to go to the Federal Court or the Federal Magistrates Court to have those undertakings enforced. The third tier of those new powers, where it is a serious or repeated breach, would be to go to the court to seek civil penalties. I think that sends, as I said in my opening statement, an important message to all entities that are going to be covered by the act and to the community that privacy is an important issue and it is one the community is getting more worried about with the prevalence of online transactions.

One of the phrases that came up a number of years ago when I first started in the area was from a very senior person in an international company who said that with the growth of technology basically privacy was dead and we should all just get over it.

CHAIR: You cannot name that person, obviously.

Mr Pilgrim : I can actually, because it was in a public speech. It was a gentleman by the name of Scott McNealy, who I think was either the CEO of Sun Microsystems at the time. It was in a public speech; it was not something that was said privately. This gets back to a question that was asked earlier related to social media. We are seeing people dealing more and more online. Facebook, for example, has 900 million-plus people participating at the moment, yet we are not seeing people's concerns about what is happening to their personal information go away in that way. We are still seeing our complaints growing—the number of people coming to us about matters on our inquiries line through written inquiries. Our written inquiries went up in the financial year just finished in comparison to the previous financial year by 34 per cent. So we are seeing a lot of interest still growing and people having the expectation that their personal information will be protected, even when they are, as we see regularly, participating quite openly on social media platforms such as Facebook. The issue is not going away. I should probably stop there or I might sound like I am lecturing you. Sorry.

CHAIR: That is alright. Thank you, Mr Pilgrim and Ms Falk, from the Office of the Australian Information Commissioner. We appreciate your evidence and thank you for taking the time to present to us today.