On Wednesday, February 21, 2018, I interviewed Australian Privacy Commissioner Timothy Pilgrim for the Sydney Morning Herald about the Notifiable Data Breaches scheme, which came into effect on Thursday, February 22 and requires companies and government entities to report data breaches to the Commissioner and notify consumers if their data has been breached and it could cause “serious harm”.
Below is a transcript of that interview, which I paid to have transcribed using Rev.com. The associated story will be available on the Sydney Morning Herald website and other Fairfax metropolitan sites on Friday, February 23.
The transcript has been lightly edited for readability, brevity and clarity. If you spot any typos, flick me a note using my contact page.
Ben Grubb: Is it okay if I record for my notes?
Timothy Pilgrim: Yes, it’s okay to record.
Ben Grubb: Great. Okay, so … Privacy laws. Now, when do they come into effect, the data breach-?
Timothy Pilgrim: The notifiable data breaches scheme comes into effect tomorrow, the 22nd of February.
Ben Grubb: Great. Now, the first question that I guess I have about them is … A lot of people, a lot of the security companies have done a few surveys, of the business community in particular, and they say that no one is prepared, pretty much. Not that no one is prepared, but a majority of the population of the business community seems to be unprepared. Is that what you’re seeing, as well?
Timothy Pilgrim: It’s not necessarily what I’m seeing. I certainly haven’t had the opportunity to talk to the vast array of different sectors, in their entirety, but I’m aware that a lot of the large sectors around finance, and telecommunications companies, and the like, have done a lot of work in preparing.
Our office has been supporting the entities covered [by] the Act, and getting ready by having resources, and guidance, released during last year as well, and we’ve been taking every opportunity we can to have conversations, and presentations, speeches … Meeting with some of the industry associations, to get the message out through those avenues.
Ben Grubb: Great. How well resourced is the privacy commissioner’s office, to actually educate, enforce, and investigate these new laws?
Timothy Pilgrim: We have a set amount of resources and staff, as you’re aware, in the office, to undertake the whole of our regulatory responsibilities. Those are both the Privacy Act and the FOI Act. At this point in time, I have not received any additional resourcing … For the notifiable data breaches scheme, so we will be looking to prioritise the work, as we do across all our jurisdictions, to deal with priority issues in the future.
Ben Grubb: One way that anyone can, I guess, determine how serious a government is or not, about new laws, is whether they allocate new resources or funding to such laws. Have you been allocated … I guess you answered your own question there. Have you been allocated any new funds, or resources, to police these new laws?
Timothy Pilgrim: I haven’t received any additional funding, to date, for the notifiable data breaches scheme. The allocation of funding, resources to government agencies, as you would understand, is a matter for government. What I will need to do, in the absence of any additional resourcing, is take a priority approach to all our work, and ensure that we’re dealing with those issues which are identified as being the key priorities.
Ben Grubb: Does your agency primarily operate in a reactive, or a proactive, approach? Or, will … Sorry. Will it act in a proactive or a reactive approach, in terms of these new laws?
Timothy Pilgrim: Well, in terms of what we’ve done to date … As I’ve mentioned, with the passing of the bill last year, we immediately dedicated some staff to start developing, in tandem with industry and the government sector, the resources that we believed would be essential for them to understand the scheme. So that, by the end of 2017, we had a whole suite of resources out, for industry and government agencies to use, so that they could prepare themselves for the commencement date.
So, from our perspective, we treated that aspect of it, that proactive approach, as a priority, and again, we’ve just released … We’re about to release another consolidated guide to notifiable data breaches. So, in that regard, we’ve been on the front foot, to get information out there as quickly as possible.
Ben Grubb: Now, I guess, at the moment, the approach is that companies voluntarily choose to disclose breaches to you. If they choose to disclose to you now, does that get rid of the risk that they would be fined?
Timothy Pilgrim: The … There’ll be a number of ways in which we will look at the information that comes in to us. If an organisation notifies, under the scheme, that they’ve had a data breach, and they follow the procedures through, we will, of course, be assessing each of those notifications that come through. And if they’ve met the obligations of the scheme, which is to notify the affected individuals where there’s a likely risk of serious harm, and notified my office, then they will have met those aspects of the scheme.
However, what … will be incumbent upon us, as well, is to look to see whether we think there are any other issues that may be underlying, within a particular breach, that we may need to take a further look at, using some of our other regulatory powers.
So, the penalties in relation to not complying with the scheme would come from a situation, for example, where a company doesn’t notify, where there is a likelihood of serious harm, and do not meet the requirements of the scheme there. We would be following those through a mechanism. Say, for example, if an individual became aware that their information had been breached, there was serious harm. Then, we would investigate why those individuals hadn’t been notified, and why my office hadn’t been notified.
Ben Grubb: Would you say that there’s a culture of cover-up, when it comes to data breaches in Australia?
Timothy Pilgrim: I can’t answer whether there is a culture of cover-ups at all. This is going to be something that I think we’ll see play out with the mandatory scheme. Under the voluntary scheme in the last financial year, we received 114 voluntary notifications of breaches. I just don’t have the figure off the top of my head at the moment about what we’ve seen in the year to date, but we can get that for you if that’s useful.
But, I think it’s going to be a process of seeing what starts coming forth, when you have a mandatory notifiable scheme, which does have penalties attached to it. I mean, we can look overseas to other jurisdictions, and see what some of the examples are there, and the one that comes to mind is, the Dutch DPA’s office has a similar scheme. And in the first 100 days of operation, they received 1000 notifications.
Ben Grubb: So, you expect that there will be an increase in-
Timothy Pilgrim: I expect there will be an increase, certainly, with a notifiable scheme. I’m hoping that that increase will be most on sound decisions around identifying only those breaches that are likely to result in serious harm, because one of the things I’m concerned [about] not to see happen is that there is a situation where … Breaches that may not be likely to cause anyone any harm, start being notified to people, and this could lead to notification fatigue.
And the one thing we don’t want to see is notification fatigue, where the community just gets so many notifications, that they miss out on the really important ones, and don’t take other steps that they could to protect their information, as a result.
Ben Grubb: Now, resulting in serious harm … What does that mean?
Timothy Pilgrim: Resulting in serious harm … Well, serious harm can manifest in a number of ways. It can be through financial harm, so, someone’s account’s been at risk in a financial institution. It can be psychological or emotional harm, for example, if someone’s health records were breached. There can be reputational harm, if the wrong information gets out, as well.
So, these are going to be fairly contextual, because while they’re some examples of the harm that can happen, you then need to take into account, as well … Firstly, where has … For example, where has the information gone? If, for example, some information has gone from an organisation, but to, say, one individual who has identified that they’ve received for the guys of the company, and undertaken to return it, and haven’t done anything further with it, and the company can be confident in that … It could be that there’s a mitigation strategy that wouldn’t likely result in serious harm to an individual.
So, there’s going to be a whole lot of context, and we draw that out in some of the resources that we have developed and put out for organisations, so that they can step through that process.
Ben Grubb: Do the laws apply to government agencies?
Timothy Pilgrim: Yes, the notifiable data breaches scheme applies to all entities covered, currently covered, by the Privacy Act, so that includes the majority of the Australian government agencies, and all of those private sector organisations that fall under the coverage of the act.
Ben Grubb: Okay. And have you received, ever, voluntary breach notifications, I guess, if I’m going to call them that, from government agencies in Australia?
Timothy Pilgrim: Yes, we certainly have. I don’t … Again, sorry, don’t have those numbers to hand, but we do, are able to break up the voluntary notifications we’ve received by sector.
Ben Grubb: Yeah. And those ones that have been reported to you … Have they then notified affected individuals?
Timothy Pilgrim: It would depend on the particular case. We have … We would’ve had cases where they have notified us, but not necessarily felt that there was a need, in the particular circumstances, to notify individuals. I’m sure that has been the case. Again, I just can’t think of any off the top of my head, immediately, but I’m sure that would’ve been the situation.
Ben Grubb: Have you ever been concerned about receiving a breach notification that … That the party who’s reported it to you, has then not, then … Or, sorry, has then not gone on to inform the affected parties?
Timothy Pilgrim: Look, again, Ben, I’m sorry, I just can’t think of a particular case that brings that to mind. I’m not saying that that may not have happened, but at the moment, I just can’t think of one that comes to mind.
Ben Grubb: Yeah, okay. So, presumably, the ones that do come to the … To your office, are so … You know, they’re coming to your office because they are quite, quite important breaches to notify an authority of. Or do you get, sometimes, data breach fatigue yourself, for people in this game?
Timothy Pilgrim: I think what’s been a really useful outcome for us with the voluntary scheme, over the last number of years that it’s been in place, is it has allowed us to use the … The types of breaches that are being brought to us as examples, for the guidance we’ve been developing under the mandatory scheme. So, there will have been cases where an organisation, or an agency, might’ve come to us and said, ‘Oh, we want to report this particular breach’, and when we’ve looked at it, we’ve thought, ‘Well, it’s good that they’ve reported that, but, you know, if we had a mandatory scheme, would it have made that threshold?’
So, I would suggest that there would’ve been, undoubtedly, some cases where we thought a notification wasn’t required. So, I would say that, again, that’s been a useful process for us over the last few years, as I said, to build up this sort of background, and this knowledge, to inform how we can get this sort of guidance, now that the scheme is going to be mandatory.
Ben Grubb: Anecdotally, how many would’ve reached the threshold that these new laws require?
Timothy Pilgrim: Look, again, Ben, that’s a very difficult question to answer in terms of having to remember everything … Every case, and to try to work out which ones might’ve been required notification, I really have to … You’d have to go back and look at every one individually.
Ben Grubb: Fair enough. The funding that your office received, what is it, exactly?
Timothy Pilgrim: Now, that is a difficult question.
Ben Grubb: Because you seemed to be operating with no funds, for a period of time.
Timothy Pilgrim: Well, yeah, that was due to the process of going through with government about understanding the part of the OAIC, setting up a new office for privacy commissioner. And there is … Parts of our resourcing was re-allocated.
To answer your first question, we can come back to you, if you like, with the exact figure. But, that would probably be better. I mean … It’s broken up into different components. So, for example, we get in excess of 10 million dollars a year direct from appropriation, but we also get funds through some other memorandums of understanding, to undertake particular functions, as well. So, if you’re happy, we can come back with a little bit more of a precise figure.
Ben Grubb: That would be very helpful.
Timothy Pilgrim: Yeah. So, in terms of operating without funds, if you’re referring back to the period after, in 2014, when the government, at that point, wanted to disband the office in its current form, and have FOI handled differently … There was a period there where some funding had been moved to other agencies, to pick up some of the functions, but that has since been pretty well returned to our office, with the government decision that it wouldn’t disband the OAIC, and that we would continue on with both privacy and FOI function.
Ben Grubb: Compared … When looking at other countries, like the Dutch, what … Do you believe that your office has enough funds to adequately investigate privacy breaches in Australia?
Timothy Pilgrim: Well, we always … We are always undertaking our regulatory functions as a starting point. So, we do get … When we get complaints in, when we need to do investigations, we do commence those processes. One of the challenges ahead for us, in both our jurisdictions, is that we are seeing an increase in the number of complaints coming to us. I think we had, and we can double-check the exact figure … In the last financial year, I think we had approximately a 16% increase, again, in the number of privacy complaints and investigations coming to us.
And on the FOI side, where I had the responsibility to undertake reviews of government agency positions not to release information, we’ve had somewhere in the vicinity, in the last financial year, of around 26% increase in the number of applications.
So, at the moment, we do have a waiting time for some of those complaints, but we are also able to demonstrate that, year-on-year, we’ve also increased our output. It’s jumped up, the amount that we have increased by. It is not necessarily matching the increase in the number of matters coming to us.
Ben Grubb: Yes. And with those increases year-on-year, presumably, you’re not also getting an increase in funding, except for the 2% or 1% government … It’s a cut, isn’t it? Each year?
Timothy Pilgrim: That’s right. You’re thinking our efficiency dividend, but it’s virtually a cut.
Ben Grubb: Yes.
Timothy Pilgrim: It would be lovely if it was the other way around.
Ben Grubb: So, would it be correct to say … And this is correct for every, or most, government agencies, except for defence, that every agency in government is actually getting less funds each year, and more … And, in your case, more work.
Timothy Pilgrim: Well, certainly, we are subject to the government’s efficiency dividend. So, yes, our budget is reduced by the amount of the efficiency dividend each year. And, yes, we are having, seeing, a significant increase in the work coming in to us.
Ben Grubb: Now, I heard that you are retiring.
Timothy Pilgrim: I am.
Ben Grubb: Why?
Timothy Pilgrim: Well, basically … You can make it all about me. I’ve been in the APS, for the public service, for 34 years now. And I’ve spent the last 20 years, since I was appointed initially as the deputy privacy commissioner, in the privacy office, and then, obviously, the OAIC, when we picked up the FOI responsibility. And I think, like anyone after that time, I’ve just taken the opportunity to look and say, ‘I think I’d like to do something else now’. So, I’m in the fortuitous position where I can retire. So, I’m going to take that opportunity.
Ben Grubb: Great. So, it is retirement for now, but are you looking for further opportunities?
Timothy Pilgrim: I would have to say that, having never had a … I don’t mind if you use this. Having never had a particularly long break in those 34 years, the first thing I’m looking forward to is actually being able to stop, and to see what it’s like to actually have a long break.
Ben Grubb: Yeah.
Timothy Pilgrim: So, I’m … If you want another answer, I’m not actively looking for anything outside.
Ben Grubb: Okay. The … Just going back to, I guess, the landscape that we see with the privacy breaches at the moment. There were a number of large ones, I mean, Uber and so forth, but then we also see things like GoGet and Catch of the Day, where … They hold these breaches back. GoGet seemed to have an appropriate reason for holding it back, in order to, I guess, get the hacker. But in the instance of Catch of the Day, I think that there was someone who was affected by it, who was talking to the media, which then forced their hands.
Do you think that … That, I’m just trying to think of what my question from that is. But, do you think that we’ll start to see … Do you think that the laws will be scary enough for people to actually report these breaches to you, or do you think that they might just hold back?
Timothy Pilgrim: I think that the regulation will have an effect, that it will change some organisations’ attitudes to reporting breaches, because at the end of the day, there are penalties applicable, should they not be quick on meeting requirements, that they act.
However, I’d also strongly suggest that, in this day and age, consumers would be much more savvy about what’s happening with their personal information. We saw, for example, through our last year’s privacy … Community Attitudes to Privacy survey, that 58 per cent of people said that they decide not to deal with an organisation, because they don’t trust them in terms of how they handle their personal information. So, I think the risk of a loss of customer, and a loss of trust of your customers, is another big issue that companies need to consider, when they’re responding to the notifiable data breaches scheme.
Ben Grubb: In Australia, these are civil penalties, correct?
Timothy Pilgrim: That’s correct.
Ben Grubb: Overseas, are there any jurisdictions where these are criminal … There are criminal penalties?
Timothy Pilgrim: I’m just not aware, off the top of my head, Ben.
Ben Grubb: I’ll research that, but I’m just curious. So, putting that aside, do you think that directors should face some sort of obligation, or that it should be clear to them, that this isn’t just a financial impact, if they’re … Like, I guess there’s some element of negligence here, if they’re not disclosing these things. And in the financial sector, it seems a lot clearer, but … Do you think that there should be criminal penalties for people who, or for company directors who know of breaches, or boards who know of breaches, that do cause serious harm, but they choose not to disclose them? Yeah.
Timothy Pilgrim: Look, I think there would be a raft of responsibilities already, that directors would hold, in terms of what they need to be disclosing, under a number of jurisdictions and laws. In respect of the notifiable data breaches scheme, my view would be, at this stage, that we should see how this plays out over the next 12 months, so that we can get a picture of how business and government is responding to the scheme itself, before we start to look at whether there might be other avenues or remedies necessary.
Ben Grubb: Yeah. How many staff does your office have?
Timothy Pilgrim: At the moment, I believe, and again, we can come back to you on this point, that we have … I think it’s about 75.
Ben Grubb: Equivalent, full time?
Timothy Pilgrim: I think it’s actually something like 74.2 full-time equivalent, but we can confirm that for you.
Ben Grubb: Yeah. And how many of those … Do they have shared responsibilities between privacy, and … Or, how many work on privacy?
Timothy Pilgrim: I’ll come back to you on those as well, how many work exactly on privacy. But … We obviously have a number of staff, out of those, that number, that are dedicated to doing FOI work, in terms of the Information Commissioner reviews under the FOI Act. And again, just off the top of my head, the number of those, I think, is around 15, but we can confirm that, and then we can work backwards from there.
Ben Grubb: Cool. Just a few … last kind of rapid-fire questions. The encryption laws that the government is expected to introduce, under Peter Dutton’s thingy, soon … A lot of people have described them as ‘back doors’, and I think that Dutton, today, was explaining, or trying to explain them. But, what has been your office’s view with that legislation? Have you received any draft legislation, and do you have any concerns with these laws?
Timothy Pilgrim: I’d have to double-check, and I won’t say this categorically. I’m not aware that we have a copy of those, have seen those draft laws at this stage, on the encryption. So, I’d like … I’d like to be able to get back to you on that.
Ben Grubb: So, do you have any thoughts about ways that technology companies and law enforcement should co-operate, or shouldn’t co-operate, when it comes to this problem, this so-called problem, of devices being encrypted, and then, the companies just not having the ability to unlock those? Do you have any concerns, any particular … Yeah. Do you have any particular concerns with that?
Timothy Pilgrim: Well, taking into account that there’s always going to be, I think, an innate tension in the need to ensure the security of the community, and in doing so, the need that may be there to sometimes encroach on personal privacy, it’s incumbent on governments in drafting legislation, and the Parliament, to ensure that the proportionality’s there. And that’s the first … Our first starting point. So, it’s hard, sometimes, to just go from the abstract, until we’ve seen a draft legislation that we can comment on.
Ben Grubb: Speaking of proportionality, I understand from the New Daily that you were given one day to review the secrecy laws. Was that an adequate amount of time?
Timothy Pilgrim: On those secrecy provisions, that’s correct. We received a copy of those on the 14th. I think, as I’ve said in my evidence to the relevant committee … When it’s that sort of information, I think we would appreciate a bit longer time, to be able to give that type of legislation a bit more consideration. So, I think, yes, we would’ve appreciated a bit more time than one day.
Ben Grubb: And what would the … What are the, I guess … Has that law passed now?
Timothy Pilgrim: No, the bill’s still under consideration by the Joint Parliamentary Committee on Intelligence and Security. I gave … I put into submission, some short submissions, but nevertheless, submissions to the committee on those bills, and appeared before the committee by teleconference last Friday, and … Yeah, so as far as I’m aware, the bills haven’t actually been considered, finally, yet.
Ben Grubb: And what has been your recommendation to government on those bills?
Timothy Pilgrim: It might be best if … They’re short submissions, if you have a quick read of them, Ben. Let me try to paraphrase them here. They go … They raise, generally, some concerns I had over the … I’m just trying to remember how I phrased it, the effect the secrecy provisions may have, for example, on my ability to undertake investigations, and in doing so … Not so much undertake the investigation, but be able to get access to relevant information that I need to undertake my investigations, and whether that may be restricted by the provisions not allowing the disclosure of the information to me, as part of an investigation.
So, similar issues were raised, also, by the Commonwealth Ombudsman’s Office, and the Inspector General of Intelligence Security, in the evidence they gave. So, there were some issues around that. And also, I was seeking, first of all, clarity that that wouldn’t be the case, and certainly clarity in the respect of a person’s right to access information, that wouldn’t be impacted on, by the applications of the secrecy provisions, as well.
I spelt that out a bit clearer though in the two submissions, and as I’ve said, they’re fairly short.
Ben Grubb: And the … Just going back to the stuff for tomorrow. The fine that people face. And I know it’s kind of been going up a little bit. What is it today, the maximum penalty?
Timothy Pilgrim: Against a corporation, or against an entity covered by the Act, it’s now 2.1 million dollars maximum. And again, I’m sorry, just off the top of my head, I can’t [crosstalk]
Ben Grubb: I’m seeing something from [former NSW Deputy Privacy Commissioner] Anna Johnston, who said, ‘We have now … We now have maximum civil penalties of 1.7 to 2.1. Since 2014, it was 1.7 million, it was 1.7 million in 2014. Since increased to 1.8, now 2.1, along with all federal government penalty amounts.’ Yeah.
Timothy Pilgrim: And I think it’s 420,000, now, against individuals.
Ben Grubb: Yeah, now in the … In Europe, they have much bigger maximum penalties attached. They have 20 million euros, or 4% of global turnover, which is … Whichever is higher, and those penalties are aimed at big business, which might otherwise shrug off these smaller fines. Do you think that these fines are big enough for large corporations in Australia, which might perhaps go to their boardroom, and say, ‘Hey, the reputational damage of this is estimated at 20 million dollars. Why don’t we just keep it quiet?’
Timothy Pilgrim: I think it would be a very risky process for any organisation to take that sort of approach. I think, as I’ve said before, the 2.1 million dollars is the current penalty that’s available, the amount’s set by the Parliament in passing the bill. But I also think that the risks to organisations, in reputational risk, is, I think, considered extraordinarily high-risk by a lot of the organisations and companies I deal with. So, I’m not sure that they would be taking that approach to hide things.
Ben Grubb: Yeah. And the … Where was I going with that? So, the cost is just a fixed cost. Do you think that that’s fair on … If these smaller companies … Should it be a sliding scale, or, like … Yeah.
Timothy Pilgrim: No, it’s not necessarily a fixed cost. It’s an amount up to, for example, of 2.1 million dollars. So, what would happen is, if I felt the need, that I believed that civil penalties were required to be imposed, I would take the matter to the federal court, to seek the federal court to impose penalties. And then, at the end of the day, it would be up to the court to decide what the amount was to be. But that amount could be up to 2.1 million.
Ben Grubb: Okay. So-
Timothy Pilgrim: They could impose a smaller amount.
Ben Grubb: Practically, what will happen, from tomorrow? Say Telstra comes to you, and says, ‘We’ve had our fifteenth breach since whatever year it is’. Do you then … Will you then publish, on your website, that they have reported a breach to you? Or will that … Yeah, what practically will actually happen?
Timothy Pilgrim: Well, the … As I was saying earlier, the requirement on the organisation is, if they have established that there’s a serious risk, a likely risk of serious harm to an individual, they have to report to those individuals and provide them with information of what occurred, and what they’re doing to remedy the breach, and give them contact numbers and things that certain individuals can contact the company, as well. And they have to report that breach to us.
For the first 12 months, we will be providing statistical information on the number of breaches. We won’t be publishing every breach, at this stage. But we’ve undertaken to review that in 12 months. This is a common practice with a number of jurisdictions globally, so we’ll be taking that approach in the first 12 months, and then review whether we need to provide different information, and whether … About identifying each breach, we’ll decide at that time.
Ben Grubb: So, what will you … What’s the criteria for you to decide whether to disclose a breach, as part of, say, a media release?
Timothy Pilgrim: If we were likely to need to take enforcement action, as a result of a breach. So, for example, an organisation could come to us with a breach, and … I wouldn’t say this would be happening on day one, but say they’re … The organisation, in a very short period, had similar breaches, and had appeared not to have actually addressed or remedied the issue. Then, I would be looking at using other regulatory powers to investigate them, which I already have in place, and then determine whether they had taken the right steps. And if not, then we’d be looking to take action, which may result in civil penalties.
As I’ve said, one of the criteria for civil penalties is serious or repeated breaches. So, we would be looking to those powers, as well, should the need arise.
Ben Grubb: So, a serious breach … Sorry, would you classify all of the media releases that you have put out, to date, on privacy breaches … They meet that criteria, those two criteria?
Timothy Pilgrim: If you go into our regulatory action plan, we’ve set out … When we rule and undertake those commission-initiated investigations I’m referring to, and that … When I do that, as a matter of course, I advise publicly that I’m doing an investigation, and that we will report in the end, in terms of what we found and what action we’re taking.
This scheme … So, what we’ve got here are two different aspects. So, in terms of the notifiable data breaches scheme, an organisation’s obligation is to report that they’ve had a breach, again, when there’s a likelihood of serious harm. And they will meet the compliance with that scheme when they report, and when they advise my office.
What we will also do, though, is we will be looking at each of those breaches as they come in, because as we go through that process, we would want to make sure that there is nothing systemic that is occurring over and over again with that particular organisation. Should we see a recurrence of a similar breach, then we would be looking at possibly activating those other investigation powers I have, as a separate exercise.
Ben Grubb: And presumably not just recurrence, but, you said, with the-
Timothy Pilgrim: Well, yes, if it appeared, on the face of it, to be quite serious, say, egregious, so in the first place, there may have been some significant failing, then we would potentially look to do an investigation on those grounds, too.
Ben Grubb: Okay, great. And those investigations … They-
Timothy Pilgrim: I just need to let you know, I do need to get away shortly, too.
Ben Grubb: Yeah, no, this is just my last one. But, the … Those investigations, they can … That’s where the fines would be applied. Is that right?
Timothy Pilgrim: The fines can be applied in those investigations. However, if … Another scenario could be that, under the notifiable data breaches scheme, a company doesn’t notify, and I think you might’ve been touching on this earlier … If a company, say, doesn’t notify of a breach, and then, say, an individual who’s affected finds out about that breach and how it’s affected them, and they come to my office to complain, I would then investigate why the company didn’t notify.
And if I form the view that they should have notified, then I can then use those same penalty provisions to go down that path, for non-notification.
Ben Grubb: Yeah. So the penalties apply to both those two different aspects.
Timothy Pilgrim: That’s correct.
Ben Grubb: Great, okay. Thank you so much for your time, Tim, and good luck with retirement.
Timothy Pilgrim: Yeah, thanks for chatting. Bye.