Data notification law starts today – as Privacy Commissioner says goodbye

Timothy Pilgrim, retired public servant

The world is very different now, but many of us don’t know it. From 22 February 2018 Australia has a new Notifiable Data Breaches (NDB) regime.

Under the laws, passed in 2017 as the Privacy Amendment (Notifiable Data Breaches) Act, companies and government agencies have to tell people if lost or stolen data “is likely to result in serious harm to any individuals whose personal information is involved in the breach.”

They must make this notification “as soon as practicable.” Previously there was no obligation to do so at all, and many serious breaches were only reported years after they occurred.

The laws were years in the making, after first being proposed by the Australian Law Reform Commission in 2008. But despite nearly a decade of public debate, recent research shows that most Australian businesses believe they are not prepared for the new scheme (HP Australia IT Security Study, February 2018).

The legislation has been widely criticised as being too vague (‘as soon as practicable’, ‘serious harm’), and for excluding organisations with an annual turnover of less than $3 million. The new rules will be overseen by the Office of the Australian Information Commissioner (OAIC).

But Commissioner Tim Pilgrim will not be around to do that overseeing. He has resigned, just two days before the new rules came into effect. He will stay on for another month, but it will be his successor who will have to deal with the potentially massive consequences of the new data retention regime.

Mr Pilgrim’s resignation comes as no surprise. He hasn’t said a lot about why he is leaving, but a reasonable reading of the situation would be that he’s had enough. He has been Privacy Commissioner since 2010, during which time his office has been continually downgraded.

A career public servant, he is now in his late 50s and eligible for a comfortable retirement. The introduction of the new law is as good a time to go as any.

Pilgrim’s progress has been steady, if unspectacular. He was appointed Privacy Commissioner in July 2010, after being Deputy Commissioner since 1998. Before that he worked in a number of agencies, including the ATO. He was also appointed Australian Information Commissioner in October 2016, after acting in the role since the Privacy Commission was made part of the OAIC in 2010.

It has been a struggle since then. The ill-fated Abbott budget of 2014 attempted to abolish the OAIC altogether. That move was blocked in the Senate, but the Government responded by starving it of funds to the extent that it was increasingly difficult for Mr Pilgrim to do his work.

That did not stop new Attorney-General Christian Porter from heaping praise on Mr Pilgrim, saying he had done an outstanding job.

“Mr Pilgrim built a strong reputation, both within government and the wider community, with his thoughtful and considered approach to privacy and information regulation. He has worked tirelessly to help Australia deal with global privacy challenges, particularly through building closer relationships with other privacy regulators domestically and internationally.

“Mr Pilgrim oversaw the implementation of the amendments to Australia’s Privacy Act in 2014, the most significant reforms since the Privacy Act 1988 was extended to the private sector in 2000. He was awarded a Public Service Medal in 2015 in recognition of his outstanding work overseeing these reforms.”

One wonders just how much more of an outstanding job Mr Pilgrim would have been able to do if the government had not hobbled him.

Mr Porter said a “merit-based selection process” was now underway to find Mr Pilgrim’s replacement. It will be interesting to see how long it takes – this Government has a habit of taking a long time to appoint people to positions it has tried to abolish.
