Privacy investigations stemming from the Optus and Medibank data breaches could stretch into 2024, as it emerged they’re just two of eight open investigations by Australia’s privacy watchdog.
The Office of the Australian Information Commissioner has issued notices to produce documents to both Optus and Medibank, however it only “expects to have received all the core information for consideration and assessment before the end of the calendar year.”
“It is difficult to make judgements on how long an investigation will take as there are a number of variables,” the OAIC said.
The office said it had also transferred “most” individual privacy complaints about the Optus data breach to the Telecommunications Industry Ombudsman (TIO), which would act in an external dispute resolution capacity.
The power to transfer complaints to other bodies is contained within section 50 of the Privacy Act.
So far, the OAIC has spent $481,000 on “external legal services and cyber security consultants” for the Optus investigation, and an additional $112,000 on the Medibank investigation.
However, it turns out that with the spate of data breaches that impacted Australian organisations in the back half of 2022, that the OAIC has a number of other breaches under active investigation.
Its most recent statistics release showed there were five data breaches over the period that impacted at least 1 million people.
“In addition to the Optus and Medibank investigations, the OAIC is investigating the privacy compliance of six entities in relation to data breaches in the health, finance, telecommunications and not for profit sectors,” the office said, without naming all of the parties.
