El Reg: What does the Privacy Act have to say about “bad apple” incidents – where the company didn’t intend to make customer data public, but an insider has breached its policies?
Clarke: The Privacy Act is almost irrelevant. It’s toothless and administered by an organization that doesn’t spend much time exercising those powers it has.
The problem isn’t the obligations, it’s the unenforceability of the obligations. [The Act] requires that security precautions be taken – and it’s covered by a reasonableness clause, so that you don’t have to have extraordinarily expensive security on not-very-interesting data.
There is an obligation, but what hasn’t happened is for the Privacy Commissioner to get out there, and get consultancies to advise it on how those obligations should be implemented in particular circumstances.
Clarke is not done criticizing the law and its enforcement, however. Read the interview.