Clive Palmer’s political parties Trumpets of Patriots and the United Australia Party (UAP) have not reported their privacy breach to her office, despite claiming to have done so, Australia’s privacy commissioner says.
The Office of the Australian Information Commissioner (OAIC) also left the door open to the possibility that the UAP will face penalties because an exemption for political parties from the Privacy Act may not apply as the UAP has been de-registered.
Last week, Palmer’s parties announced that they were the victims of a ransomware attack that had exposed “all emails to and from the Political Parties (including their attachments) and documents and records created and or held electronically by the Political Parties at any time”.
As part of a notice put on the parties’ websites and sent to their email lists, the parties claimed to “reported the breach to the Office of the Australian Information Commissioner (OAIC) and to the Australian Signals Directorate.”
However, a spokesperson for the OAIC says it has no record of a breach being reported to the agency.
Neither a spokesperson for Palmer nor the privacy officer for the parties immediately responded to a request for comment.
Under Australian privacy law, entities have 30 days to report a breach. Based on Palmer’s parties’ claim that an intruder was detected on 23 June, a formal report of the breach is due by tomorrow, 23 July.
Political parties are exempt from the Privacy Act, which includes the obligation to report any breaches.
Except the UAP may not be exempt. The party was “voluntarily deregistered” after the 2022 election, and was unsuccessful in its High Court bid to register before the last election. The UAP is still not registered according to the AEC.
An OAIC spokesperson said it had not confirmed whether “any or all of them are entitled to claim the political party exemption” given the recency of the event.
“Any entity not covered by the exemption will need to adhere to the requirements of the Notifiable Data Breach scheme, as well as to the Privacy Act more generally,” they told Crikey.
Failing to report a breach can result in penalties under the Privacy Act.
Privacy Commissioner Carly Kind questioned why political parties are exempted from Australia’s privacy laws.
“The exemption is not only out of step with community expectations, it is not reflective of the nature and scope of risks to Australians’ privacy in the digital era,” she said to Crikey.
The OAIC has always opposed the political party exemption, and Kind said that each new data breach was a reminder why Australian organisations should be improving their cybersecurity practices.
“The Australian community wants more, not fewer, protections on their privacy,” Kind said.