Peter A Clarke

Even after writing about privacy for a decade and more, it still never ceases to amaze me that media write in breathless tones about the problem with organisations using and misusing data and personal information as if it was some form of revelation.  The only thing that has changed has been the great efficiency in the misuse.  The latest offering is the Australian’s piece Giants’ data haul sparks call to reform privacy act which is a bit of a spruik dressed up as an article for a conference to be hosted by the Consumer Policy Research Centre on 19 November 2019.

The chief executive is calling for “urgent reform of the Privacy Act” to better protect consumers.  She also wants a Consumer Data Right.  The call to reform the Privacy Act is misconceived.  There is no point increasing the powers of Read the rest of this entry »

The Office of the Victorian Information Commissioner (OVIC) has released its 2nd annual report.  The transition from separate privacy commissioner and Freedom of Information Commissioner offices to a combined office seems to be working.  It was inevitable after a similar approach has been taken at a Federal level and in Queensland and New South Wales.

The remit of OVIC is limited to public service agencies.  Enforcement action is limited with compliance notices being the most serious action that can be taken.  The Privacy and Data Protection Act makes the OVIC a gatekeeper in any action taken under the Act in VCAT.  That has been problematical.  As with the Federal Information Commissioner, much is made of the conciliations and finalising of complaints but little is published about the nature of the breaches and what remedial action is taken beyond a few case studies in the Annual Report.

The Information Commissioner, Seven Bluemmel, has proved to be a very active participant in the various privacy seminars throughout the year and has hosted seminars on a fairly regular basis.  Generally they are of Read the rest of this entry »

The ABC, Guardian and Nine/Fairfax press reports on a Queensland Police Officer, Senior Constable Neil Punchard, who has been convicted and been sentenced to 2 months jail, wholly suspended for 18 months, for leaking personal information of a woman to her ex husband in 2016.  Punchard accessed information relating to the victim on 9 occasions, hence the 9 charges of Read the rest of this entry »

The Australian Information Commissioner has recently released a Guide to Health Privacy.  At over 50 pages it is quite comprehensive.  It is less equivocal than previous guides published by the Information Commissioner.  That is not to say it does not descend into vague generality more than it should. The Commissioner’s guidelines have no force of law under the Privacy Act 1988.  That obvious fact has been stated by the Administrative Appeals Tribunal and the Federal Court.  As they are not regulations their use as a legal document is relatively limited.  They do however serve as a standard which the Information Commissioner expects agencies and organisations to follow in order to comply with the Privacy Act.

While some of the Commissioner’s previous and current guidelines are so vague, rubbery and equivocal as to be of little use that is not really the key regulatory issue.  The problem has always been the reluctance by the regulator in taking enforcement action.  That has been a 30 year problem. The powers available to the Commissioner have grown over the years.  That has not been matched by Read the rest of this entry »

A few days ago the Duchess of Sussex commenced proceedings against the Mail on Sunday alleging misuse of private information, a breach of copyright and contravention of the General Data Protection Directive. Now Prince Harry has commenced proceedings against the Sun and the Daily Mirror in relation to the hacking of his phone.

The pleadings are not public so it is not possible to comment on the technical basis for the claim however it would appear to be also a misuse of personal information case, with the hacking of his phone being used as a basis for stories.  He is using the law firm Cliffords who brought many of the claims arising out of the practice of News of the World in hacking the phones of members of the public.  Those cases settled.  It should be born in mind that, as the Media Standards Trust reported in its 52 page report,  most of the victims of phone hacking were not famous or Read the rest of this entry »

It is widely reported (in the Guardian, the Australian, the Nine Fairfax Press, the ABC etc) that Meghan, Duchess of Sussex has commenced proceedings in the High Court for misuse of private information.  She has, as is often the case involving the use of private communications which find their way into the media’s hands, also alleged a breach of copyright.  Additionally a breach of the General Data Protection Regulation is another cause of action.

The basis for the claim is a private letter from Meghan to her estranged father. Parts of that letter was extracted in an article in February 2019.

The United Kingdom courts have been industrious in developing the equitable cause of action of misuse of private information in the context of considering the operation of Articles 8 and 10 of the Human Rights Act.  The development has proceeded to Read the rest of this entry »

The Australian in Anxiety rising as law firms confirm cyber breaches reports on a survey conducted by the Australian Legal Practice Management Association and GlobalX that found almost 20 per cent of Australian law firms that responded had been victims of a cybersecurity breach. This figure is consistent with US findings, such as the Australian Bar Association 2017 Legal Technology Survey.

This is hardly news.  The American Bar released a report in January 2019 dealing with the threat to US law firms which also set out in a practical terms processes and systems which reduce a law firms exposure to a data security.  Australian law societies have come some way in doing something similar but not to the same extent. Unfortunately there seems to be a cultural problem with law firms resisting spending enough on IT security, spending what budgets they have badly and generally failing to develop and maintain decent privacy and data protection policies.  Training tends to be superficial and irregular.  Given the weakest part of any cyber defence is the humans manning the phones, responding to emails and operating the computers this is commonly a disaster waiting to happen.  Often the usual targets for phishing targets, junior administrative staff are ill prepared for an attack.

Law firms are particularly prone to phishing and hacking of email accounts.  Law firms, particularly those with a focus on commercial and property law, hold significant sums and bank details.  Law firms are also prone to ransomware.  In 2017 DLA Piper suffered a ransomware attack which forced it to shut down its world wide digital operations.

The other problem with law firms’ data security is the Read the rest of this entry »

Sometimes, in fact often times, reality provides better copy than fiction.  The Australian reports that the the office of Christian Porter, the Commonwealth Attorney General, has been involved in a privacy breach.  In sending an email regarding the religious discrimination bill the office revealed the email addresses of more than 100 recipients.  Many of the addressees are religious figures but the list also included a judge and lawyers.

While the Australian’s report Read the rest of this entry »

The Information Commissioner has released the latest report on reported, rather than actual data breaches, for the last quarter; April – June 2019.  The report highlights what has long been known, that human factors are a major cause of breaches.

The report reveals that:

• 34% of the breaches were caused by human error;
• 62% were motivated by malicious or criminal attacks
• the number of reported breaches, at 245 is statistically greater than the breaches in the January – March period of 215 but in line with the previous 2 quarters of 245 and 262.
• 1 breach affected over a million people, 21 breaches affected over a thousand but less than 5,000 people, 52 breaches affected between 100 and 1,000 and the largest category of 61 breaches affected a single person. The report does not identify which industries are affected by breaches impacting a large number of people.
• contact information was affecetd in 220 of the breaches while financial details were affected in 102 and health information on 67 occasions.
• as is commonly the case wrong email addresses were the cause of the most human errors. Most of those errors were in the health sector.
• phishing is by far and away the most common cause of cyber incidents
• the most notifications were from the health sector, 47, while finance had 42 notifications followed by lawyers and accountants, 24.

Read the rest of this entry »

It is now trite to say that data is a source of power and wealth.  The new oil to hear some commentators tell.  Data analytics is a rapidly expanding and developing field with Artificial Intelligence is driving that development.  Companies collect as much personal information as they can and use it for analysis and marketing just to name two uses.   Organisations often collect more information than is required and keep it for much longer than necessary.  Both are poor privacy practices which attracts no censure from the regulator. 

David Irvine, chief of the Foreign Investment Review Board highlighted in a speech last Monday 19 August 2019 the obvious point that in takeovers by foreign companies personal information of Australians will be part of what is taken over.  The FIRB will be Read the rest of this entry »