Peter A Clarke

The work of the Information and Privacy Commissioner continues to not go on.  But the Government has appointed a permanent successor to the previous Commissioner, Timothy Pilgrim.  The Interim Information Commissioner and Privacy Commissioner, Angelene Falk, has been appointed Read the rest of this entry »

The UK Information Commissioner has taken strong action in the form of a Monetary Penalty Notice of £140,000 for on selling personal information of one million people, from Emma’s Diary, which provides advice on pregnancy and childcare, to Experian Marketing Services, which is used by the Labour Party.  That information was used as a database which was used to profile new mums for use during the 2017 General Election.  The key with data for political parties is to allow them to micro target voters with carefully structured messages.

Under both UK and Australian privacy legislation personal information collected for one purpose can not be disclosed to a third party for another purpose unless one of the exceptions applies.

The actions by Emma’s Diary was particularly cynical given Read the rest of this entry »

A problem which predates the My Health Records Act is the poor state of data security in the Health Sector.  It is a chronic problem.  The extent of the problem is highlighted in the discovery of 1,000 medical records relating to 400 patients of an Aged Care centre found in a building in South Sydney and 7,000 patient records exposed on line at South Australia’s Women and Children’s hospital.

The Hong Kong Department of Health was recently hit with a ransomware attack.   And in Nova Scotia the Privacy Commissioner has investigated a privacy breach by a pharmacist employed by a large pharmacy chain who viewed the private medical records of 46 people who were not that person’s patients, including a child who was a friend of her child, that child’s parents, friends and Read the rest of this entry »

The My Health Records Act 2012 is a dreadful piece of legislation.  Privacy professionals have known this for some time.  They have been saying it for some time.  While the system involved voluntary placement of records onto the systems the Government could avoid grumblings from various groups.  The Privacy Commissioner was on an extended tea break on the issue.  Nothing new there. So the legislation was untouched and the agency responsible for its management, the ADHA, filled forms, ignored complaints and generally kept a low profile.

Then the opt out provisions came into effect and various commentators “discovered” the privacy invasive aspects of the system. Janet Albrechtson took up the cudgels as did Peter Van Onsolen at News Ltd.  Similar negative treatment came from Read the rest of this entry »

The Australian Information Commissioner has released another quarterly report of notified data breaches.  It has grown into a 33 page document from its humbler beginnings of a single page.  At the outset it is relevant to note that these figures are not the last word on actual data breaches.  There is a balancing act organisations go through before deciding to notify.  That is a weakness in the legislation.  There is also likely to be some non compliance with the legislation.  Finally many organisations are not subject to the operation of the Privacy Act and therefore will not notify because they do not have to.  That said it is a valuable report.

Putting the issue of data breaches in its broader context itgovernance has calculated that there were data breaches and cyber attacks in July 2018 which resulted in unauthorised access to 139,731,894 records.  And health records were a significant percentage of the records affected.

In the quarter there was 242 notifications, compared to 63 in the previous quarter, which were Read the rest of this entry »

As if the victims hadn’t suffered enough.  The Independent Inquiry into Child Sexual Abuse suffered a major data breach.  Of the all too common own goal variety.  A staff member sent an open email to 90 victims of sexual abuse, thereby allowing each person to identify the emails of others.  More than the majority of the email addresses listed the full name of the recipients.  Given the nature of the inquiry and the sensitivity of at least some of the recipients it was a dreadful and entirely avoidable error.  The Inquiry released personal information without consent.

Under the Monetary Penalty Notice the contravention was Read the rest of this entry »

Another case of compare and contrast between privacy regulators.  In the UK the Information Commissioner’s Office has announced the finding of investigations involving the use of personal information provided to Facebook by Cambridge Analytica.  The size of the breach of the Data Protection Act is enormous involving up to 87 million users worldwide.  The UK Information Commissioner commenced it investigation into Facebook in February.  It now announces its intention to fine Facebook a maximum of £500,000 as well as Read the rest of this entry »

The Australian in Facebook hit by Australian compensation case for data theft reports that the litigation funder IMF Bentham have lodged a representative complaint with the Office of the Information Commissioner arising out of the Cambridge Analytica use of personal information gleaned from Facebook.  One of the more egregious breaches of privacy by Facebook in recent times.  Which is saying something!  The story is also picked up by the Guardian in Compensation sought for Australians caught up in Facebook privacy breach.

Representative claims before the Information Commissioner is a rarely used provision.  The IMF Bentham quite lengthy statement relevantly Read the rest of this entry »

The Australian Government Agencies Privacy Code came into effect yesterday.  That is effectively today.

As the Privacy Commissioner notes on its media release under the Code agencies are Read the rest of this entry »

There is a regularity with certain types of breaches.  I posted on 11 September 2014 about the privacy problems with mobile apps.  Privacy controls are generally terrible.  The HealthEngine app, marketed as Australia’s biggest online doctors appointment booking service is reported to have used personal information Read the rest of this entry »