Information Commissioner registers new Privacy Credit reporting Code (version 3.0)

October 2, 2024

Credit reporting codes under the Privacy Act 1988 matter: a breach of the Code can cause serious difficulties for a credit provider. The Information Commissioner has registered the Privacy (Credit Reporting) Code 2024. The Commissioner's media release gives a useful summary of the features of the new Code, but it is an overview only. Credit providers, and those who act for clients with credit-related matters, should read the Code itself carefully, and credit providers need to incorporate the new requirements into their documentation and processes. That may sound trite, but the failure to do so is quite common, particularly among non-bank credit providers.

The media release

Hundreds of email addresses shared by Victorian Victims of Crime Assistance Tribunal email error

October 1, 2024

The ABC reports in Hundreds of email addresses shared in Victims of Crime Assistance Tribunal administrative error that the email addresses of victims of crime were accidentally shared in an email advising of changes to the compensation application process. The email was sent to multiple addressees, 480 in the version the ABC has seen, but the addressees were not blind copied, so every recipient could read the email addresses of all the others. The addresses included first and last names. VOCAT then sent two recall emails, which achieves very little: a recall only works for unread messages inside the sender's own mail system, and does nothing once a message has been delivered to an external mailbox.

The damage is done. Given the addressees are victims of crime, some of whom may have been stalked, the presumed harm is greater than it would otherwise be.

Damages awarded in Australian privacy cases have not been significant, primarily because there have been relatively few reported cases in which damages have been considered. In the United Kingdom the courts also took a restrained approach to damages, but with increased litigation and the bench's greater understanding of how privacy breaches affect a person the awards have risen, and egregious breaches have raised the ceiling over time.

In Victoria a complaint can be made under the Privacy and Data Protection Act 2014, with VCAT hearing the complaint. Under section 77(1)(a)(iv) it has jurisdiction to award damages of up to $100,000. There has been only one instance where an award of damages has been made, Zeqaj v Victoria Police (Human Rights) [2018] VCAT 1733. In that case the breach was proved and an award of $1,000 was made. That is derisory, and the analysis was very disappointing and not consistent with privacy litigation in the UK or the USA, let alone Europe. The jurisprudence in VCAT should not make a complainant optimistic: it is very difficult to succeed, so the award provision in the Act is virtually a dead letter.

The Office of the Victorian Information Commissioner has a page titled Assessing compensation claims for loss in privacy complaints which gives an overview of the law. It is fairly basic and not particularly sophisticated given the development of privacy law in common law jurisdictions, but it is useful given that all complaints must first go through the Victorian Information Commissioner. Many complaints are mediated and resolved there. Better that than taking one's chances in VCAT.

This type of error is all too common and especially prevalent in the public service. It is entirely preventable. Proper training and
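The control that prevents the VOCAT error is mechanical rather than a matter of care: bulk notices are addressed with the recipient list in Bcc, and nothing goes out if the To/Cc headers would expose more than a handful of addresses. The following is an added example, not code from the original post or from VOCAT; the recipient addresses, the sending mailbox and the threshold of five visible addresses are constructed for the example.

```python
"""Added example (not part of the original post): addressing a bulk notice
so that recipients cannot see each other, with a pre-send check that
refuses a message whose To/Cc headers would expose a recipient list.
The addresses, sender and threshold below are constructed for the example.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list; a real one would come from a case system.
SAMPLE_RECIPIENTS = [
    "applicant.one@example.com",
    "applicant.two@example.com",
    "applicant.three@example.com",
]

# Assumed threshold: a few visible addresses is ordinary correspondence,
# dozens is a mail-out that should have used Bcc.
MAX_VISIBLE_RECIPIENTS = 5


def build_bulk_notice(recipients, sender, subject, body):
    """Address a mass notice so every recipient sees only the sender.

    Recipients go in Bcc; To carries the sending mailbox so the message
    still has a sensible visible To header.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_exposed_notice(recipients, sender, subject, body):
    """The pattern that causes this kind of incident: everyone in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to read (To and Cc)."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Refuse a message that would expose a bulk recipient list."""
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise ValueError(
            f"{len(visible)} addresses visible in To/Cc; use Bcc for bulk mail"
        )
    return True


def outgoing_bytes(msg):
    """Serialise the message as it should leave the organisation.

    smtplib.send_message() strips Bcc itself; anything else that is handed
    raw bytes must have the header removed first, or the 'blind' copy list
    travels with the message to every recipient.
    """
    wire = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    del wire["Bcc"]
    return wire.as_bytes()


if __name__ == "__main__":
    notice = build_bulk_notice(
        SAMPLE_RECIPIENTS, "tribunal@example.com", "Process change", "Notice text."
    )
    check_before_send(notice)
    print(outgoing_bytes(notice).decode())
```

The check sits in front of whatever actually sends the mail, so that a template built the wrong way is rejected before delivery rather than recalled after it; the threshold is deliberately low because a tribunal has no legitimate reason to expose dozens of applicants to each other.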

Information Commissioner releases corporate plan for 2024 – 2025

September 30, 2024

Agencies release corporate plans. They are of variable quality and often drafted in terms vague enough to avoid criticism. The good ones say something, even if enough plausible deniability is buried in their dense prose. The Information Commissioner's media release keeps with this approach.

It provides:

As the accountable authority, I am pleased to present the 2024–25 Office of the Australian Information Commissioner (OAIC) corporate plan for the 2024–25 to 2027–28 reporting periods, as required under paragraph 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

As an independent statutory agency, our office regulates privacy and freedom of information (FOI) under the Commonwealth Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act) and has information policy functions under the Australian Information Commissioner Act 2010. This corporate plan sets out our key activities and how we measure our performance.

Operation Turton, IBAC's special report into hacking and misuse of information, highlights the overlap of security, corruption and basic issues of privacy and data security, and the inadequacy of Australian privacy regulation

September 25, 2024

The Parliament of Victoria has tabled a special report by Victoria's Independent Broad-based Anti-corruption Commission (IBAC) titled Operation Turton. It reports on repeated instances in which employees inappropriately accessed and misused sensitive information at the Metropolitan Fire Brigade (MFB), now Fire Rescue Victoria. It has been reported in the Australian and the Age. The investigation concluded in 2021.

The Report is clearly about the behaviour of individuals and the misuse of private information for improper purposes, but for privacy practitioners it is a useful illustration of the need for proper data security practices and training. Fire Rescue Victoria had clear vulnerabilities in its data security which allowed the breaches to occur.

In the analog age information in documents was misused too: reports and correspondence were copied and leaked. The challenge of controlling information flow grew with the digitisation of documents, the use of email and the many new means of leaking material. Under privacy legislation in every jurisdiction, governments and organisations must maintain adequate data security. That includes password protection, and access controls that require proper authorisation before certain documents can be read. But every system has vulnerabilities, the prime one being a failure to maintain data security standards and to check for weaknesses.
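Requiring authorisation is only half of the control; the other half is reviewing the access log to see whether people outside the authorised group, the system administrators in particular, have been reading records they have no business with. The following is an added example, not code from IBAC, Fire Rescue Victoria or the original post: a review of a document-access log that flags reads of restricted records by accounts whose role is not authorised for that record's classification. The roles, classifications, user directory and log lines are all constructed for the example.

```python
"""Added example (not from the IBAC report or the post): flag accesses to
restricted records by accounts whose role is not authorised for the
record's classification. Everything below is constructed for the example.
"""
from collections import Counter

# Constructed: which roles may read each classification. An ICT
# administrator can operate the system without being entitled to read
# investigation files, which is exactly the gap to audit for.
AUTHORISED_ROLES = {
    "PUBLIC": {"staff", "hr", "legal", "ict-admin", "executive"},
    "HR-CONFIDENTIAL": {"hr", "executive"},
    "INVESTIGATION": {"legal", "executive"},
}

# Constructed: user -> role directory.
USER_ROLES = {
    "alice": "hr",
    "bob": "ict-admin",
    "carol": "legal",
    "dave": "staff",
}

# Constructed: record id -> classification register.
RECORD_CLASS = {
    "DOC-1001": "PUBLIC",
    "DOC-2042": "HR-CONFIDENTIAL",
    "INV-0007": "INVESTIGATION",
}

# Constructed sample access log, one "timestamp user action record" per line.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice READ DOC-2042
2024-03-01T09:05:47Z bob READ DOC-1001
2024-03-01T09:06:03Z bob READ INV-0007
2024-03-01T09:06:09Z bob EXPORT INV-0007
2024-03-01T10:14:30Z carol READ INV-0007
2024-03-01T11:40:02Z dave READ DOC-2042
2024-03-01T11:40:05Z bob READ DOC-9999
"""


def parse_log(text):
    """Yield (timestamp, user, action, record) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def is_authorised(user, record):
    """True only if the user's role is allowed the record's classification.

    Unknown users or records fail closed: an access to something that is
    not in the register is itself worth a look.
    """
    role = USER_ROLES.get(user)
    classification = RECORD_CLASS.get(record)
    if role is None or classification is None:
        return False
    return role in AUTHORISED_ROLES[classification]


def find_unauthorised(log_text):
    """Return the log entries where the acting user was not authorised."""
    return [e for e in parse_log(log_text) if not is_authorised(e[1], e[3])]


def summarise(findings):
    """Count findings per user so the reviewer knows whom to ask first."""
    return dict(Counter(e[1] for e in findings))


if __name__ == "__main__":
    hits = find_unauthorised(SAMPLE_LOG)
    for ts, user, action, record in hits:
        print(f"{ts} {user} {action} {record} NOT AUTHORISED")
    print(summarise(hits))
```

Run against the sample log this reports the administrator's read and export of the investigation file, a staff member's read of an HR record, and a read of a record that is not in the register at all; the point is that the review has to run routinely, because the access control on its own only records the misuse, it does not surface it.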

The Report:

  • identified five separate incidents where MFB information was accessed or disclosed without authorisation, with three incidents involving public servants from MFB’s Information and Communications Services business area.
  • found individuals shared sensitive MFB information directly with the United Firefighters Union (UFU) without permission.
  • found that Mr Marshall sought assistance from employees to inappropriately gather sensitive information on internal investigations related to him, executive contracts and another confidential organisational matter.
  • identified MFB was operating with significant information security vulnerabilities and under a restrictive agreement with the UFU that impaired MFB’s ability to address issues.

The recommendations include:

Recommendation 1
Fire Rescue Victoria develops clear policies and procedures regarding the matters that may be the subject of consultation with employees and their representatives at the Consultation Committee, and in what circumstances Fire Rescue Victoria information may be disclosed to employees and their representatives to inform that consultation.

Recommendation 2
Fire Rescue Victoria addresses the information and communication technology security vulnerabilities and risks identified in Operation Turton by:
(a) actioning the consolidated findings of the audit and reviews conducted in this area since 2018

Hardware chain Total Tools suffers a data breach

September 23, 2024

Total Tools announced that it suffered a data breach involving the loss of personal information. Total Tools' statement is long and comprehensive. It is overlong, but that is a small criticism compared to the usual vague, brief, minimalist commentary that many Australian companies prefer to publish. It is still quite vague as to the cause of the breach, when it happened and for how long. American companies more often provide that information in their statements, not least because it tends to come out anyway. It has been reported that the breach involved the personal information of 38,000 individuals.

A media release should be part of a comprehensive data breach notification program, and this one is better than many Australian statements. It provides:

Overview:

Total Tools has experienced a cyber incident on its website that resulted in the compromise of some customers’ personal information. The data that may have been compromised includes customer name, email address, Total Tools password, mobile number, shipping address, and certain credit card information belonging to customers who shopped or registered on our website recently.

What Happened?

We were made aware of an issue with our website, and upon further investigation, we identified evidence of suspicious activity occurring. Our team, along with third-party forensic and cyber security experts took expedited steps to investigate the incident and assist with our response.

What Are We Doing?

    • We are confident that the issue which caused the incident has been removed from our website.
    • We are continuing to monitor our network, and undertaking additional processes to maximise our security.
    • We have informed the relevant authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
    • We have set out below several precautions we recommend that impacted customers consider taking to lower the risk of their information being potentially misused.


Office of the Information Commissioner reports that January to June 2024 saw the highest number of data breaches in three and a half years

The Office of the Information Commissioner has released its data breach report for the first six months of 2024. It is a useful if imperfect indication of the number of notifiable data breaches in Australia. The latest report shows an increased number of reportable breaches, reaching the highest number in three and a half years. It should be a given that the figures set out in these reports are very much an indication of trends: the actual number of data breaches is significantly higher. Some industries are more assiduous than others in reporting, and the legislation allows considerable latitude in interpreting what is a reportable data breach. The culture of reporting remains poor because the consequences of non-compliance with the legislation

The Commissioner provided a foreword to the Report in which she foreshadowed a more muscular approach to enforcement. Finally. The foreword provides:

Since the launch of the Notifiable Data Breaches (NDB) scheme in 2018, the Office of the Australian Information Commissioner (OAIC) has published statistical information about data breach notifications we have received. Our goal in doing so has been to help entities and the public understand privacy risks identified through the scheme, highlight areas that require attention and provide clarity around our regulatory approach.

Six years on, the NDB scheme is now mature, and we are moving into a new era in which our expectations of entities are higher, seen in our recent commencement of civil penalty proceedings against Medibank Private Limited and Australian Clinical Labs Limited. This enforcement action should send a strong message that keeping personal information secure and meeting the requirements of the NDB scheme must be priorities.

ASIC investigating how directors prepare for and respond to cyber attacks

September 18, 2024

The Australian Financial Review reports in ASIC pursues board directors over cyber breaches that it is investigating how directors deal with cyber attacks, both before and after they happen.  The ASIC Chair’s speech Effective compliance: Perspectives from the regulator highlights this increased focus. 

ASIC has been quite active in taking action against companies that have suffered data breaches, most notably its civil penalty proceeding against RI Advice, which concerned the adequacy of that licensee's cybersecurity risk management rather than the breaches themselves.

The speech by the ASIC chair

The much anticipated privacy reform has landed in the House of Representatives in the form of the Privacy and Other Legislation Amendment Bill 2024. It is quite a modest affair.

September 13, 2024

Yesterday the Government, via the Attorney-General, introduced the Privacy and Other Legislation Amendment Bill 2024. If passed before Parliament is prorogued ahead of next year's Federal election (which must be held by 17 May 2025 for there to be a concurrent House of Representatives and half Senate election) it will constitute a significant but modest reform of the quite inadequate Privacy Act.

The most significant change is the introduction of a Statutory Tort for Serious Invasions of Privacy.  It will be found at Schedule 2.  I have reproduced the entire Bill below.  

I will post on this proposal in more detail later but the highlights are:

  • the cause of action is confined to intrusion upon seclusion and/or misuse of information (clause 7) where the person had a reasonable expectation of privacy (clause 7(b)), the act(s) was/were intentional or reckless (clause 7(c)) and the invasion was serious (clause 7(d)).
  • it is actionable per se.
  • a defendant may rely on a public interest defence (clause 7(3)); the matters of public interest are listed at clause 7(4).
  • reasonable expectation of privacy is defined using a non-exclusive list of matters for the Court to consider (clause 7(5)).
  • seriousness is defined using factors to be weighed (clause 7(6)).
  • there are other specific defences set out at clause 8.
  • general damages are capped at the greater of $478,550 (clause 11(5)(c)) or the maximum damages for non-economic loss available under defamation law. Aggravated damages cannot be awarded but exemplary damages may be.
  • the court can order an account of profits, issue an injunction, or order an apology, a correction and a declaration.
  • the limitation period (clause 14) is:
    • for a plaintiff who was under 18 when the invasion of privacy occurred, before that person's 21st birthday
    • for all other plaintiffs, the earlier of:
      • the day that is 1 year after the day on which the plaintiff became aware of the invasion of privacy
      • the day that is 3 years after the invasion of privacy occurred.
  • there are immunities from suit, described as exemptions (at Part 3), for:
    • journalists
    • enforcement bodies
    • intelligence agencies
    • persons under the age of 18
  • the Federal Circuit and Family Court of Australia (Division 2) has jurisdiction.

Other notable provisions are:

  • Part 3 Emergency declarations
  • Part 4 Children’s privacy; the development of a Children’s Online Privacy Code
  • Part 8 Penalties for interference with privacy
  • Part 9 Federal court orders; expanded scope of orders that can be made
  • Part 15 Automated decisions and privacy policies
  • Schedule 3: creation of doxxing offences, to be section 474.17C of the Criminal Code.

Given the significant recommendations of the 2008 and 2014 ALRC reports, and even of the Attorney-General's own Report, that have not been acted upon, "modest" is the best description of the proposed amendments. It could have been a whole lot more, and led to a much better Privacy Act and by extension much better privacy protections for Australians.

The Conversation's Long-overdue Australian privacy law reform is here – and it's still not fit for the digital era aptly summarises the disappointing scope of the reform. It provides:

Almost four years since the Privacy Act review commenced, the Australian government has introduced a reform bill that fails to make most of the fundamental changes needed to modernise our privacy laws.

Attorney-General Mark Dreyfus said in May that the government would introduce legislation to reform a privacy regime that's "woefully outdated and unfit for the digital age".

Recent data breaches in Australia show the problem remains and that organisation

September 10, 2024

With amendments to the Privacy Act about to be introduced into the House of Representatives, or at least that is the expectation, it is worth listing the known significant data breaches in Australia in August:

Bloom Hearing

  • Bloom Hearing Specialists, which operates hundreds of clinics around Australia, confirmed that a "threat actor" had stolen data from the audiologist's network. In its statement, Bloom Hearing confirms that the data includes medical and financial records of current, past and prospective patients as well as current and former employees and contractors.

Regent Caravans – August 2024

  • Regent Caravans was hit by RansomHub, losing 30 gigabytes of data that included a large number of CAD files for the company's caravans, ordering details, and a folder of ID card photos of the company's employees.

NIST releases draft of digital identity guidelines for final review

September 9, 2024

NIST has released an update to its Digital Identity Guidelines for final review: a revised draft of NIST Special Publication (SP) 800-63 Revision 4 and its companion publications SPs 800-63A, 800-63B and 800-63C. While the focus of these guidelines is US practice and law, the issues they deal with are universal when it comes to data management, privacy and security.

The media release provides:

“Today’s draft revision from NIST highlights the Biden-Harris administration’s commitment to strengthening anti-fraud controls while ensuring broad and equitable access to digital services,” said Jason Miller, deputy director for management at the Office of Management and Budget. “By incorporating feedback from private industry, federal agencies, privacy and civil rights advocacy groups, and members of the public, NIST has developed strong and fair draft guidelines that, when finalized, will help federal agencies better defend against evolving threats while providing critical benefits and services to the American people, particularly those that need them most.”

“Everyone should be able to lawfully access government services, regardless of their chosen methods of identification,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “These improved guidelines are intended to help organizations of all kinds manage risk and prevent fraud while ensuring that digital services are lawfully accessible to all.”
