Victorian Information Commissioner finds that Public Transport Victoria has breached the privacy of myki users. A cause of action?

August 15, 2019

In a brilliant piece of analysis Dr Chris Culnane, Associate Professor Benjamin Rubinstein and Associate Professor Vanessa Teague of the University of Melbourne have demonstrated in their paper released today, titled Stop the Open Data Bus, We Want to Get Off, that de-identification of unit record level data does not work without substantially altering the data to the point where its value is reduced.  The analysis was based on the data released by the Victorian Government into a data science competition.  The authors have demonstrated that a combination of only needing a small number of points of information to make an individual unique and poor quality anonymisation and security techniques makes it quite easy to re-identify individuals.

In the case of the myki data the authors found that “little to no de-identification took place on the bulk of the data.”  They found it was a straightforward task to re-identify two of the co-authors' cards.  They also established that it is possible to identify a stranger from public information about their travel patterns, for example from Twitter, to name just one source.  They identified Read the rest of this entry »

The Western Australian Government announces that it will start the process to implement privacy legislation in that state

August 12, 2019

Western Australia and South Australia have been outliers in not having any statutory framework for the protection of personal information. That is likely to change, a little, with the Western Australian Government, through its Attorney General, releasing a discussion paper titled Privacy and Responsible Information Sharing for the Western Australian public sector.

As the name suggests whatever structure is implemented will only apply to personal information collected, used and stored by the Government and its agencies, statutory authorities and other instrumentalities. Even though it is a discussion paper the Government is clearly envisaging following the legislative structure adopted in New South Wales, Victoria and Queensland. Each of those jurisdictions has a privacy and data protection act and has established Read the rest of this entry »

A significant data breach of medical histories at Neoclinical, an example of how not to respond to a data breach; meanwhile the ACCC commences action against HealthEngine for selling its customers' data. Big problems with data security in the health sector, no news there…

August 8, 2019

Paradoxically the one type of data that is regarded as most sensitive, health information, is often the most poorly protected.  The privacy protection culture is poor, insufficient resources are put into protecting personal information and staff training is oftentimes rudimentary.  There is a constant stream of breaches reported, including in the last fortnight thousands of pharmaceutical records leaked in the US, a data breach at Presbyterian Healthcare Services in Albuquerque that resulted in unauthorised access to the records of 183,000 patients, the all too regular instance of medical records in paper form being left on the street, this time in London, Canada, and a health centre in Kentucky paying a $70,000 ransom to unlock the medical records of 20,000 patients. There are clear challenges in securing personal information in health centres and hospitals, with many individuals having access to data at many terminals; however the challenges are surmountable.  Most data breaches are a result of poor practices and insufficient time, money and effort going into setting up proper hardware and software, establishing proper processes and training, and then more training.

The Nine/Fairfax press reports on a major data breach at Neoclinical, a company which matches individuals with active clinical trials.  The data is sensitive by definition, but it is even more concerning given that the data Neoclinical held was users' responses to questions qualifying them for clinical trials.  Those sorts of questions go to medical diagnoses, illicit drug use and treatments received.  The breach involved its 37,170 users.  The breach was detected by UpGuard, which sent an email to Neoclinical.  Neoclinical did not notify the Information Commissioner about the breach when notified or even shortly after.  It did nothing until Read the rest of this entry »

The predictability of abuses in accessing retained metadata…with an equally predictable damage to privacy

August 1, 2019

The newspaper the Australian has hardly been a standard bearer of privacy rights. Whenever there has been even a whiff of a suggestion that the Parliament would consider a statutory tort to give individuals a right to bring an action for an interference with their privacy, the paper has gone into overdrive predicting the end of civilisation.  See my posts in 2012, 2013 and again in 2013, and a less dismissive but no less hostile brief piece in 2018.  And there are others.  It has been a generally poorly argued, high octane, almost Read the rest of this entry »

Australian Competition & Consumer Commission releases the Digital Platforms Inquiry – calls for more privacy protections amongst many other recommendations

July 30, 2019

Last Friday, 26 July 2019, the Australian Competition & Consumer Commission released its long anticipated and comprehensive final report.  At 623 pages it is something of a tome, not surprisingly given the broad and comprehensive recommendations it makes. The executive summary is found here.

The scope of the recommendations covers issues of competition and protecting diversity in the media, issues of critical importance but beyond the usual coverage of this publication.

Relevant for this site are the recommendations for more privacy protections. That includes Read the rest of this entry »

National Australia Bank suffers data breach involving 13,000 customers

July 28, 2019

There has been widespread coverage of a data breach at the NAB involving the personal information of 13,000 customers being uploaded to two data companies without permission. The data provided to the mysterious data companies is extensive: names, dates of birth, contact details and sometimes government issued identifiers.  Close to enough to undertake some identity theft and get close to accessing accounts.  It is serious but mitigated by the fact that the breach was only to third party providers known to the NAB.  From the tenor of the story it is likely that the data providers knew of and have or had some form of relationship with the NAB. As such the disclosure is more containable than a disclosure to the world or a hack.  The difficulties with personal information being provided to third party providers are that Read the rest of this entry »

Federal Trade Commission imposes $5 billion penalty and says it imposed sweeping new privacy restrictions

July 26, 2019

The Federal Trade Commission (FTC) has formally imposed a $5 billion fine on Facebook arising out of its breach of the 2012 FTC order.  The breaches related to the sharing of data with third party users, to wit making that information available to Cambridge Analytica, as well as launching Privacy Shortcuts and Privacy Checkup in 2014, which were supposed to help with managing privacy settings but did not disclose Read the rest of this entry »

Equifax settles its 2017 data breach with the Federal Trade Commission for at least $575 million

July 22, 2019

It is something of a myth that there is no privacy and data protection regulation in the United States.  In the United States privacy and data protection in certain sectors, such as health and finance, is the subject of comprehensive regulation and the authorities are not afraid to enforce the law.  Another area of strong regulation is consumer protection, with the Federal Trade Commission using its powers to litigate, enter into onerous and long term enforceable undertakings and levy heavy fines for breaches.

The most recent example of the FTC wielding the very big regulatory stick is its proposed settlement with Equifax to resolve its complaint regarding Equifax's 2017 data breach, which affected approximately 147 million people. The FTC brought a formal complaint in the US District Court. As is common, the FTC alleged a misrepresentation as to protecting privacy and providing security and confidentiality of personal information.

Today, in a 74-page proposed settlement, Equifax has agreed to a judgment being entered against it in the sum of $425 million.  Of that, $300 million will Read the rest of this entry »

Omar Property Pty Ltd & Others v Amcor Flexibles (Port Melbourne) Pty Ltd [2019] VSC 446 (3 July 2019); discovery, content of pleadings and redactions

In Omar Property Pty Ltd & Others v Amcor Flexibles (Port Melbourne) Pty Ltd [2019] VSC 446 the Supreme Court, per Mukhtar AsJ, considered the principles governing the ambit of discovery and the use of redactions in a hard fought discovery application.

FACTS

The five-day trial date was vacated because of three intervening discovery fights [1].

This decision related to the first fight.

The proceeding is a dispute over a commercial lease of industrial premises. The question is whether the defendant has validly exercised an option to renew its lease or is entitled to renew the lease. The plaintiff says Read the rest of this entry »

UK Information Commissioner intends to fine Marriott International 99 million pounds and British Airways 183.39 million pounds. The GDPR bites for data breaches

July 16, 2019

With the General Data Protection Regulation in force in the United Kingdom, the Information Commissioner has greatly enhanced powers to fine those who breach data protection laws.  And in that vein the Commissioner announced on 8 July 2019 an intention to fine British Airways £183.39 million for a data breach in September 2018 which resulted in the personal information of 500,000 people being compromised.  As is often the case, investigation after the breach revealed Read the rest of this entry »