Delaware passes law requiring destruction of personally identifiable information

July 28, 2014

It is a core feature of most privacy and data legislation that organisations and governments should retain personal information only for the period required and for the purpose for which it was collected. In data breach cases it is common to find that organisations with poor data security also have hopeless data management practices: keeping records long after they have any utility, keeping old customer information, and generally storing data in one place so as to make a hacker's job much easier than it would otherwise be. In the UK

Half of most popular Android mobile apps have vulnerabilities

Itnews reports in Popular Android apps inherit bugs from recycled code that at least half of the 50 most popular Android apps have security problems. That is hardly a surprise. Privacy regulators around the world have focused on deficiencies in app development. Apps are notorious for poor privacy practices, ranging from the software itself through to totally inadequate privacy policies. Most privacy regulators have released guidance on apps, the most recent being the New Zealand Privacy Commissioner's Need to Know or Nice to Have, released earlier in July. In the Australian context the problem is that many app developers are small businesses as defined in the Privacy Act and so are often not covered by its operation.

UK Information Commissioner serves monetary penalty notice on Think W3 Limited for serious privacy breaches

July 27, 2014

On 24 July 2014 the Information Commissioner’s Office in the United Kingdom (the ICO) served on Think W3 a very substantial monetary penalty notice of £150,000 after determining that personal details in 1,163,996 credit and debit card records had been accessed.

The ICO media notice provides:

Think W3 Limited, an online travel services company, has been served a £150,000 monetary penalty after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.

The company was hacked in December 2012 after using insecure coding on the website of a subsidiary business, Essential Travel Ltd. The hacker extracted a total of 1,163,996 credit and debit card records. Of these records 430,599 were identified as current and 733,397 as expired.

Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.

Catch of the day – notification of a data breach 3 years later….

Last week Catch of the Day announced it had suffered a data breach in which customer passwords and credit card details were stolen… 3 years ago. Itnews covered the story in Catch of the Day reveals three-year old data breach.

There are no mandatory data breach notification laws in Australia. It is a large gaping hole in the privacy regulation. There is no good legal reason for this lapse beyond legislative lethargy. Last year's attempt to enact a fair-to-middling notification bill lapsed when parliament was prorogued. There is currently a bill in the Senate which aims to achieve the same result (being the same bill in all respects as the 2013 version) but, because of political manoeuvring, it is likely to fail. At some stage such legislation will be introduced. It is too large a problem not to be addressed. But, as with most privacy-related matters in Australia, the response will likely be slow in coming, reluctantly enacted, inadequate, and probably half a cycle behind developments in the technology.

The story provides:

Delays advising customers of early 2011 “cyber intrusion”.

Daily deals website Catch of the Day last night revealed it had suffered a serious data breach in 2011 that led to customer passwords and a number of credit card details being stolen.

Report reveals confusion about data sharing by government agencies

In its report titled Data Sharing between Public Bodies: A Scoping Report, the UK Law Commission highlights what it describes as “widespread misunderstanding and confusion” by and between UK public bodies about their ability to legally share data. In its report the Law Commission recommends

Luxottica loses lucrative contract because it sent personal information overseas

July 25, 2014

Under the Privacy Act, Australian Privacy Principle 8, which governs personal information being sent offshore, is detailed and comprehensive, and it can be complicated. It must necessarily be so given the significant risks of sending personal information to overseas locations where the protections may not otherwise be sufficient. The Australian reports in Luxottica’s $33.5m contract axed after Defence personal data sent offshore that once the unauthorised transfer of personal information overseas was detected the Department of Defence took the only prudent course of conduct and terminated the contract. It will be interesting to see whether the Privacy Commissioner investigates.

The article provides:

LUXOTTICA Retail Australia, which owns the OPSM brand, has lost a $33.5 million contract after checks revealed it sent the personal information of some Defence personnel offshore.

Medibank Health Solutions moved quickly to terminate its contract with sub-contractor Luxottica after a routine review earlier this month revealed that the personal details of Defence staff seeking optical services had been sent to an unnamed overseas location.

As drones become more common so do their uses…. now “dronies”

I have long posted on the development of drone technology, the exponential growth of the commercial and hobbyist market and the corresponding potential to interfere with privacy. In non-commercial use, drones started with the traditional hobbyist routine of lifting off from an oval or field, flying around for a while and then touching down, and then progressed to mounting video cameras. With greater capacity and longer-lasting batteries the uses are getting more sophisticated. The Age reports in ‘Dronies’ take-off creating aerial headaches for safety regulators on drones being used to take selfies: photographs of the operators from overhead.

The angle of the story is

End of privacy articles…. more jeremiads..

July 23, 2014

There have been a few articles on “the end of privacy” in the recent past, including in The Monthly and by Thomas Friedman. While it is useful to have an ongoing discussion on privacy, in particular the legal concept and its protections, all too often the commentary and reportage is reduced to a jeremiad about how privacy is lost, never to be regained. Generally good copy on an emotional level, but analytical dross.

The Monthly’s The end of secrets: Privacy is fast becoming a quaint old-fashioned thing, while trying to be an interesting overview of the concept of privacy, the role of government surveillance and its abuse, and the cult of celebrity and its conflict with privacy, ends up being a very well written jumble. It daintily steps onto the various touchstone issues and then moves on to the next. But well-polished sentences do not a strong analytical piece make. It is at best a taste of the issues.

It provides:

On a Sunday afternoon in late April, in a grand old ballroom in Melbourne, I read aloud a love letter I’d written to a man I call “my mysterious stranger”. The man, never named in the letter, was not present. I have never shown it to him. I wrote it to share with some 400 other strangers, mysterious in their own right but all aware that what goes on in the ballroom stays in the ballroom. No recordings, no tweets. Such are the ground rules of Marieke Hardy and Michaela McGuire’s Women of Letters events: though open to the public, they’re gloriously private.

US privacy action against Google

There have been privacy proceedings against Google in Europe from both individuals and regulators with a frequency bordering on regularity. The most famous case of recent origin was the right to be forgotten case (the European Court of Justice media release is here and the case of Gonzalez v Google is here).

The Age reports in Google to face privacy lawsuit in the US that Android phone users are taking action against Google in what is framed as a breach of contract and fraud claim but really relates to a privacy-related course of conduct. Unfortunately the constraints on privacy protection through the privacy tort are significant, so often it becomes necessary to

UK Information Commissioner reports an increase in complaints in the last 12 months

July 16, 2014

The Information Commissioner’s annual report for 2013/14 provides some sobering statistics, including:

  • receiving 14,738 data protection complaints in the past year, compared with 13,760 in the previous year.
  • resolving 15,492 data protection complaints in the last 12 months.
  • half of all data protection complaints related to the alleged mishandling of subject access requests.
  • 17% of complaints were directed at lenders, 12% at local government agencies and 10% at health bodies.
  • the ICO launching investigations into 1,755 data protection cases and imposing fines totalling £1.97 million for serious breaches of the Data Protection Act.
  • more than 260 reports from communication service providers about personal data security breaches they suffered.

It is relevant to note that, pursuant to the EU’s directive on the notification of personal data breaches, notifying the ICO within 24 hours of detecting a personal data breach is mandatory. With that notification the ICO should be supplied with categories of information about the breach, including