Privacy, Victorian government agencies and notification about data breaches

September 19, 2014

There are no mandatory data breach notification laws in any jurisdiction in Australia. In that regard Australia lags the USA, where 47 of the 50 states have such laws. A voluntary system of notification results in patchy notification, often after or in anticipation of negative publicity. The Age, in "Government agency leaks customer details without telling", reports on the reluctance of an as yet unknown government agency to notify the fewer than 50 customers whose personal information, which included their full names, addresses and sums on their bills, was leaked through a BPay View system. The agency contacted the affected customers after the Privacy Commissioner, now the Commissioner for Privacy and Data Protection as of 17 September 2014 (see here for press release), recommended that it do so. The basis of the story is found in the Annual Report of the Privacy Commissioner, which was recently tabled in Parliament (found here).

The article provides:

A government authority has leaked the billing and contact details of Victorians online, but decided against telling affected customers even though the privacy breach posed a “medium to high” level threat.

The undisclosed state authority responsible for the breach notified Privacy Victoria about problems affecting its online payment system after discovering the personal information of some customers could be seen by other users.

According to the Victorian Privacy Commissioner’s annual report, tabled in state parliament on Thursday, the exposed details included customers’ full names, home addresses and amounts owing on bills.

The state government and the Privacy Commissioner’s office would not say which statutory authority was involved. Deputy Privacy Commissioner, Helen Lewin, said less than 50 customers had been affected by the breach and that the incident did not involve the release of credit card details. 

The government authority contained the breach within three hours by suspending its BPay View system, and set up a “contact point” for customers who were either unable to view their bills or had inadvertently viewed other people’s bills.

But it failed to immediately notify customers whose details were exposed as a result of the payment glitch. Only later, after producing a report about how the error had been fixed and steps had been put in place to prevent it from being repeated, was a recommendation made by Privacy Victoria to tell the affected customers.

“Privacy Victoria reviewed the authority’s breach notification report, finding that whilst the authority had acted promptly in containing the breach, [it] had made a decision to not notify the affected individuals,” the annual report said.

“Furthermore, Privacy Victoria found that as such bills are often used as a source of secondary identification documentation, the incident posed a medium to high risk to affected individuals and recommended that the authority notify affected individuals of the incident.”

On Thursday Ms Lewin said the authority had cooperated with the recommendation to inform the additional customers. “Our normal practice is to follow up recommendations on a six-monthly cycle unless there are risk factors that require otherwise,” she said. 

The Privacy Commissioner’s 2013-14 annual report details other alarming examples of possible privacy breaches, with some of the 2468 inquiries dealt with over the year involving the use of biometrics and cloud services.

One person reported concerns about a plan floated by their boss to collect staff members’ biometric information in a bid to record attendance levels at work.  

Inquiries about surveillance were the highest they have been in the past five years (192 contacts), with concerns about CCTV, smart phones being used to record meetings, and electronic devices being used to track people topping the list.

Calls about property have been consistent in recent years, but there was an increase of almost 300 per cent in inquiries about tenants’ rights when landlords want to photograph and film rental properties to advertise inspections.
