Luxottica loses lucrative contract because it sent personal information overseas

July 25, 2014

Under the Privacy Act, Australian Privacy Principle 8, relating to personal information being sent offshore, is detailed, comprehensive and can be complicated. It must necessarily be so given the significant risks of sending personal information to overseas locations where the protections may not otherwise be sufficient. The Australian reports, in Luxottica’s $33.5m contract axed after Defence personal data sent offshore, that once the unauthorised transfer of personal information overseas was detected, the Department of Defence took the only prudent course of conduct and terminated the contract. It will be interesting to see whether the Privacy Commissioner investigates.

The article provides:

LUXOTTICA Retail Australia, which owns the OPSM brand, has lost a $33.5 million contract after checks revealed it sent the personal information of some Defence personnel offshore.

Medibank Health Solutions moved quickly to terminate its contract with sub-contractor Luxottica after a routine review earlier this month revealed that the personal details of Defence staff seeking optical services had been sent to an unnamed overseas location. Read the rest of this entry »

As drones become more common so do their uses…. now “dronies”

I have long posted on the development of drone technology, the exponential growth of the commercial and hobbyist market and the corresponding potential to interfere with privacy. In their non-commercial use, drones started with the traditional hobbyist thing of lifting off from an oval or field, flying around for a while and then touching down, and then progressed to mounting video cameras. With greater capacity and longer lasting batteries, the uses are getting more sophisticated. The Age reports, in ‘Dronies’ take-off creating aerial headaches for safety regulators, on drones being used to take selfies, photographs of the operators from overhead.

The angle of the story is Read the rest of this entry »

End of privacy articles…. more jeremiads..

July 23, 2014

There have been a few articles on “the end of privacy” in the recent past, including in The Monthly and by Thomas Friedman. While it is useful to have an ongoing discussion on privacy, in particular the legal concept and protections, all too often the commentary and reportage is reduced to a jeremiad about how privacy is lost and never to be regained. Generally good copy on an emotional level but analytical dross.

The Monthly’s The end of secrets, Privacy is fast becoming a quaint old-fashioned thing, while trying to be an interesting overview of the concept of privacy, the role of government surveillance, its abuse, the cult of celebrity and its conflict with privacy, ends up being a very well written jumble. It daintily steps onto the various touchstone issues and then moves on to the next. But well polished sentences do not make a strong analytical piece. It is at best a taste of the issues.

It provides:

On a Sunday afternoon in late April, in a grand old ballroom in Melbourne, I read aloud a love letter I’d written to a man I call “my mysterious stranger”. The man, never named in the letter, was not present. I have never shown it to him. I wrote it to share with some 400 other strangers, mysterious in their own right but all aware that what goes on in the ballroom stays in the ballroom. No recordings, no tweets. Such are the ground rules of Marieke Hardy and Michaela McGuire’s Women of Letters events: though open to the public, they’re gloriously private. Read the rest of this entry »

US privacy action against Google

There have been privacy proceedings against Google in Europe from both individuals and regulators with a frequency bordering on regularity. The most famous case of recent origin was the right to be forgotten case (European Court of Justice media release here and the case of Gonzalez v Google is here).

The Age reports, in Google to face privacy lawsuit in the US, that Android phone users are taking action against Google in what is framed as a breach of contract and fraud claim but really relates to a privacy related course of conduct. Unfortunately the constraints on privacy protection through the privacy tort are significant so often it becomes necessary to Read the rest of this entry »

UK Information Commissioner reports an increase in complaints in the last 12 months

July 16, 2014

The Information Commissioner’s annual report for 2013/14 provides some sobering statistics including:

  • receiving 14,738 data protection complaints in the past year.  It received 13,760 in the previous year.
  • resolving 15,492 data protection complaints in the last 12 months.
  • half of all the data protection complaints related to the alleged mishandling of subject access requests.
  • 17% were directed at lenders, 12% at local government agencies and 10% at health bodies.
  • the ICO launching an investigation into 1,755 data protection cases and imposing fines totalling £1.97 million for serious breaches of the Data Protection Act.
  • more than 260 reports from communication service providers about personal data security breaches they suffered.

It is relevant to note that, pursuant to the EU’s directive on the notification of personal data breaches, it is mandatory to inform the ICO within 24 hours of detection of a personal data breach. With that notification the ICO should be supplied with categories of information about the breach, including Read the rest of this entry »

Another portable device loaded with sensitive information stolen in an all too common privacy breach

There is a red-faced court reporter in Ohio at the moment. The hapless person lost a laptop computer and USB stick from an office inside the Summit County Courthouse, as is reported in Laptop with sensitive information stolen from Summit County Courthouse.

Losing computers and flash drives is a moment of annoyance and possibly a hit to the wallet. It gets more serious when the devices contain sensitive information about ongoing court cases. Then it is a serious privacy breach.

Portable devices are notorious weak points in data security and Read the rest of this entry »

An app for posting anonymously

July 15, 2014

Anonymous communication is an important feature of the internet.  It finds little favour with older users and organisations.  But APP 8 of the Privacy Act makes it clear that except where the exceptions apply (and they can be broad ranging in some areas) an individual should have the right to communicate anonymously or pseudonymously.

Apps are notoriously dangerous from a privacy perspective. The security architecture is often weak and the means by which they transfer data insecure, with poor privacy policies, let alone protocols, programs and training to deal with privacy breaches.

It is then curious that a company called Secret has developed an app to let users post messages anonymously, even on Facebook, as reported in Secret, an app for posting anonymously lets users tap into Facebook. Of course, as with many apps, the price for using the product for free is Read the rest of this entry »

Salient lesson on deleting data on devices

A constant problem in the digital age is deleting data stored on digital devices. Computers, photocopiers, scanners, printers and smart phones have, to a greater or lesser extent, storage capacity. They are devices that are readily turned over, sometimes for resale. Personal information stored on those devices is as much the responsibility of an organisation if it is covered by the Privacy Act or state legislation. Documents are Read the rest of this entry »

Cybersecurity and privacy issues

The current edition of the Economist has a special report on cybersecurity.  For those practising in privacy law it should be mandatory reading.  It gives a brilliant synopsis (as the Economist can do so well) of the key issues and future developments. For those just interested in cyber security it should also be mandatory reading.

In the series of articles:

Pound Road Medical Centre: Own motion investigation report by Privacy Commissioner

The Privacy Commissioner has conducted an own motion investigation into Pound Road Medical Centre. The investigation applied the Privacy Act as in force prior to the amendments taking effect on 12 March 2014.

On 23 November 2013, a shed located at 16 Amberley Park Drive, Narre Warren South was broken into. There were boxes of medical records located in the locked shed. During the break-in, the boxes, and therefore the documents, were compromised. The medical records were created when PRMC operated as a medical centre at the site. PRMC ceased operating the medical practice at the site from 6 April 2011, and since this date has conducted its practice from new premises.

In about October 2012, the records were transferred from a locked room inside the site to the shed so that renovations for sale of the site could occur. The shed door was locked with three padlocks. PRMC believed that all the paper-based health records stored at the site were transferred to a locked store at its new premises.

A representative from PRMC initially visited the site two to three times a week and later once a week for purposes of maintenance, repairs and renovations to prepare the site for sale.

The Office of the Australian Information Commissioner (OAIC) was notified that there were boxes of unsecured medical records at the site on 25 November 2013.

The personal information compromised in the data breach consisted of:

  1. patients’ ‘identifying particulars’, Read the rest of this entry »