Information Commissioner releases Annual Report

November 1, 2024

It is annual report season for Government agencies and authorities, and that includes the Office of the Australian Information Commissioner. Yesterday the Commissioner released its 194-page Annual Report for 2023–24.

Given the significant amendments to the Privacy Act 1988 it is better to look forward to how the Privacy Commissioner approaches her responsibilities with newfound powers rather than poring over the activities of the Privacy Commissioner over the past year. On that note the work rate improved, but it remained a timid regulator by any measure. Which is a pity given that the Information Commissioner’s remuneration was $576,174 and Deputy Commissioner Elizabeth Hampton’s was $380,091. The relatively newly appointed Privacy Commissioner, Carly Kind, is on $109,239.

In relation to privacy complaints the Commissioner stated:

Privacy has been very much in the spotlight, with the continuing incidence of major data breaches. In 2023–24, we received 13% more notifications under the Notifiable Data Breaches (NDB) scheme than the year prior, when there was a 4% increase. We lifted our response rate, closing 84% of notifications within 60 days (compared to 77% last reporting year). In the 2022–23 financial year we received a 34% increase in privacy complaints. This year, complaints have remained relatively high, with a slight decrease of 5% year on year. We successfully responded to this high demand, finalising 20% more privacy complaints (3,104 in total), building on last year’s increase of 17% (2,576 finalised in total).
We continued our focus on clearing longer-standing, generally more complex and resource-intensive complaints, finalising 84% (271) of the 322 matters that were over 12 months old as at June 2023. At the same time, more recent complaints increased in age over the reporting period. The volume of complaints, combined with the focus on the longest-standing, meant that by the year’s end there was an overall increase in matters older than 12 months to 729. The OAIC will continue to focus on aging cases through process efficiencies and the strategic application of resources.

What is quite unusual is that Read the rest of this entry »

Irish Data Protection Commission fines LinkedIn Ireland 310 Euros for breaches of the GDPR in its processing of personal data.

October 25, 2024

The Australian Government has put forward a Bill to increase penalties for breaches of the Privacy Act. That is to be welcomed. However, the penalties available to the regulators under the GDPR dwarf anything the Australian authorities could levy, and the obligations are far stricter. That is demonstrated by the Irish Data Protection Commission fining LinkedIn Ireland 310 million euros for breaches of the GDPR in processing personal data for behavioural analysis and targeted advertising.

The Commission’s media release:

The Irish Data Protection Commission (DPC) has today announced its final decision following an inquiry into LinkedIn Ireland Unlimited Company (LinkedIn). This inquiry was launched by the DPC, in its role as the lead supervisory authority for LinkedIn, following a complaint initially made to the French Data Protection Authority.

The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles (members). The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, and notified to LinkedIn on 22 October 2024, concerns the lawfulness, fairness and transparency of this processing. The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million. Read the rest of this entry »

Australian Department of Home Affairs suffers cyber attack

The Department of Home Affairs is partly responsible for the Government’s handling and regulation of cyber security. It developed the 2023-2030 Australian Cyber Security Strategy. So it is all the more galling that it has reportedly suffered a data breach which has exposed visa and passport details. But there should not be too much surprise. The Information Commissioner identified a trend of increasing attacks on Government websites. Government departments rely on, and enjoy collecting, masses of information.

The Australian article on the breach provides:

Cyber criminals have accessed sensitive visa and passport details, drivers’ licences and other personal information held by a data firm contracted by the ­Department of Home Affairs, which oversees Australia’s cyber security architecture and policy.

Visa-holders using the department’s Free Translating Service have been warned their visa application, grant and subclass numbers, full names, dates of birth, mobile numbers, email addresses, drivers licences and passports are compromised. Read the rest of this entry »

The Australian Information Commissioner issues updated guidance for charities and other not for profit organisations

October 24, 2024

The Australian Information Commissioner has issued updated guidance for charities and other not for profit organisations. Guidance documents are not regulations, but they are very important. Organisations which comply with the guidance and somehow still have a data breach or other form of interference with privacy may be able to argue that they have done all that was required of them. The reality is that if more organisations focused on complying with guidance and standards there would be far fewer data breaches. Clearly all investigations are fact specific, and compliance with a guideline does not provide any sort of immunity.

The statement from the Commissioner provides:

The updated guidance includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.

In particular, the updated guidance includes discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors. This area is particularly topical in the wake of high-profile data breaches affecting charities and NFPs.

Privacy Commissioner Carly Kind said the guidelines aim to help charities navigate their privacy responsibilities when collecting and handling personal information, and understand their obligations under the Privacy Act.

“We know how critical trust is to the work of not-for-profits and charities, and how important good privacy practices are to that trust”. Read the rest of this entry »

Singapore Data Protection Commission issues three undertakings responding to ransomware attacks

The Personal Data Protection Commission of Singapore issued three undertakings on Orchid Hotel Pte Ltd, Absolute Telecom Pte Ltd and Hiap Seng Engineering Ltd stemming from ransomware attacks involving each of the companies. Those data breaches were caused by insufficient IT security measures. The attacks affected the personal data of over 690,000 individuals.

The Commission requires affected organisations to implement remediation plans to rectify the immediate breach and address any systemic shortcomings to ensure compliance with the PDPA on a continual basis, such as:

  • Enforcing a stricter password policy requiring strong and unique passwords for all accounts
  • Implementing Multi-Factor Authentication (MFA)
  • Engaging a DPE service provider to implement basic data protection and cybersecurity measures
  • Conducting training sessions for employees to raise their awareness of data protection and cybersecurity best practices

National Institute of Standards and Technology releases a draft on the use of Cryptographic Algorithms and Key Lengths

October 22, 2024

The National Institute of Standards and Technology (“NIST”) has released a public draft on the use of cryptography and transitioning to stronger cryptographic keys and algorithms.

The abstract provides:

NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. This publication provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms.

Interesting points Read the rest of this entry »

UK and US issue statement on the protection of children online

One of the key challenges with regulation of the internet is how to protect the interests of children, including their privacy, effectively. Protecting children covers a very broad spectrum of activities: protecting their personal information, shielding them from damaging images, minimising the adverse effects of social media on children’s mental and physical health, eradicating the transmission of explicit images from adults to children or children to children, and stopping child pornography. It is difficult enough to regulate within a country, let alone deal with extraterritoriality. South Australia is considering banning social media for children. The report by former Chief Justice French proposes a Children (Social Media Safety) Bill 2024 which imposes a positive obligation on social media platforms to prevent access by children under the age of 14. It is complex.

The UK and the US have issued a joint statement on the protection of children online.

The statement provides:

The United Kingdom and the United States share fundamental values and a commitment to democracy and human rights, including privacy and freedom of expression. Both the United Kingdom and the United States, alongside our international partners, are taking steps to support children’s online safety.

To make the internet safer for children, we should aim to ensure all users have the skills and resources they need to make safe and informed choices online and advance stronger protections for children. The United States and the United Kingdom intend to work with our national institutions and organisations to support these goals and shared values. To help further these aims, both countries plan to establish a joint children’s online safety working group to advance the aims and principles of this statement. Read the rest of this entry »

UK Information Commissioner fines Police Service of Northern Ireland 750,000 pounds for exposing the personal information of its entire workforce

October 21, 2024

When it comes to poor data security practices and serious data breaches, the police and health service providers are generally amongst the worst performers. Both have serious cultural problems in treating personal information as confidential. Both often have serious system problems, especially with their IT. The UK Information Commissioner’s fine of £750,000 on the Police Service of Northern Ireland is the most recent example. Here the breach was the very common human error of uploading a document onto a webpage. That happens quite regularly. Here the document contained the personal information of all employees of the Northern Ireland Police Service. The consequences were baleful. The quality assurance processes failed. While the personal information was viewable for only 3 hours, the Police Service is working on the assumption that the information was accessed by dissident republicans who would use it to intimidate.

The media release provides:

We have fined Police Service of Northern Ireland (PSNI) £750,000 for exposing the personal information of its entire workforce, leaving many fearing for their safety.
Our investigation found that simple-to-implement procedures could have prevented the serious breach, in which hidden data on a spreadsheet released as part of a freedom of information request revealed the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff.
Mindful of the current financial position at PSNI and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.

Summary of the breach

On 3 August 2023, PSNI received two freedom of information requests from the same person via WhatDoTheyKnow (WDTK). The first asked for “… the number of officers at each rank and number of staff at each grade …”, the second asking for a distinction between “how many are substantive / temporary / acting …”.
The information was downloaded as an Excel file with a single worksheet from PSNI’s human resources management system (SAP). The data included: surnames and first name initials, job role, rank, grade, department, location of post, contract type, gender and PSNI service and staff number.

As the information was analysed for disclosure, multiple other worksheets were created within the downloaded Excel file. On completion, all visible onscreen worksheet tabs were deleted from the Excel file. The original worksheet, containing the personal details, remained unnoticed and this was also not picked up despite quality assurance. The file was subsequently uploaded to the WDTK website at 14:31 hours on 8 August.
PSNI was alerted to the breach by its own officers at approximately 16:10 hours the same day. The file was hidden from view by WDTK at 16:51 hours and deleted from the website at 17:27 hours.
Six days later, PSNI announced they were working on the assumption that the file was in the hands of dissident republicans and that it would be used to create fear and uncertainty and for intimidation.
John Edwards, UK Information Commissioner said: Read the rest of this entry »
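The breach summary above turns on a worksheet that nobody saw in the spreadsheet UI yet still sat inside the file that was published. The pre-release check below, an added example that is not part of the ICO’s release or of any PSNI process, opens an .xlsx as the ZIP package it actually is and lists every worksheet, including ones whose tab is hidden, with a count of populated cells, then flags any sheet not on the reviewer’s approved list. The sample workbook it audits is constructed inline with made-up rows (a visible summary tab plus a hidden tab of source rows) and contains only the package parts the check reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used inside an .xlsx package (Office Open XML).
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def audit_workbook(xlsx_bytes):
    """Enumerate every worksheet in the package, hidden or not, and count the
    populated cells on each.  Reading the raw package means nothing the
    spreadsheet UI hides from a reviewer is skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        workbook = ET.fromstring(pkg.read("xl/workbook.xml"))
        rels = ET.fromstring(pkg.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): r.get("Target")
                   for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            target = targets[sheet.get(f"{{{NS_REL}}}id")]
            # Targets are relative to xl/ unless written as an absolute part name.
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            ws = ET.fromstring(pkg.read(part))
            # A cell element with a child (<v> or <is>) carries a value.
            populated = sum(1 for c in ws.iter(f"{{{NS_MAIN}}}c") if len(c) > 0)
            findings.append({"name": sheet.get("name"),
                             "state": sheet.get("state", "visible"),
                             "cells": populated})
    return findings


def hidden_sheets_with_data(findings):
    """Sheets the UI does not show but which still carry cell values."""
    return [f["name"] for f in findings if f["state"] != "visible" and f["cells"] > 0]


def unexpected_sheets(findings, approved):
    """Any sheet not on the reviewer's approved list blocks release, visible or not."""
    return [f["name"] for f in findings if f["name"] not in approved]


def _sheet_xml(rows):
    """Minimal worksheet part using inline strings (constructed sample data)."""
    body = []
    for r, row in enumerate(rows, start=1):
        cells = "".join(
            f'<c r="{chr(65 + i)}{r}" t="inlineStr"><is><t>{escape(v)}</t></is></c>'
            for i, v in enumerate(row))
        body.append(f'<row r="{r}">{cells}</row>')
    return (f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
            + "".join(body) + "</sheetData></worksheet>")


def build_sample_xlsx():
    """Constructed package: a visible summary tab plus a hidden tab of source
    rows.  Only the parts the audit reads are written; the names are made up."""
    summary = [["Rank", "Count"], ["Constable", "2"]]
    source = [["Surname", "Initial", "Rank"],
              ["Example", "A", "Constable"], ["Sample", "B", "Constable"]]
    workbook = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                '<sheet name="Sheet1" sheetId="2" state="hidden" r:id="rId2"/>'
                '</sheets></workbook>')
    rel_type = NS_REL + "/worksheet"
    rels = (f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId1" Type="{rel_type}" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{rel_type}" Target="worksheets/sheet2.xml"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("xl/workbook.xml", workbook)
        pkg.writestr("xl/_rels/workbook.xml.rels", rels)
        pkg.writestr("xl/worksheets/sheet1.xml", _sheet_xml(summary))
        pkg.writestr("xl/worksheets/sheet2.xml", _sheet_xml(source))
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_workbook(build_sample_xlsx())
    for f in report:
        print(f"{f['name']:<10} {f['state']:<10} {f['cells']} populated cells")
    print("hidden sheets with data:", hidden_sheets_with_data(report))
    print("not on approved list:", unexpected_sheets(report, {"Summary"}))
```

The approved-list check is the one that matters for the scenario described: a sheet can be overlooked without being marked hidden, so the release gate should be “only these named sheets, and nothing else”, not merely “no hidden sheets”. Tab deletion in the UI is not a substitute; the audit reads what is in the file, which is what the recipient receives.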

The Australian Information Commissioner releases guidelines

AI presents a major regulatory challenge across a range of governmental and private activities, and that is especially the case with privacy. The UK Information Commissioner’s Office has issued detailed guidance and other resources on Artificial Intelligence. The US Federal Trade Commission raised issues on AI by way of a Big Data report in 2016, by post in 2017, a guidance by way of Q & A in 2020, and a finding on the use of Artificial Intelligence In the Matter of DoNotPay, Inc., Matter Number 2323042, September 25, 2024. Which brings us to the Australian Information Commissioner’s release of AI guidance today. There are actually 2 guides: one on the use of commercially available AI products, and a second for developers using personal information to train AI models.

AI needs personal information to work properly. Lots of it. Each of the guides highlights the care that needs to be taken in considering the operation of the Privacy Act when using and developing Artificial Intelligence.

The media release provides:

New guides for businesses published today by the Office of the Australian Information Commissioner (OAIC) clearly articulate how Australian privacy law applies to artificial intelligence (AI) and set out the regulator’s expectations.

The first guide will make it easier for businesses to comply with their privacy obligations when using commercially available AI products and help them to select an appropriate product. The second provides privacy guidance to developers using personal information to train generative AI models.

“How businesses should be approaching AI and what good AI governance looks like is one of the top issues of interest and challenge for industry right now,” said Privacy Commissioner Carly Kind.

“Our new guides should remove any doubt about how Australia’s existing privacy law applies to AI, make compliance easier, and help businesses follow privacy best practice. AI products should not be used simply because they are available.

“Robust privacy governance and safeguards are essential for businesses to gain advantage from AI and build trust and confidence in the community,” she said.

The new guides align with OAIC focus areas of promoting privacy in the context of emerging technologies and digital initiatives, and improving compliance through articulating what good looks like.

“Addressing privacy risks arising from AI, including the effects of powerful generative AI capabilities being increasingly accessible across the economy, is high among our priorities,” Commissioner Kind said.

“Australians are increasingly concerned about the use of their personal information by AI, particularly to train generative AI products.

“The community and the OAIC expect organisations seeking to use AI to take a cautious approach, assess risks and make sure privacy is a key consideration. The OAIC reserves the right to take action where it is not.”

While the guidance addresses the current situation – concerning the law, state of technology and practices – Commissioner Kind said an important focus remains how AI privacy protections could be strengthened for the benefit of society as a whole.

“With developments in technology continuing to evolve and challenge our right to control our personal information, the time for privacy reform is now,” said Commissioner Kind.

“In particular, the introduction of a positive obligation on businesses to ensure personal information handling is fair and reasonable would help to ensure uses of AI pass the pub test.”

The OAIC has published a blog post with further information about the privacy guidance for developers using personal information to train generative AI models.

The first guide Read the rest of this entry »

With the Federal Government proposing a statutory tort of interference with privacy, a story about a homeowner pointing CCTV into a neighbour’s backyard

October 17, 2024

Nine News reports, in ‘Am I justified?’: Homeowner installs CCTV camera pointing straight into neighbour’s backyard, on a homeowner installing a camera pointing into a neighbour’s yard. At the moment the legal options are cumbersome and generally ineffective. There is no tort of harassment, it would be difficult to successfully argue nuisance, and it is not possible to argue trespass. A tort of interference with privacy would however deal with such egregious conduct. As the story makes clear, the Privacy Act does not apply. Not so in the UK, where the Information Commissioner does have powers and has issued guidance as to the placement of CCTV. The Commissioner has stated in summary that:

Where possible owners should position their cameras to only capture their own property. However, if this isn’t possible and the CCTV captures someone else’s property, a public area or communal space, then data protection law applies. This is because CCTV can capture images and voices of other people, and this counts as their personal information.

It is not theoretical. In 2021, in Dr Mary Fairhurst -v- Mr Jon Woodard, the Oxford County Court in the UK ordered the defendant to pay 100,000 pounds for breach of the Data Protection Act in collecting Read the rest of this entry »
