Federal Trade Commission takes action against data broking

December 2, 2016

The purchase of data in the United States is longstanding and has given rise to a data broking industry.  Under the Privacy Act such Read the rest of this entry »

Encryption guide

November 22, 2016

Privacy regulators release very good and comprehensive guidelines on data protection, anonymisation and encryption, particularly the Information Commissioner in the United Kingdom. The Fairfax press has published a reasonably good cut-down guide on encryption. It is actually a Read the rest of this entry »

UK Information Commissioner takes issue with London Borough of Ealing for losing court documents in a public street

November 18, 2016

The facts were almost comical.  In February this year a harried social worker gets to her car with a bundle of court documents under her arm.  To get to her keys she puts the documents on the roof of the car.  She opens the door and hops into the car and drives off to her next appointment.  The court documents disappear into the Read the rest of this entry »

Australian personal information being sold by corrupt at offshore call centres

November 16, 2016

Under the Australian Privacy Principle 8.1 an organisation must:

Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

  1. who is not in Australia or an external Territory; and
  2. who is not the entity or the individual;

the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

In short an organisation must Read the rest of this entry »

US Financial Industry Regulatory Authority fines totaling $650,000 against Lincoln Financial Network for failure to protect confidential customer information

The contrast between the way Australian regulators approach privacy breaches and those in other jurisdictions is stark. In Australia when the Privacy Commissioner takes action, rarely, the impact is minimal. The awards from determinations are risible, the terms of the enforceable undertakings are weak and not once has the Privacy Commissioner used the very strong injunction powers under the Privacy Act. As such the privacy culture of Australian organisations remains poor. There is no real incentive to improve.

By contrast the Information Commissioner has imposed monetary penalty notices of tens of thousands of pounds with such regularity as to not warrant comment. In the United States the Federal Trade Commission has imposed rigorous enforceable undertakings on organisations who mislead their customers about privacy protection. The Financial Industry Regulatory Authority has imposed very significant fines on organisations who have breached or exposed their customers’ personal information, as it did on 14 November 2016 when Lincoln Financial Securities Corporation was fined $650,000 and required to implement tighter security protocols after hackers in mid-2012 accessed its cloud server and stole the confidential records of roughly 5,400 customers. Read the rest of this entry »

New face verification service announced by Minister for Justice

Today the Hon Michael Keenan, Minister for Justice, has announced the first phase of a Face Verification Service. The claimed aim is to tackle identity crime.

The media release Read the rest of this entry »

US National Institute of Standards and Technology releases a guide to help assist small businesses with cybersecurity

Apart from obligations under Australian Privacy Principle 11, regarding data security, proper cyber security makes good business sense. Lloyd’s is reported to have said that Australia is exposed to a potential $16 billion damages bill over the next decade. According to Lloyd’s City Risk Index 2015 – 2025 Sydney is the 12th most exposed city with the exposure running at $4.86 billion of economic growth at risk. The next most exposed in Australia are, in order, Melbourne, Brisbane, Perth, Adelaide and Canberra. This comes as little surprise to privacy practitioners. The level of awareness of cyber risks in Australia is generally low, the privacy culture poor, the regulation inadequate and its regulation lethargic and timid. Given the potential legal liability under a number of causes of action that is very foolish behaviour by many businesses.

The National Institute of Standards and Technology (the “NIST”) produces many excellent publications on cyber issues, in particular regarding standards and security. Its publications are far more useful than the guidelines, such as those relating to information security, produced by the Privacy Commissioner, which run to the opaque and general.

The NIST has released a guide on helping small businesses improve their cyber security.  The press release Read the rest of this entry »

TRK & BVP v ICM [2016] EWHC 2810 (QB): privacy, misuse of private information, injunctive relief

November 15, 2016

Recently Justice Warby in TRK & BVP v ICM [2016] EWHC 2810 granted an injunction Read the rest of this entry »

86 Medicare data breaches by Department of Human Services in past financial year

A regular theme running through privacy and data protection law is how poorly government agencies and private organisations manage health records. That seems to be counterintuitive given the extraordinary problems that arise from revealing personal information held in medical records. Under Australian law there are potentially serious consequences for Read the rest of this entry »

A UK Historical Society fined for data breach by the Information Commissioner’s Office

November 14, 2016

Data breaches through lost or stolen laptops or other BYODs (bring your own devices) are quite common. Unlike lost paper documents it is possible to lose a significant amount of data held in digital form. Which is what happened to a Historical Society recently. The Information Commissioner has issued a Monetary Penalty Notice, fining the Historical Society £500.

The media release Read the rest of this entry »