A significant data breach by the Commonwealth Bank. The real question: what will be the consequences?

May 3, 2018

The Commonwealth Bank of Australia has suffered a major data breach involving the records of 20 million customers. The breach occurred in 2016. It has only been made public now, after media reports; the CBA only issued a statement once those reports appeared. That is a dreadful approach to data breaches. Conceal until you can’t. Then obfuscate. The CBA is not an outlier in its reaction to this data breach. Unfortunately it is all too common in Australia. Perhaps that will change with the mandatory data breach notification scheme, but proper enforcement is required. Incredibly, the Information Commissioner was notified in 2016 and took no enforcement action. No enforceable undertakings even. That was, and remains, a dreadful mistake. The Australian Prudential Regulation Authority has been more active and transparent than the Information Commissioner’s Office in dealing with privacy breaches. If that is not an indictment on the Information Commissioner…

Privacy Commissioner speech on Digital Media and Digital Advertising

April 17, 2018

The Acting Privacy Commissioner, Angelene Falk, recently gave a speech titled Privacy in Digital Media and Digital Advertising.

It is a speech very much in the vein of the previous Privacy Commissioner: completely unobjectionable, very reasonable, topical and accurate. It hit the current affairs notes, commenting on Facebook/Cambridge Analytica and the topical regulatory change, the upcoming implementation of the GDPR in Europe. It is also completely neutral about what the regulator expects in concrete terms and what it may do in “fostering a privacy culture…” And that does not bode all that well for a change in direction for one of the least effective regulators at the Commonwealth level. Bromides and exhortations to comply with the law are fine, but never as effective as strategic and forceful enforcement, which will send a message to the market.

The speech relevantly…

Early report on mandatory data breach notification laws – Australian Information Commissioner releases first quarterly report. Sixty-three notified breaches in the first 6 weeks of the law’s operation

April 12, 2018

The Office of the Australian Information Commissioner has published the first quarterly report on data breach notifications under the mandatory data breach notification legislation, which came into effect on 22 February 2018. Not surprisingly, on a pro rata basis the number of notifications far exceeds the rate of notification under the previously voluntary scheme: 63 breaches in 6 weeks as opposed to 114 notifications in the last 52 weeks of the voluntary scheme. If the rate of notifications remains consistent then 546 reports could be expected, almost 5 times the rate under the voluntary scheme. Because the legislation requires organisations and agencies to undertake self assessment as to whether a breach requires notification, and some organisations will seek to take a less conservative approach, and take a risk in doing so, the figures are probably not a complete record of data breaches…

Privacy and Information Commissioner releases guide to managing data breaches… just in time for the commencement of the Notifiable Data Breach legislation

February 21, 2018

The draft guidelines relating to the impending data breach legislation have now been finalised and were released yesterday. All 64 pages of them.

While the guidelines are not regulations, they will be very important when developing the processes and procedures necessary to deal with a data breach. They will also be important when actually dealing with a data breach. What is notable about this Guideline is that, while it is comprehensive in one respect, addressing key issues in each category, and provides a very useful structure when dealing with a data breach, it is drafted in broad and sometimes opaque terms. That means there will need to be consideration of relevant principles of law when dealing with particular provisions of the Privacy Act. The absence of case law does not assist. It is a starting point only for…

The Australian Information and Privacy Commissioner, Timothy Pilgrim, to retire on 24 March 2018

February 20, 2018

According to a report in the Mandarin, Last man standing: information and privacy commissioner Timothy Pilgrim to retire, Timothy Pilgrim, the Privacy and Information Commissioner, is to retire on 24 March 2018. It is also reported in itnews, computerworld and zdnet.

Timothy Pilgrim has been one of the better privacy commissioners. That is a comparative measure only. His predecessors ranged from ineffective to hopeless. As a result the privacy and data security culture has been poor. Pilgrim was far more active than his predecessors, both in terms of work rate and general profile. But objectively measured he was a timid and tentative regulator. Even allowing for a limited budget from 2014, the Office of the Information Commissioner took a very low profile. His determinations were excessively conservative and…

A refreshing and timely story on the Commonwealth Bank accused of misleading the Privacy Commissioner, and the Privacy Commissioner cops criticism for its handling of that deception

December 20, 2017

Tonight’s 7.30 program has a story, titled Commonwealth Bank accused of misleading the Privacy Commissioner about a privacy complaint, where the sting is the Commonwealth Bank failing to provide proper disclosure of documents. The determination is…

With mandatory Data Breach Notification legislation coming into effect in February 2018, the Information Commissioner releases draft Notifiable Data Breach guidelines and puts retailers on notice about their obligations.

November 6, 2017

It is less than 6 months before the mandatory data breach notification laws take effect. February 22 2018 to be precise. It will impact all organisations and agencies covered by the Privacy Act and may require them to report data breaches of personal information. This has been the norm in 48 states of the United States for some time. In the United States, receiving notices under whichever data breach legislation is in operation is, if not common, then not unusual. That is an indicator of the frequency and impact of data breaches on business and government. Cyber crime for profit and malicious hacking is a chronic problem. In Australia there has been no requirement to notify individuals whose personal information has been accessed through a data breach. There have been self reported data breaches to the Information Commissioner, sometimes because of good corporate practice but more often because the breach had been publicised.

The Australian legislation is far from the gold standard. It is complex and quite imprecise. It will require considerable care by organisations and agencies to develop policies as early as possible to properly comply with the legislation when there is a data breach. There is little point trying to work out how to comply while dealing with a data breach. Notifications must be made within 30 days from the date the breach is detected. That is the outer limit. While the time frame seems generous, given the…

Privacy Commissioner investigates data breach at Flight Centre and Cosmetic Institute

August 23, 2017

On 15 July 2017 I posted on the very serious data breach by Flight Centre. It has been covered fairly widely by the media, on the ABC, MSN Nine and the Sydney Morning Herald, to name a few.

A month later the Privacy Commissioner has decided to investigate the data breach. It made its announcement on 18 August 2017. The announcement provides:

On 15 August 2017, the Acting Australian Information Commissioner opened an investigation into Flight Centre, examining an alleged data breach involving the release of the personal information of customers to third-party suppliers.

Flight Centre is cooperating with the Office of the Australian Information Commissioner’s (OAIC) inquiries. Once the investigation has concluded a further statement will be published.

If any person has any concerns about how their privacy has been managed they can contact the OAIC at www.privacy.gov.au or on 1300 363 992.

This announcement has…

‘LP’ v The Westin Sydney (Privacy) [2017] AICmr (7 June 2017): APP 3.5 and 12, secret recording of telephone conversation by The Westin

June 14, 2017

The Privacy Commissioner handed down a decision finding that The Westin Sydney interfered with the complainant’s privacy in ‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53. The Westin was found to have interfered with the privacy of LP by recording his telephone conversation without advising him beforehand. It is a decision that has not been publicised. That is a shame and quite different to the practice of the Information Commissioner in the United Kingdom and the Federal Trade Commission in the United States. It is a practice failing by the Australian Privacy Commissioner.

LP booked a room at The Westin. On the afternoon of 17 January 2016, he arrived and checked in. The Westin employee who handled his check-in informed him that there would be a 10 to 20 minute delay until his room became available. While LP was waiting in the hotel’s executive lounge he received a call on his mobile phone from a Westin employee, who advised that the preferred room would not be available until later that afternoon. LP was then asked whether he wanted to wait for a similar room on a different floor, or if he would prefer an alternate smaller room on the same floor that was available immediately. LP agreed to accept the alternate room, but was unhappy [4].

LP subsequently complained to The Westin about his treatment, including the unavailability of his preferred room. While responding to this complaint, on 18 January 2016, the Executive Assistant Manager of The Westin referred to the recording of LP’s call with a Westin employee. LP had been unaware that The Westin had recorded the call [5].

On 19 January 2016, LP emailed…

EU General Data Protection Regulation less than a year away. The Privacy Commissioner issues guidance

June 12, 2017

In slightly less than a year, from 25 May 2018 to be precise, the General Data Protection Regulation (“GDPR”) will take effect throughout the European Union. Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. It is more a continuation of the existing data protection laws than a new system. That said, it is a…