The Australian Information Commissioner publishes guidance on tracking pixels

November 5, 2024

Tracking pixels are HTML code snippets that load when someone visits a website and are used to track user behaviour. Advertisers can use this data for online marketing and web analysis. In the latest of a surge of guidance documents, the Office of the Australian Information Commissioner (“OAIC”) has published guidance on tracking pixels.

Given the increased powers proposed in the Privacy and Other Legislation Amendment Bill 2024, organisations covered by the Privacy Act 1988 need to consider their use of tracking pixels before the amendments come into force.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) has released guidance for private sector organisations to ensure they meet their obligations under the Australian Privacy Act when using third-party tracking pixels on their website.

Publication of the guidance responds to industry demand for greater detail on the application of the Privacy Act to tracking technologies, as well as interest in the topic across government, media and the community.

Many social media companies and other digital platforms offer tracking pixels. A tracking pixel is a piece of code generated by a third-party provider that can be placed on an organisation’s website to collect information about a user’s activity. When a user visits a webpage with a tracking pixel, the pixel loads and sends certain types of data to the server of the third-party provider.

Pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms. They can be important to business for analysis, advertising and measurement of return on investment.

“However, many of these tracking tools are harmful, invasive and corrosive of online privacy,” Australian Privacy Commissioner Carly Kind said.

“This is a real concern in the community with our Australian Community Attitudes to Privacy Survey 2023 finding that 69% of adults did not think it fair and reasonable that their personal information was used for online tracking, profiling and targeted advertising, with that rising to 89% when material was targeted at children.”

The guidance makes clear that it is the responsibility of the organisation seeking to deploy a third-party tracking pixel on their website to ensure it is configured and used in a way that is compliant with the Privacy Act.

Before deploying a third-party pixel, organisations should ensure they understand how the product works, identify the potential privacy risks involved and implement measures to mitigate those risks, and not adopt a ‘set and forget’ approach.

Failing to conduct appropriate due diligence can create a range of privacy compliance and other legal risks.

Consistent with the OAIC’s recent guidance on the use of generative AI products, the OAIC is seeking to expand its range of guidance for organisations so that they can continue to grow their businesses while meeting privacy obligations in a way that builds community trust.
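The due-diligence step the guidance describes (understand what a third-party pixel does before deploying it) starts with knowing which off-site hosts a page reports to and what the pixel URL already discloses on every page load. The script below is an added example, not code from the OAIC or the original post; the page HTML, host names and parameter values are constructed for illustration.

```python
"""Inventory third-party tracking pixels found in a page's HTML.

Added example, not code from the OAIC or the original post. It supports
the due-diligence step the guidance describes: before deploying a pixel,
know which third-party hosts receive data and what the pixel URL already
discloses. Sample HTML, hosts and parameters are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

FIRST_PARTY = "www.example-insurer.test"  # assumed first-party host


class PixelFinder(HTMLParser):
    """Collects <img>, <script> and <iframe> elements whose src is off-site."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        url = urlparse(src)
        host = url.netloc.lower()
        if not host or host == self.first_party:
            return  # relative or same-origin asset: not a third-party pixel
        # A 1x1 (or 0x0) image is the classic pixel shape; third-party
        # scripts and iframes are beacons with more capability, not less.
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.findings.append({
            "tag": tag,
            "host": host,
            "tiny_image": tag == "img" and tiny,
            # parameter names sent to the third party on every page load
            "params": sorted(parse_qs(url.query)),
        })


def inventory_pixels(html, first_party=FIRST_PARTY):
    """Return third-party tracking elements in `html`, grouped by host."""
    finder = PixelFinder(first_party)
    finder.feed(html)
    by_host = {}
    for f in finder.findings:
        by_host.setdefault(f["host"], []).append(f)
    return by_host


# Constructed page: one first-party image, one local script, one
# third-party analytics script and one hidden 1x1 pixel in <noscript>.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.analytics.test/tag.js?id=TAG-CONSTRUCTED"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="https://www.example-insurer.test/logo.png" width="200" height="60">
<noscript><img height="1" width="1" style="display:none"
  src="https://pixel.adnetwork.test/tr?id=123&amp;ev=PageView&amp;em=hashed-email">
</noscript>
</body></html>"""

if __name__ == "__main__":
    for host, items in inventory_pixels(SAMPLE_HTML).items():
        for item in items:
            print(host, item["tag"], "1x1" if item["tiny_image"] else "",
                  "params:", ",".join(item["params"]))
```

Run it against a saved copy of your own page; every host it lists is a recipient of user data that the guidance expects you to have assessed.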


Information Commissioner releases Annual Report

November 1, 2024

It is annual report season for Government agencies and authorities, and that includes the Office of the Australian Information Commissioner. Yesterday the Commissioner released its 194-page Annual Report for 2023–24.

Given the significant amendments to the Privacy Act 1988, it is better to look forward to how the Privacy Commissioner approaches her responsibilities with newfound powers rather than to pore over the activities of the Privacy Commissioner over the past year. On that note, the work rate improved but it remained a timid regulator by any measure. That is a pity given that the Information Commissioner’s remuneration was $576,174 and Deputy Commissioner Elizabeth Hampton’s was $380,091. The relatively newly appointed Privacy Commissioner, Carly Kind, is on $109,239.

In relation to privacy complaints the Commissioner stated:

Privacy has been very much in the spotlight, with the continuing incidence of major data breaches. In 2023–24, we received 13% more notifications under the Notifiable Data Breaches (NDB) scheme than the year prior, when there was a 4% increase. We lifted our response rate, closing 84% of notifications within 60 days (compared to 77% last reporting year). In the 2022–23 financial year we received a 34% increase in privacy complaints. This year, complaints have remained relatively high, with a slight decrease of 5% year on year. We successfully responded to this high demand, finalising 20% more privacy complaints (3,104 in total), building on last year’s increase of 17% (2,576 finalised in total).
We continued our focus on clearing longer-standing, generally more complex and resource-intensive complaints, finalising 84% (271) of the 322 matters that were over 12 months old as at June 2023. At the same time, more recent complaints increased in age over the reporting period. The volume of complaints, combined with the focus on the longest-standing, meant that by the year’s end there was an overall increase in matters older than 12 months to 729. The OAIC will continue to focus on aging cases through process efficiencies and the strategic application of resources.


The Australian Information Commissioner issues updated guidance for charities and other not for profit organisations

October 24, 2024

The Australian Information Commissioner has issued updated guidance for charities and other not-for-profit organisations. Guidance documents are not regulations, but they are very important. Organisations which comply with the guidance and somehow still have a data breach or other form of interference with privacy may be able to argue that they have done all that was required of them. The reality is that if more organisations focused on complying with guidance and standards there would be far fewer data breaches. Clearly all investigations are fact specific and compliance with a guideline does not provide any sort of immunity.

The statement from the Commissioner provides:

The updated guidance includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.

In particular, the updated guidance includes discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors. This area is particularly topical in the wake of high-profile data breaches affecting charities and NFPs.

Privacy Commissioner Carly Kind said the guidelines aim to help charities navigate their privacy responsibilities when collecting and handling personal information, and understand their obligations under the Privacy Act.

“We know how critical trust is to the work of not-for-profits and charities, and how important good privacy practices are to that trust.”

The Australian Information Commissioner releases guidelines

October 21, 2024

AI presents a major regulatory challenge across a range of governmental and private activities, and that is especially the case with privacy. The UK Information Commissioner’s Office has issued detailed guidance and other resources on artificial intelligence. The US Federal Trade Commission has raised issues on AI by way of a Big Data report in 2016 and a post in 2017, issued guidance by way of Q & A in 2020, and made a finding on the use of artificial intelligence In the Matter of DoNotPay, Inc. (Matter Number 2323042, September 25, 2024). Which brings us to the Australian Information Commissioner’s release of AI guidance today. There are actually two guides: one on the use of commercially available AI products, and a second relating to developers using personal information to train AI models.

AI needs personal information to work properly. Lots of it. Each of the guides highlights the care that needs to be taken in considering the operation of the Privacy Act when using and developing artificial intelligence.

The media release provides:

New guides for businesses published today by the Office of the Australian Information Commissioner (OAIC) clearly articulate how Australian privacy law applies to artificial intelligence (AI) and set out the regulator’s expectations.

The first guide will make it easier for businesses to comply with their privacy obligations when using commercially available AI products and help them to select an appropriate product. The second provides privacy guidance to developers using personal information to train generative AI models.

“How businesses should be approaching AI and what good AI governance looks like is one of the top issues of interest and challenge for industry right now,” said Privacy Commissioner Carly Kind.

“Our new guides should remove any doubt about how Australia’s existing privacy law applies to AI, make compliance easier, and help businesses follow privacy best practice. AI products should not be used simply because they are available.

“Robust privacy governance and safeguards are essential for businesses to gain advantage from AI and build trust and confidence in the community,” she said.

The new guides align with OAIC focus areas of promoting privacy in the context of emerging technologies and digital initiatives, and improving compliance through articulating what good looks like.

“Addressing privacy risks arising from AI, including the effects of powerful generative AI capabilities being increasingly accessible across the economy, is high among our priorities,” Commissioner Kind said.

“Australians are increasingly concerned about the use of their personal information by AI, particularly to train generative AI products.

“The community and the OAIC expect organisations seeking to use AI to take a cautious approach, assess risks and make sure privacy is a key consideration. The OAIC reserves the right to take action where it is not.”

While the guidance addresses the current situation – concerning the law, state of technology and practices – Commissioner Kind said an important focus remains how AI privacy protections could be strengthened for the benefit of society as a whole.

“With developments in technology continuing to evolve and challenge our right to control our personal information, the time for privacy reform is now,” said Commissioner Kind.

“In particular, the introduction of a positive obligation on businesses to ensure personal information handling is fair and reasonable would help to ensure uses of AI pass the pub test.”

The OAIC has published a blog post with further information about the privacy guidance for developers using personal information to train generative AI models.


Privacy and Other Legislation Amendment Bill 2024 – Government moves the Second Reading and publishes Second Reading speech

October 8, 2024

The Government has published the Second Reading Speech and adjourned debate on the Bill. The Second Reading Speech is dated 12 September 2024; however, the Daily Program lists the Speech as being moved today. It only recently appeared on the Bill’s homepage.

The Bill provides the Privacy Commissioner with more flexibility in enforcement, allowing for infringement notices and new civil penalties. The real issue there is getting the Commissioner to use those powers. The existing civil penalty provisions have only been used twice, and then only very recently, and neither case has reached resolution.

The statutory tort for serious invasions of privacy is welcome; however, the exemption carve-outs for journalism, law enforcement and security limit its effectiveness. There is no consideration of whether the actions of the journalist are excessive and irresponsible in breaching a person’s privacy. In the UK there is a balancing between Article 8, the right to privacy, and Article 10, freedom of expression, as it applies to the media.

There is specific provision for the development of a Children’s Privacy Code.  According to the Attorney General that is designed to align the protections with those that exist overseas. 

Doxxing will be criminalised.

There are other provisions which clarify the sharing of information when there are data breaches and during emergencies and regarding overseas data flows.

The amendments are conservative and modest but a move in the right direction. These changes will not make Australia’s Privacy Act the gold standard, but if the further reforms proposed by the Attorney General’s Department are implemented then the level of protection will allow for more effective regulation and protection.

The Second Reading provides:

Introduction

The digital economy has unleashed enormous benefits for Australians. But it has also increased the privacy risks we face through the collection and storage of enormous amounts of our personal data.

The Privacy Act 1988 represented the first time that a comprehensive, integrated set of legal rules protecting interests in privacy existed in Australia. On introducing it, Attorney-General Lionel Bowen told the parliament that ‘enormous developments in technology for the processing of information are providing new and, in some respects, undesirable opportunities for the greater use of personal information.’

In that respect, little has changed. Evolutions in technology and the way people use it continue to vex those who share information online, and those charged with regulating it. It is essential that Australians are protected by a legal framework that is flexible and agile enough to adapt to changes in the world around them.

The Privacy Act has not kept pace with the adoption of digital technologies. The vast data flows that underpin digital ecosystems have also created the conditions for significant harms—like major data breaches that have revealed the sensitive information of millions of Australians, exposing us to the risk of identity fraud and scams.

Information Commissioner registers new Privacy (Credit Reporting) Code (version 3.0)

October 2, 2024

Credit codes under the Privacy Act 1988 are very important, and a breach of them can result in serious difficulties for a credit provider. The Information Commissioner has registered the Privacy (Credit Reporting) Code 2024. The Commissioner’s media release provides a useful summary of the features of the new Code, but that is an overview only. It is important for credit providers, and those who act for parties with credit-related matters, to read the Code carefully. It is also important that credit providers incorporate the new requirements into their documentation and processes. While that may sound trite, the failure to do so is quite common, particularly among non-bank credit providers.


Information Commissioner releases corporate plan for 2024 – 2025

September 30, 2024

Agencies release corporate plans. They are of variable quality and often drafted in vague enough terms to avoid criticism. The good plans say something, even if enough plausible deniability is buried in their dense prose. The Information Commissioner’s media release keeps with this approach.

It provides:

As the accountable authority, I am pleased to present the 2024–25 Office of the Australian Information Commissioner (OAIC) corporate plan for the 2024–25 to 2027–28 reporting periods, as required under paragraph 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

As an independent statutory agency, our office regulates privacy and freedom of information (FOI) under the Commonwealth Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act) and has information policy functions under the Australian Information Commissioner Act 2010. This corporate plan sets out our key activities and how we measure our performance.

Office of the Information Commissioner reports that from January to June 2024 there was the highest number of data breaches for three and a half years

September 23, 2024

The Office of the Information Commissioner has released its data breach report for the first six months of 2024. It is a useful if imperfect indication of the number of notifiable data breaches in Australia. The latest report shows an increased number of reportable breaches, reaching the highest number in three and a half years. It should be a given that the figures set out in these reports are very much an indication of trends. The actual number of data breaches is significantly higher. Some industries are more assiduous than others in reporting. The legislation allows for considerable interpretation of what is a reportable data breach. The culture of reporting remains poor because the consequences of non-compliance with the legislation

The Commissioner provided a foreword to the Report in which she foreshadowed a more muscular approach to enforcement. Finally. The foreword provides:

Since the launch of the Notifiable Data Breaches (NDB) scheme in 2018, the Office of the Australian Information Commissioner (OAIC) has published statistical information about data breach notifications we have received. Our goal in doing so has been to help entities and the public understand privacy risks identified through the scheme, highlight areas that require attention and provide clarity around our regulatory approach.

Six years on, the NDB scheme is now mature, and we are moving into a new era in which our expectations of entities are higher, seen in our recent commencement of civil penalty proceedings against Medibank Private Limited and Australian Clinical Labs Limited. This enforcement action should send a strong message that keeping personal information secure and meeting the requirements of the NDB scheme must be priorities.

Information Commissioner publishes concise statement in its civil penalty proceeding against Medibank Private

June 18, 2024

Yesterday the Australian Information Commissioner published its concise statement in its civil penalty proceeding against Medibank Private. It has been reported by the ABC under the heading “The absence of multi-factor authentication led to the Medibank hack, regulator alleges.” The story has also been covered by the Guardian under the heading “Medibank’s lack of multi-factor authentication allowed hackers to infiltrate systems, regulator alleges”.

The Commissioner has listed Important Facts as being:

  • For the financial years ending 30 June 2021, 2022 and 2023, Medibank generated revenue of approximately $6.9 billion, $7.1 billion and $7.1 billion and annual profit before tax of $632.3 million, $560 million and $727.1 million, respectively.
  • As at 30 June 2022, Medibank employed approximately 3,291 full-time employees.
  • The personal information collected and held by Medibank included:
    • names,
    • dates of birth,
    • home addresses,
    • phone numbers,
    • email addresses,
    • employment details,
    • passport numbers,
    • Medicare numbers,
    • financial information, and
    • sensitive information about customers, such as their:
      • race and ethnicity,
      • illnesses,
      • disabilities or injuries, and
      • health services.
  • Prior to 7 August 2022 an IT Service Desk Operator who was an employee of a Medibank contractor had access to a Medibank Admin Account using his Medibank Credentials.
  • The contractor saved his Medibank username and password (the Medibank Credentials) to his personal internet browser profile on his work computer. When he subsequently signed into his internet browser profile on his personal computer, the Medibank Credentials were synced across to his personal computer.
  • The Admin Account had access to most (if not all) of Medibank’s systems, including:
    • network drives,
    • management consoles, and
    • remote desktop access to jump box servers (used to access certain Medibank directories and databases).
  • On or about 7 August 2022 the Medibank Credentials were stolen from the IT Service Desk Operator’s personal computer by a threat actor (commonly and better known as a hacker) using a variant of malware which is known to the parties but not publicly disclosed.
  • On 12 August 2022 the hacker logged onto Medibank’s Microsoft Exchange server and tested the Medibank Credentials for the Admin Account.
  • On or around 23 August 2022 the hacker authenticated and logged onto Medibank’s “Global Protect” Virtual Private Network (VPN) solution (which controlled remote access to the Medibank corporate network) and began typing malicious script.
  • The hacker was able to authenticate and log onto Medibank’s Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required.
  • On 25 and 25 August 2022 Medibank’s Endpoint Detection and Response (EDR) security software sent alerts about the hacker’s activities to a Medibank IT Security Operations email address. These alerts were not appropriately triaged or escalated by either Medibank or its service provider, Orro, at that time.
  • From 25 August 2022 until around 13 October 2022 the hacker used the Medibank Credentials to access numerous Medibank IT systems and exfiltrated 520 gigabytes of data, including names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information and claims data (such as patient names, provider names, primary/secondary diagnosis and procedure codes, and treatment dates).
  • On 11 October 2022, Medibank:
    • triaged a high-severity incident for an alert that identified modification of files needed to exploit the “ProxyNotShell” vulnerability, and
    • engaged Threat Intelligence, its existing digital forensics and incident response partner, to perform an incident response investigation.
  • Until at least 16 October 2022, when a Threat Intelligence analyst noted that there had been a series of suspicious volumes of data exfiltrated out of Medibank’s network, Medibank was not aware that customer data had been accessed.
  • On 19 and 22 October 2022 respectively, Medibank was contacted by the hacker and provided with files containing sample data that had been exfiltrated from Medibank’s systems.
  • Between 9 November 2022 and 1 December 2022, the hacker published data exfiltrated during the data breach on the dark web.
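The VPN configuration described in the facts above (access granted on either a device certificate or a username and password) is the kind of setting a reviewer should be able to test against authentication logs. The following is an added example, not part of the concise statement or of any Medibank system: it models that weak policy beside a hardened one and flags the log-ins that only the weak policy would have accepted. The log lines, field names, user names and addresses are constructed.

```python
"""Flag VPN log-ins that a password-or-certificate policy accepts but an
MFA policy would refuse.

Added example, not from the concise statement or Medibank. The facts above
describe a VPN satisfied by EITHER a device certificate OR a username and
password, so stolen credentials alone were enough. Log lines, field names,
user names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    user: str
    password_ok: bool   # valid username/password presented
    device_cert: bool   # valid device certificate presented
    mfa_ok: bool        # second factor (e.g. authenticator app) passed
    src_ip: str


def weak_policy(e):
    """The configuration described in the facts: a certificate OR a password."""
    return e.device_cert or e.password_ok


def hardened_policy(e):
    """A password AND a second proof of identity (MFA or a device certificate).

    Neither a leaked password nor a certificate on its own is sufficient.
    """
    return e.password_ok and (e.mfa_ok or e.device_cert)


def parse_line(line):
    """Parse a constructed 'key=value' VPN log line into an AuthEvent."""
    fields = dict(kv.split("=", 1) for kv in line.split())

    def flag(key):
        return fields.get(key, "no") == "yes"

    return AuthEvent(fields["ts"], fields["user"], flag("pw"),
                     flag("cert"), flag("mfa"), fields["src"])


def password_only_logins(lines):
    """Events the weak policy let in that the hardened policy would refuse."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if weak_policy(e) and not hardened_policy(e)]


# Constructed log: an admin account used with only a password from an
# unmanaged host, two properly authenticated users, a certificate-only
# device with no password, and a failed attempt.
SAMPLE_LOG = [
    "ts=2022-08-23T02:11:05Z user=svc-desk-admin pw=yes cert=no mfa=no src=203.0.113.7",
    "ts=2022-08-23T08:00:12Z user=alice pw=yes cert=yes mfa=no src=198.51.100.4",
    "ts=2022-08-23T08:03:40Z user=bob pw=yes cert=no mfa=yes src=198.51.100.9",
    "ts=2022-08-23T08:10:22Z user=kiosk-01 pw=no cert=yes mfa=no src=198.51.100.20",
    "ts=2022-08-23T09:15:00Z user=mallory pw=no cert=no mfa=no src=203.0.113.7",
]

if __name__ == "__main__":
    for e in password_only_logins(SAMPLE_LOG):
        print(f"{e.ts} {e.user} from {e.src_ip}: accepted on a single proof of identity")
```

Both halves of the weak "or" show up in the output: the password-only admin log-in and the certificate-only device, neither of which the hardened policy would admit.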


The Federal Government announces the appointment of a new Information Commissioner, starting on 16 August 2024

May 13, 2024

The Attorney General has announced the appointment of Elizabeth Tydd as Information Commissioner. It is an internal appointment, elevating Tydd from Freedom of Information Commissioner to the top job. It is too early to say whether that is an inspired choice or not. It is probably a safe choice. But there is a very good argument to be made for the regulator to have an outsider take the helm and adopt a more assertive stance, as Sims did at the ACCC. Australian Information Commissioners have been worthy, decent and quite conservative. Compared to regulators in the UK, Europe and the US, the Information Commissioner’s work rate is low.

