Peter A Clarke

The Information Commissioner has issued privacy guidance on individual Healthcare Identifiers (“IHIs”) on vaccination certificates. This in addition to the guideline titled Privacy guidance for businesses collecting COVID-19 vaccination information issued on 12 November 2021.

The guidance Read the rest of this entry »

The Information Commissioner has released the latest report on notifiable data breaches for the second half of 2021.  There were 464 data breaches from July to December 2021.  A total of 464 data breaches throughout all of Australia for a 6 month period. According to itgovernance there were 5.1 million records breached worldwide in February 2022 alone. Why there is such a ridiculously low number reported to the Commissioner is ample evidence of how flawed the data breach regime remains. 

There are a number or reasons for this failure in public policy.  A starting point is =the limited coverage of the Privacy Act.  The small business exemption as well as the journalist and political party exemption leaves a large part of the economy which collects, holds and uses data outside of the coverage.  The Data Breach Notification Scheme is self assessment using a long list of factors to determine whether there has been serious harm.  For some organisations Read the rest of this entry »

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

It governance calculates that in August there were 84 cyber attacks which results in 60,865,828 records being breached.  Of that number T Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual threat report for 2020 – 2021 which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could, and probably is, higher.  Probably Read the rest of this entry »

It governance has provided its list of data breaches and cyber attacks in February 2021, estimating that 2.3 billion records were breached. The cyber attacks range from the relatively modest in number, with 208 records of the Watermark Retirement Communities residents across 10 states being affected, to the catastrophically large attack, involving millions of user records of Raychat being destroyed and the records of 102 million consumers of two mobile operators in Brazil.  There were also other significant data breaches, including 400 million records of a delivery company, Bykea, being leaked in Pakistan and Australia’s Oxfam discovered that its database of 1.7 million records were being offered for sale on a hacker forum. The humiliating Oxfam data breach required it to issue the now all too familiar sort of candid post of where matters are at on 1 March 2021 which Read the rest of this entry »

Today the Attorney General announced a(nother) review of the Privacy Act 1988.  That was part of a response to the ACCC Digital Platform’s Inquiry.  In doing so he released a 89 page Issues Paper. 

The media release provides:

The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act). 

The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.

These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements

The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.

“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.

“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”

A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.

The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website. Read the rest of this entry »

The Commonwealth Attorney General’s Department has released an exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020.

The Attorney General’s media release provides:

The COVIDSafe app is a critical tool in helping our nation fight the COVID-19 pandemic.

With more than 4 million COVIDSafe registrations many Australian’s are already doing their part to help protect and save lives.

Attorney-General, Christian Porter, today released draft legislation which will codify the existing protections for individuals’ data collected by the COVIDSafe app that have been established in the Health Minister’s Biosecurity Act Determination.

The Privacy Amendment (Public Health Contact Information) Bill 2020, will reinforce the protections set out in the Determination made by the Minister for Health under the Biosecurity Act 2015on 25 April 2020, placing the protections into primary legislation through amendments to the Privacy Act 1988. Read the rest of this entry »

On 23 April 2020 in  Australian Information Commission v Facebook Inc the Australian Information Commissioner successfully obtained interim suppression and non publication orders and orders to serve outside Australia and substituted service against Facebook Inc.

This is the first of what is likely Read the rest of this entry »

At the end of February the Australian Information Commissioner released the Report of Notifiable Data Breaches for the July – December 2019 period.  There were 537 notifications, up from 460 in the previous 6 months and making 997 for the 2019 calendar year. 

As usual health service providers top the list, with 117 notifications, followed by finance with 77 notifications.  Interestingly though less than 10% of notifications there were 40 notifications from the legal/accountancy and management services.  In terms of numbers of individuals affected 132 notifications, about 20%, affected only one person’s personal information but one breach affected more than 10,000,000. The majority of notifications, 309, affected from 2 to 1,000 individuals while 13 notifications covered between 25,000 – 10,000,000. 

Contact information was Read the rest of this entry »

Yesterday, 9 March 2020, the Australian Information Commissioner commenced proceedings against Facebook in the Federal Court.  The actual citation is Australian Information Commissioner v Facebook Inc & Facbook Ireland Limited (court number NSD 246/2020).

It has taken 2 years for the Information Commissioner to conclude her investigations regarding Facebook’s actions in permitting personal information to be misused through the This is Your Digital Life app which was disclosed to Cambridge Analytica. The UK Information Commissioner resolved its investigation and issued a monetary penalty notice of 500,000 pounds in October 2018.  The US Federal Trade Commission imposed $5 billion penalty for its breach of the previous order in July 2019.

This litigation will be significant as it is the first consideration of the operation of section 13G of the Privacy Act, a civil penalty proceeding for serious or repeated interference with privacy.  Unfortunately the Information Commissioner has not proven to be an adept litigator to date though Facebook’s egregious conduct in permitting its users personal information to be misused is well documented.  What is less clear is how the Commissioner will convince the Court that the statutory limit of $1.7million for an infraction is a limit on each breach.  That will be a significant Read the rest of this entry »

Even after writing about privacy for a decade and more, it still never ceases to amaze me that media write in breathless tones about the problem with organisations using and misusing data and personal information as if it was some form of revelation.  The only thing that has changed has been the great efficiency in the misuse.  The latest offering is the Australian’s piece Giants’ data haul sparks call to reform privacy act which is a bit of a spruik dressed up as an article for a conference to be hosted by the Consumer Policy Research Centre on 19 November 2019.

The chief executive is calling for “urgent reform of the Privacy Act” to better protect consumers.  She also wants a Consumer Data Right.  The call to reform the Privacy Act is misconceived.  There is no point increasing the powers of Read the rest of this entry »