With mandatory Data Breach Notification legislation coming into effect in February 2018, the Information Commissioner releases draft Notifiable Data Breach guidelines and puts retailers on notice about their obligations.

November 6, 2017

It is less than 6 months before the mandatory data breach notification laws take effect: February 22 2018, to be precise. They will impact all organisations and agencies covered by the Privacy Act and may require them to report data breaches of personal information. This has been the norm in 48 states of the United States for some time. In the United States, receiving notices under whichever data breach legislation is in operation is, if not common, then not unusual. That is an indicator of the frequency and impact of data breaches on business and government. Cyber crime for profit and malicious hacking is a chronic problem. In Australia there has been no requirement to notify individuals whose personal information has been accessed through a data breach. There have been self-reported data breaches to the Information Commissioner, sometimes because of good corporate practice but more often because the breach had already been publicised.

The Australian legislation is far from the gold standard. It is complex and quite imprecise. It will require considerable care by organisations and agencies to develop policies as early as possible so that they properly comply with the legislation when there is a data breach. There is little point trying to work out how to comply while dealing with a data breach. Notifications must be made within 30 days from the date the breach is detected. That is the outer limit. While the time frame seems generous, given the

Privacy Commissioner investigates data breach at Flight Centre and Cosmetic Institute

August 23, 2017

On 15 July 2017 I posted on the very serious data breach by Flight Centre. It has been covered fairly widely by the media, on the ABC, MSN Nine and the Sydney Morning Herald, to name a few.

A month later the Privacy Commissioner has decided to investigate the data breach. It made its announcement on 18 August 2017. The announcement provides:

On 15 August 2017, the Acting Australian Information Commissioner opened an investigation into Flight Centre, examining an alleged data breach involving the release of the personal information of customers to third-party suppliers.

Flight Centre is cooperating with the Office of the Australian Information Commissioner’s (OAIC) inquiries. Once the investigation has concluded a further statement will be published.

If any person has any concerns about how their privacy has been managed they can contact the OAIC at www.privacy.gov.au or on 1300 363 992.

This announcement has

‘LP’ v The Westin Sydney (Privacy) [2017] AICmr (7 June 2017): APP 3.5 and 12, secret recording of telephone conversation by The Westin

June 14, 2017

The Privacy Commissioner handed down a decision finding that The Westin Sydney interfered with the complainant’s privacy in ‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53. The Westin was found to have interfered with the privacy of LP by recording his telephone conversation without advising him beforehand. It is a decision that has not been publicised. That is a shame and quite different to the practice of the Information Commissioner in the United Kingdom and the Federal Trade Commission in the United States. It is a practice failing by the Australian Privacy Commissioner.

FACTS

LP booked a room at The Westin. On the afternoon of 17 January 2016, he arrived and checked in. The Westin employee who handled his check-in informed him that there would be a 10 to 20 minute delay until his room became available. While LP was waiting in the hotel’s executive lounge he received a call on his mobile phone from a Westin employee who advised that the preferred room would not be available until later that afternoon. LP was then asked whether he wanted to wait for a similar room on a different floor, or if he would prefer an alternate smaller room on the same floor that was available immediately. LP agreed to accept the alternate room, but was unhappy [4].

LP subsequently complained to The Westin about his treatment, including the unavailability of his preferred room. While responding to this complaint, on 18 January 2016, the Executive Assistant Manager of The Westin referred to the recording of LP with a Westin employee. LP had been unaware that The Westin had recorded the call [5].

On 19 January 2016, LP emailed

EU General Data Protection Regulation less than a year away. The Privacy Commissioner issues guidance

June 12, 2017

In slightly less than a year, from 25 May 2018 to be precise, the General Data Protection Regulation (“GDPR”) will take effect throughout the European Union. Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. It is more a continuum of the existing data protection laws than a new system. That said, it is a

Data breach at Cosmetic Institute attracts the attention of the Privacy Commissioner

June 6, 2017

Personal information relating to medical matters is highly sensitive. The Cosmetic Institute, based in Bondi and specialising in cosmetic surgery, holds a particular subset of that type of information: before and after photographs, photographs of a highly intimate nature and details which are almost invariably kept confidential.

Naked photos and medical records of hundreds of women were published online at least as late as last Saturday, possibly earlier. It appears that the publication of this highly sensitive information included patient names, Medicare numbers and naked images of 500 people. The breach involved

Privacy Commissioner issues draft guidelines and resources on Notifiable Data Breaches

June 5, 2017

Australia’s mandatory data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017, takes effect on 22 February next year. It has been a long time coming.

Last Friday the Privacy Commissioner released exposure draft resources, whatever that means, for business and agencies on their obligations under the Act. They are open for comment until 14 July 2017, Bastille Day (hopefully that symbolises nothing).

The broad overview

Privacy Commissioner releases survey on Australian Community Attitudes to Privacy in 2017

May 18, 2017

It is something of a rite of passage for the Privacy Commissioner to release a report on privacy compliance or a survey about community attitudes to privacy around Privacy Week. This year is no different, with a 51 page report on a survey of Australians’ attitudes to privacy, privacy risks and trust in government and organisations. The point of reference for comparison is a similar survey in 2013. While the results are in the main consistent with 2013, there is a growing level of concern about online privacy. This is not

Privacy Commissioner and dating apps

February 14, 2017

Dating apps are notorious for both collecting a huge amount of highly sensitive personal information and being the subject of data breaches. The Ashley Madison data breach is just the most dramatic instance.

The Privacy Commissioner has issued a list of dos and don’ts for 4 dating apps: Tinder, Grindr, Happn and Bumble. As far as it goes it is

Privacy Commissioner issues a response to the Mandatory Data Breach Notification legislation

The Privacy Commissioner has issued a statement regarding the passage of the Mandatory Data Breach Notification Bill. The Privacy Commissioner has

Australian and Canadian Privacy Commissioner release report into Ashley Madison data breach

September 4, 2016

The Ashley Madison data breach in July 2015 was a sensation. The Australian Privacy Commissioner has taken action over it, as has the Canadian Privacy Commissioner. They have released joint findings, which are found here.

The findings are likely to be influential, as the combined report undertakes a detailed analysis of both the facts and the expectations under the various privacy principles. Given the dearth of authorities this will provide valuable guidance.

As with many data breach or interference with privacy complaints followed up by regulators, the initial cause of the breach or interference gives rise to a broader investigation which almost invariably highlights deficiencies in compliance throughout the organisation. It is commonly the case that a breach of security has many causes: out of date software protection, poor protocols, inadequate staff training, excessive data retention far beyond the date when the data is usable or relevant to the organisation’s operations, and a lack of understanding of identity verification.

Ashley Madison, or more accurately its corporate entity Avid Life Media Inc (“ALM”), entered