Privacy and Information Commissioner releases guide to managing data breaches…just in time for the commencement of the Notifiable Data Breach legislation

February 21, 2018

The draft guidelines relating to the impending data breach legislation coming into effect have now been finalised and were released yesterday. All 64 pages of them.

While the guidelines are not regulations they will be very important when developing the processes and procedures necessary to deal with a data breach. They will also be important when actually dealing with a data breach. What is notable about this guideline is that while it is comprehensive in one respect, addressing key issues in each category, and provides a very useful structure when dealing with a data breach, it is drafted in broad and sometimes opaque terms. That means there will need to be consideration of the relevant principles of law when dealing with particular provisions of the Privacy Act. The absence of case law does not assist. It is a starting point only for …

The Australian Information and Privacy Commissioner, Timothy Pilgrim, to retire on 24 March 2018

February 20, 2018

According to a report in the Mandarin, “Last man standing: information and privacy commissioner Timothy Pilgrim to retire”, Timothy Pilgrim, the Privacy and Information Commissioner, is to retire on 24 March 2018. It is also reported in itnews, computerworld and zdnet.

Timothy Pilgrim has been one of the better privacy commissioners. That is a comparative measure only. His predecessors ranged from ineffective to hopeless. As a result the privacy and data security culture has been poor. Pilgrim was far more active than his predecessors both in terms of work rate and general profile. But objectively measured he was a timid and tentative regulator. Even with a limited budget from 2014 the Office of the Information Commissioner took a very low profile. His determinations were excessively conservative and …

A refreshing and timely story on the Commonwealth bank accused of misleading the Privacy Commissioner and the Privacy Commissioner cops criticism in handling that deception

December 20, 2017

Tonight’s 7.30 program has a story, titled “Commonwealth Bank accused of misleading the Privacy Commissioner about a privacy complaint”, where the sting is the Commonwealth Bank failing to provide proper disclosure of documents. The determination is …

With mandatory Data Breach Notification legislation coming into effect in February 2018 the Information Commissioner releases draft Notifiable Data breach guidelines and puts retailers on notice about their obligations.

November 6, 2017

It is less than 6 months before the mandatory data breach notification laws take effect. February 22 2018 to be precise. They will impact all organisations and agencies covered by the Privacy Act and may require them to report data breaches of personal information. This has been the norm in 48 states of the United States for some time. In the United States, receiving notices under whichever data breach legislation is in operation is, if not common, then not unusual. That is an indicator of the frequency and impact of data breaches on business and government. Cyber crime for profit and malicious hacking are a chronic problem. In Australia there has been no requirement to notify individuals whose personal information has been accessed through a data breach. There have been self-reported data breaches to the Information Commissioner, sometimes because of good corporate practice but more often because the breach had been publicised.

The Australian legislation is far from the gold standard. It is complex and quite imprecise. It will require considerable care by organisations and agencies to develop policies as early as possible so that they can properly comply with the legislation when there is a data breach. There is little point trying to work out how to comply while dealing with a data breach. Notifications must be made within 30 days from the date the breach is detected. That is the outer limit. While the time frame seems generous, given the …

Privacy Commissioner investigates data breach at Flight Centre and Cosmetic Institute

August 23, 2017

On 15 July 2017 I posted on the very serious data breach by Flight Centre. It has been covered fairly widely by the media, on the ABC, MSN Nine and the Sydney Morning Herald to name a few.

A month later the Privacy Commissioner has decided to investigate the data breach. The announcement was made on 18 August 2017. It provides:

On 15 August 2017, the Acting Australian Information Commissioner opened an investigation into Flight Centre, examining an alleged data breach involving the release of the personal information of customers to third-party suppliers.

Flight Centre is cooperating with the Office of the Australian Information Commissioner’s (OAIC) inquiries. Once the investigation has concluded a further statement will be published.

If any person has any concerns about how their privacy has been managed they can contact the OAIC at or on 1300 363 992.

This announcement has …

‘LP’ v The Westin Sydney (Privacy) [2017] AICmr (7 June 2017): APP 3.5 and 12, secret recording of telephone conversation by The Westin

June 14, 2017

The Privacy Commissioner handed down a decision finding that The Westin Sydney interfered with the complainant’s privacy in ‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53. The Westin was found to have interfered with the privacy of LP by recording his telephone conversation without advising him beforehand. It is a decision that has not been publicised. That is a shame and quite different to the practice of the Information Commissioner in the United Kingdom and the Federal Trade Commission in the United States. It is a practice failing by the Australian Privacy Commissioner.

LP booked a room at The Westin. On the afternoon of 17 January 2016, he arrived and checked in. The Westin employee who handled his check-in informed him that there would be a 10 to 20 minute delay until his room became available. While LP was waiting in the hotel’s executive lounge he received a call on his mobile phone from a Westin employee who advised that the preferred room would not be available until later that afternoon. LP was then asked whether he wanted to wait for a similar room on a different floor, or if he would prefer an alternate smaller room on the same floor that was available immediately. LP agreed to accept the alternate room, but was unhappy [4].

LP subsequently complained to The Westin about his treatment, including the unavailability of his preferred room. While responding to this complaint, on 18 January 2016, the Executive Assistant Manager of The Westin referred to the recording of LP’s call with a Westin employee. LP had been unaware that The Westin had recorded the call [5].

On 19 January 2016, LP emailed …

EU General Data Protection Regulation less than a year away. The Privacy Commissioner issues guidance

June 12, 2017

In slightly less than a year, from 25 May 2018 to be precise, the General Data Protection Regulation (“GDPR”) will take effect throughout the European Union. Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. It is more a continuation of the existing data protection laws than a new system. That said, it is a …

Data breach at Cosmetic Institute attracts the attention of the Privacy Commissioner

June 6, 2017

Personal information relating to medical matters is highly sensitive. The Cosmetic Institute, based in Bondi and specialising in providing cosmetic surgery, holds a particular subset of that type of information: before and after photographs, photographs of a highly intimate nature, and details which are almost invariably kept confidential.

Naked photos and medical records of hundreds of women were published online at least as late as last Saturday. Possibly earlier. It appears that the publication of this highly sensitive information included patient names, Medicare numbers and naked images of 500 people. The breach involved …

Privacy Commissioner issues Draft guidelines and resources on Notifiable Data breaches

June 5, 2017

Australia’s mandatory data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017, takes effect on 22 February next year. It has been a long time coming.

Last Friday the Privacy Commissioner released “exposure draft resources”, whatever that means, for business and agencies on their obligations under the Act. They are open for comment until 14 July 2017, Bastille Day (hopefully that symbolises nothing).

The broad overview …

Privacy Commissioner releases survey on Australian Community Attitudes to Privacy in 2017

May 18, 2017

It is something of a rite of passage for the Privacy Commissioner to release a report on privacy compliance or a survey about community attitudes to privacy around Privacy Week. This year is no different, with a 51 page report on a survey of Australians’ attitudes to privacy, privacy risks and trust in government and organisations. The point of reference for comparison is a similar survey in 2013. While the results are in the main consistent with 2013, there is a growing level of concern about online privacy. This is not …