On 15 July 2017 I posted on the very serious data breach by Flight Centre.  It has been covered fairly widely by the media, on the ABC, MSN Nine and the Sydney Morning Herald to name a few.

A month later the Privacy Commissioner has decided to investigate the data breach.  It made its announcement on 18 August 2017.  The announcement provides:

On 15 August 2017, the Acting Australian Information Commissioner opened an investigation into Flight Centre, examining an alleged data breach involving the release of the personal information of customers to third-party suppliers.

Flight Centre is cooperating with the Office of the Australian Information Commissioner’s (OAIC) inquiries. Once the investigation has concluded a further statement will be published.

If any person has any concerns about how their privacy has been managed they can contact the OAIC at www.privacy.gov.au or on 1300 363 992.

This announcement has Read the rest of this entry »

The Privacy Commissioner handed down a decision finding that the The Westin Sydney interfered with the complainant’s privacy in LP’ and The Westin Sydney (Privacy) [2017] AICmr 53.  The Westin was found to have interfered with the privacy of LP by recording his telephone conversation without advising him beforehand.  It is a decision that has not been publicised.  That is a shame and quite different to the practice by the Information Commissioner in the United Kingdom and the Federal Trade Commission in the United States.  It is a practice failing by the Australian Privacy Commissioner.

FACTS

LP  booked a room at The Westin. On the afternoon of 17 January 2016, he arrived and checked in. The Westin employee who handled his check-in informed him that there would be a 10 to 20 minute delay until his room became available.  While LP was waiting in the hotel’s executive lounge he received a call on his mobile phone from a Westin employee who advised that the preferred room was not be available until later that afternoon. LP was then asked whether he wanted to wait for a similar room on a different floor, or if he would prefer an alternate smaller room on the same floor that was available immediately. LP agreed to accept the alternate room, but was unhappy [4].

LP subsequently complained to The Westin about his treatment, including the unavailability of his preferred room. While responding to this complaint, on 18 January 2016, the Executive Assistant Manager of The Westin referred to the recording of LP with a Westin employee. LP had been unaware that The Westin had recorded the call [5].

On 19 January 2016, LP emailed Read the rest of this entry »

In slightly less than a year, from 25 May 2018 to be precise, the the General Data Protection Regulation (“GDPR”) will take effect throughout the European Union.  Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.  It is more a continuum of the existing data protection laws rather than a new system.  That said it is a Read the rest of this entry »

Personal information relating to medical matters is highly sensitive.  The Cosmestic Institute, based in Bondi,  specialised in providing cosmetic surgery, holds a particularly subset of that type of information; before and after photographs, photographs of a highly intimate nature and details which are almost invariably kept confidential

Naked photos and medical records of hundreds of women were published on line at least as late last Saturday.  Possibly earlier.  It appears that the publication of this highly sensitive information included patient names, Medicare numbers and naked images of 500 people.  The breach involved Read the rest of this entry »

Australia’s mandatory data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017,  takes effect on 22 February next year.  It has been a long time coming.

Last Friday the Privacy Commissioner released an exposure draft resources, whatever that means, for business and agencies on their obligations under the Act.  It is open for comment until 14 July 2017, Bastille Day (hopefully that symbolises nothing).

The broad overview Read the rest of this entry »

It is something of a rite of passage for the Privacy Commissioner to release a report on privacy compliance or a survey about community attitudes to privacy around Privacy week.  This year is no different, with a 51 page report on a survey on Australian’s attitudes to privacy, privacy risks and trust in government and organisations.  The point of reference by comparison is a similar survey in 2013.  While the results are in the main consistent with 2013, there is a growing level of concern about online privacy.  This is not Read the rest of this entry »

Dating apps are notorious for both collecting a huge amount of highly sensitive personal information and being the subject of data breaches.  Ashley Madison data breach being just the most dramatic instance.

The Privacy Commissioner has issued a dos and don’ts on 4 dating apps, Tinder, Grindr, Happn and Bumble.  As far as it goes it is Read the rest of this entry »

The Privacy Commissioner has issued a statement regarding the passage of the Mandatory Data breach notification Bill.  The Privacy Commissioner has Read the rest of this entry »

The Australian Privacy Commissioner has taken action against Ashley Madison data breach in July 2015 was a sensation.  As has the Canadian Privacy Commissioner.  They have released joint findings.  Joint findings are found here.

It is likely to be an influential findings as the combined report does undertake a detailed analysis of both the facts and the expectations under the various privacy principles.  Given the dearth of authorities this will provide valuable guidance.

As with many data breaches/interference with privacy complaints followed up by regulators the initial cause of the breach/interference gives rise to a broader investigation which almost invariably highlights deficiencies in compliance throughout the organisation.  It is commonly the case that a breach of security has many causes; out of data software protection, poor protocols, inadequate staff training, excessive data retention far beyond the date when it is usable or relevant to the organisations operations and a lack of understanding as to identity verification.

Ashley Madison, or more accurately its corporate entity Avid Life Media Inc (“ALM”), entered Read the rest of this entry »

The Privacy Commissioner issued a statement today announcing that he is investigating a possible breach by the MUA.  The media release provides:

The facts are outlined in Read the rest of this entry »