Peter A Clarke

The work of the Information and Privacy Commissioner continues to not go on.  But the Government has appointed a permanent successor to the previous Commissioner, Timothy Pilgrim.  The Interim Information Commissioner and Privacy Commissioner, Angelene Falk, has been appointed Read the rest of this entry »

The Australian Information Commissioner has released another quarterly report of notified data breaches.  It has grown into a 33 page document from its humbler beginnings of a single page.  At the outset it is relevant to note that these figures are not the last word on actual data breaches.  There is a balancing act organisations go through before deciding to notify.  That is a weakness in the legislation.  There is also likely to be some non compliance with the legislation.  Finally many organisations are not subject to the operation of the Privacy Act and therefore will not notify because they do not have to.  That said it is a valuable report.

Putting the issue of data breaches in its broader context itgovernance has calculated that there were data breaches and cyber attacks in July 2018 which resulted in unauthorised access to 139,731,894 records.  And health records were a significant percentage of the records affected.

In the quarter there was 242 notifications, compared to 63 in the previous quarter, which were Read the rest of this entry »

Another case of compare and contrast between privacy regulators.  In the UK the Information Commissioner’s Office has announced the finding of investigations involving the use of personal information provided to Facebook by Cambridge Analytica.  The size of the breach of the Data Protection Act is enormous involving up to 87 million users worldwide.  The UK Information Commissioner commenced it investigation into Facebook in February.  It now announces its intention to fine Facebook a maximum of £500,000 as well as Read the rest of this entry »

The Australian in Facebook hit by Australian compensation case for data theft reports that the litigation funder IMF Bentham have lodged a representative complaint with the Office of the Information Commissioner arising out of the Cambridge Analytica use of personal information gleaned from Facebook.  One of the more egregious breaches of privacy by Facebook in recent times.  Which is saying something!  The story is also picked up by the Guardian in Compensation sought for Australians caught up in Facebook privacy breach.

Representative claims before the Information Commissioner is a rarely used provision.  The IMF Bentham quite lengthy statement relevantly Read the rest of this entry »

The Australian Government Agencies Privacy Code came into effect yesterday.  That is effectively today.

As the Privacy Commissioner notes on its media release under the Code agencies are Read the rest of this entry »

On 8 December 2017 Price Waterhouse Coopers, better known as pwc, undertook a review of the Privacy (Credit Reporting) Code 2014.  On 29 May 2018 the acting Information Commissioner and Privacy Commissioner has approved variations to the Privacy Credit Reporting Code 2014.

As a result of that review the Commissioner has amended the following Read the rest of this entry »

It is hard to be more disappointed with the Privacy Commissioner given the consistently inadequate determinations and tepid regulation.  But the Acting Commissioner has managed to show that with time and effort even more dreadful decisions are possible in privacy regulation in Australia.  That is amply displayed in the Commissioner’s response to the Centrelink release of personal information about a Ms Fox who wrote an article critical of Centrelink’s automated debt recovery system as it was used upon her.

The Commissioner’s “concluding statement” Read the rest of this entry »

The Commonwealth Bank of Australia has suffered a major data breach involving the records of 20 million customers.  In 2016.  It has only made this public now after media reports.  The CBA only made a statement after the media reports.  That is a dreadful approach to data breaches.  Conceal until you can’t.  Then obfuscate.  The CBA is not an outlier in its reaction to this data breach.  Unfortunately it is all too common in Australia.  Perhaps that will change with the mandatory data breach notification scheme but proper enforcement is required.  Incredibly the Information Commissioner was notified in 2016.  And took no enforcement action.  No enforceable undertakings even.  That was, and remains, a dreadful mistake.  The Australian Prudential Regulation Authority that has been more active and transparent than the Information Commissioner’s Office in dealing with privacy breaches.  If that is not an indictment on the Information Commissioner Read the rest of this entry »

The Acting Privacy Commissioner, Angelene Falk, recently gave a speech titled Privacy in Digital Media and Digital Advertising.

It is a speech very much in the vein of the previous Privacy Commissioner, completely unobjectionable, very reasonable, topical and accurate.  It hit the current affairs notes, commenting on Facebook/Cambridge Analytica and the topical regulatory change, the upcoming implemention of the GDPR in Europe.  It also is completely neutral about what the regulator expects in concrete terms and what it may do in “fostering a privacy culture…”  And that does not bode all that well for a change in direction for one of the least effective regulators at the Commonwealth level.  Bromides and exhortations to comply with the law are fine but never as effective as strategic and forceful enforcement which will send a message to the market.

The speech relevantly Read the rest of this entry »

The Office of the Australian Information Commissioner has published the first quarterly report on data breach notifications under the mandatory data breach notification legislation which came into effect on 22 February 2018. Not surprisingly the on a pro rata basis the number of notifications far exceeds the rate of notification under the previously voluntary scheme, 63 breaches in 6 weeks as opposed to 114 notifications in the last 52 weeks of the voluntary scheme.  If the rate of notifications remain consistent then 546 reports could be expected, almost 5 times the rate under the voluntary scheme. Because the legislation requires the organisation and agency to undertake self assessment as to whether a breach requires notification and some organisations will seek to take a less conservative approach, and take a risk in doing so, the figures are probably not a complete record of data breaches Read the rest of this entry »