Information Commissioner releases privacy guidance on Healthcare identifiers on digital vaccination certificates

March 10, 2022

The Information Commissioner has issued privacy guidance on individual Healthcare Identifiers (“IHIs”) on vaccination certificates. This is in addition to the guideline titled Privacy guidance for businesses collecting COVID-19 vaccination information issued on 12 November 2021.

The guidance …

Information Commissioner releases Notifiable Data Breaches Report for the period July – December 2021

The Information Commissioner has released the latest report on notifiable data breaches for the second half of 2021. There were 464 data breaches from July to December 2021. That is a total of 464 data breaches throughout all of Australia for a 6 month period. According to IT Governance there were 5.1 million records breached worldwide in February 2022 alone. That such a ridiculously low number is reported to the Commissioner is ample evidence of how flawed the data breach regime remains.

There are a number of reasons for this failure in public policy. A starting point is the limited coverage of the Privacy Act. The small business exemption, as well as the journalist and political party exemptions, leaves a large part of the economy which collects, holds and uses data outside of the coverage. The Data Breach Notification Scheme relies on self-assessment, using a long list of factors to determine whether there has been serious harm. For some organisations …

Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem

September 16, 2021

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

IT Governance calculates that in August there were 84 cyber attacks which resulted in 60,865,828 records being breached. Of that number, T-Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual threat report for 2020 – 2021, which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could be, and probably is, higher. Probably …

Data breaches everywhere with 2.3 billion records breached worldwide in February 2021 and the grand total of 539 breaches to the Australian Information Commissioner between July – December 2020. A lack of credibility in the Australian mandatory data breach notification scheme.

March 7, 2021

IT Governance has provided its list of data breaches and cyber attacks in February 2021, estimating that 2.3 billion records were breached. The cyber attacks range from the relatively modest in number, with 208 records of the Watermark Retirement Communities residents across 10 states being affected, to the catastrophically large attack, involving millions of user records of Raychat being destroyed and the records of 102 million consumers of two mobile operators in Brazil. There were also other significant data breaches, including 400 million records of a delivery company, Bykea, being leaked in Pakistan, and Australia’s Oxfam discovered that its database of 1.7 million records was being offered for sale on a hacker forum. The humiliating Oxfam data breach required it to issue the now all too familiar sort of candid post of where matters are at on 1 March 2021 which …

Attorney General announces a review of the Privacy Act 1988 with submissions due by 29 November 2020

October 30, 2020

Today the Attorney General announced a(nother) review of the Privacy Act 1988. That was part of a response to the ACCC’s Digital Platforms Inquiry. In doing so he released an 89 page Issues Paper.

The media release provides:

The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act). 

The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.

These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements.

The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.

“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.

“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”

A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.

The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website.

Government releases exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020

May 5, 2020

The Commonwealth Attorney General’s Department has released an exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020.

The Attorney General’s media release provides:

The COVIDSafe app is a critical tool in helping our nation fight the COVID-19 pandemic.

With more than 4 million COVIDSafe registrations many Australians are already doing their part to help protect and save lives.

Attorney-General, Christian Porter, today released draft legislation which will codify the existing protections for individuals’ data collected by the COVIDSafe app that have been established in the Health Minister’s Biosecurity Act Determination.

The Privacy Amendment (Public Health Contact Information) Bill 2020, will reinforce the protections set out in the Determination made by the Minister for Health under the Biosecurity Act 2015 on 25 April 2020, placing the protections into primary legislation through amendments to the Privacy Act 1988.

Australian Information Commissioner v Facebook Inc [2020] FCA 531 (22 April 2020): application for service outside of Australia, the Commissioner’s prima facie case. The opening round in the first civil proceeding for breach of the Privacy Act by the Commissioner

April 26, 2020

On 23 April 2020 in Australian Information Commissioner v Facebook Inc the Australian Information Commissioner successfully obtained interim suppression and non-publication orders, and orders to serve outside Australia and for substituted service against Facebook Inc.

This is the first of what is likely …

Information Commissioner releases report of 537 notifiable data breaches for the last half of 2019, while worldwide the estimate of data records accessed unlawfully in 2019 reached 12.3 billion!

March 15, 2020

At the end of February the Australian Information Commissioner released the Report of Notifiable Data Breaches for the July – December 2019 period.  There were 537 notifications, up from 460 in the previous 6 months and making 997 for the 2019 calendar year. 

As usual, health service providers top the list with 117 notifications, followed by finance with 77 notifications. Interestingly, though less than 10% of notifications, there were 40 notifications from legal, accountancy and management services. In terms of numbers of individuals affected, 132 notifications, about 20%, affected only one person’s personal information, but one breach affected more than 10,000,000. The majority of notifications, 309, affected from 2 to 1,000 individuals, while 13 notifications covered between 25,000 – 10,000,000.

Contact information was …

The Australian Information Commissioner commences civil penalty proceedings against Facebook under section 13G of the Privacy Act

March 10, 2020

Yesterday, 9 March 2020, the Australian Information Commissioner commenced proceedings against Facebook in the Federal Court. The actual citation is Australian Information Commissioner v Facebook Inc & Facebook Ireland Limited (court number NSD 246/2020).

It has taken 2 years for the Information Commissioner to conclude her investigations regarding Facebook’s actions in permitting personal information to be misused through the This is Your Digital Life app, which was disclosed to Cambridge Analytica. The UK Information Commissioner resolved its investigation and issued a monetary penalty notice of 500,000 pounds in October 2018. The US Federal Trade Commission imposed a $5 billion penalty for its breach of the previous order in July 2019.

This litigation will be significant as it is the first consideration of the operation of section 13G of the Privacy Act, a civil penalty proceeding for serious or repeated interference with privacy. Unfortunately the Information Commissioner has not proven to be an adept litigator to date, though Facebook’s egregious conduct in permitting its users’ personal information to be misused is well documented. What is less clear is how the Commissioner will convince the Court that the statutory limit of $1.7 million for an infraction is a limit on each breach. That will be a significant …

Call to reform Privacy Act because of data haul by Google and others

November 11, 2019

Even after writing about privacy for a decade and more, it still never ceases to amaze me that media write in breathless tones about the problem with organisations using and misusing data and personal information as if it was some form of revelation. The only thing that has changed has been the great efficiency in the misuse. The latest offering is The Australian’s piece Giants’ data haul sparks call to reform privacy act, which is a bit of a spruik dressed up as an article for a conference to be hosted by the Consumer Policy Research Centre on 19 November 2019.

The chief executive is calling for “urgent reform of the Privacy Act” to better protect consumers. She also wants a Consumer Data Right. The call to reform the Privacy Act is misconceived. There is no point increasing the powers of …