June 3, 2025
In December 2023 the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Act 2023 (Qld). Amendments to the Information Privacy Act 2009 (Qld) will come into effect on 1 July 2025.
The most notable reform is the introduction of new Queensland Privacy Principles (QPPs) that replace the existing Information Privacy Principles and the National Privacy Principles.
The most relevant QPPs are QPP 11, QPP 12 and QPP 13.
- QPP 11 requires agencies to take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification or disclosure.
- QPP 12 requires agencies to give an individual access to a document in their control, containing the individual’s personal information.
- QPP 13 requires agencies to take reasonable steps to correct the personal information they hold to ensure that, having regard to the purpose for which it is held, it is accurate, up to date, complete, relevant and not misleading.
QPP 11
QPP 11 requires:
- agencies to take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification or disclosure; and
- agencies to destroy or de-identify personal information once it is no longer needed for any purpose for which it could be used or disclosed under the QPPs.
The reasonable steps an agency must take to ensure the security of personal information will …
Posted in Privacy
In 7 days Australia will have a statutory tort of serious invasion of privacy. It is found in Schedule 2 of the Privacy and Other Legislation Amendment Bill 2024.
The scope of the tort is a matter of conjecture, but it is certain to have an impact on corporate governance, especially regarding data harvesting, data usage and consent.
In particular it will have …
Posted in Privacy
May 30, 2025
Today Part 3 of the Cyber Security Act 2024, which sets out the mandatory ransomware and cyber extortion reporting regime, commences. All reporting business entities are required to make ransomware and cyber extortion reports using the form on ASD’s webpage at cyber.gov.au. The AFR has reported on the regime, describing how organisations, primarily companies, covered by the Privacy Act 1988 must disclose ransom payments resulting from a data breach. The payment itself is not an offence. The regime is also reviewed in cyberdaily’s article Pay up: Understanding Australia’s new ransomware reporting requirements.
The Home Affairs Department has set up a comprehensive site explaining the operation of the Cyber Security Act. That includes the ransomware reporting regime. Companies would do well to seek professional advice about how the regime operates.
The AFR has an interesting piece on it which …
Posted in Privacy
May 29, 2025
Legal sites are regular targets of cyber attacks. They contain considerable personal and financial information. The Legal Practice Board of Western Australia has recently been the subject of a data breach by the Dire Wolf ransomware gang involving the exfiltration of data, including personal information, which has been published on the darknet. The Dire Wolf gang posted about the theft on 26 May 2025. The Board published a statement on 27 May 2025. The gang claims to have stolen 300 gigabytes of data. It claims that it will post half the stolen data on 15 June and the balance on 30 June.
The Board has apparently obtained an ex parte injunction regarding the use of the material found on the dark net. This form of injunctive relief has become a relatively common response by organisations that have suffered a data breach and discovered that the stolen data has been placed on the dark web for sale. The limitations of the injunctions are obvious. An injunction has no more of a deterrent effect than a criminal prosecution. The second limitation is that thieves and those that buy the data are commonly located outside the jurisdiction and often based in a location which does not respond promptly, if at all, to orders of Australian courts.
The effectiveness of these injunctions has not been tested. Irrespective, organisations can refer to the injunctions as part of a rapid and comprehensive response to the data breach. That may be relevant for the regulators as well as for the persons whose personal information has been stolen. It does not address why the breach occurred in the first place. That is an entirely different issue. It is particularly telling that the Board seemed to be …
Posted in Privacy
May 27, 2025
On 10 June 2025 Australia will have a statutory tort of serious invasion of privacy. It fills a yawning gap in the law.
The impact of the law is an unknown, but businesses who collect and use data which includes personal information should evaluate their operations to prioritise data security and data minimisation. Given that the Privacy Commissioner has enhanced powers to issue infringement notices, such an exercise would also minimise exposure to intrusions from the regulator. This could involve modifying ways to deliver personalised services without unnecessary …
Posted in Privacy
The Federal Trade Commission (the “FTC”) is the prime regulator of privacy-related issues involving companies and agencies in the United States. It has been quite successful in obtaining settlements from large companies such as Facebook. The invariable way of attracting jurisdiction is a claim by a company that is misleading about what it does with information or about its data security. And that is what happened with GoDaddy. GoDaddy claimed to have provided “award winning security”. But it didn’t. It fell short to the point of failing to implement standard security tools and practices. Worse, it suffered security breaches between 2019 and 2022 involving access to customers’ websites and data. The FTC commenced proceedings in January this year and GoDaddy entered into an order with the FTC last week.
Features of the order are …
Posted in Federal Trade Commission, Privacy
May 25, 2025
Encryption is a critical part of privacy (to prevent misuse of information) and data security. It is also something that is very poorly understood and even more badly implemented. Properly implemented encryption provides real protection of personal information. It is not the only answer, but encrypting personal information goes a long way towards showing that a real attempt has been made to comply with APP 11 of the Privacy Act 1988. The key issue when assessing a data breach is whether personal information has been accessed and misused. If personal information has been encrypted then an organisation has a good story to tell the regulator, notwithstanding the breach, if there is an investigation.
The UK Information Commissioner has released guidance on the use of encryption. While it refers to UK legislation, the principles are equally applicable to the APPs in the Privacy Act.
Some of the relevant points …
Posted in Privacy, UK Information Commissioner's Office
May 22, 2025
The London Borough of Hammersmith and Fulham has been reprimanded by the UK Information Commissioner’s Office for leaving the personal information of 6,528 people, including 2,342 children (worse, 96 of whom were unaccompanied asylum seekers), on its publicly viewable site for almost 2 years. The breach was almost certainly caused by an employee responding to an FOI request made by WhatDoTheyKnow.com in October 2021. In responding to the FOI request the council provided an Excel spreadsheet which contained 35 hidden workbooks. That material was posted on both the Council site and the WDTK site. It was WDTK that noticed the data breach when, in November 2023, while reviewing the information on its site, it found the personal information and advised the Council. The information was immediately removed from both sites.
This type of mistake is quite common with government agencies. It is human error, often a combination of a lack of attention to detail and poor privacy training.
The ICO media release provides:
We have reprimanded the London Borough of Hammersmith and Fulham (the council) after it left exposed the personal information of 6,528 people for almost two years.
The personal data breach occurred when the council responded to a freedom of information (FOI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021. The response, published on the council’s website and WDTK, contained 10 workbooks which included personal information. …
Posted in Privacy, UK Information Commissioner's Office
May 19, 2025
The Information Commissioner releases a report of data breaches semi-annually. Those statistics are data breaches reported to the Commissioner under the Notifiable Data Breaches Scheme, or because the organisation or agency chooses to report out of an abundance of caution, or because the data breach has been reported in the media. There is no automatic requirement to notify the Commissioner of a data breach. There are entities that are exempt from coverage of the Privacy Act 1988, notably small businesses. And there are organisations that do their best to keep data breaches quiet. According to the report for the period July to December 2024, the Commissioner was notified of 595 data breaches. That makes for a total of 1,113 notifications in the year. That is over 200 more notifications than in 2023, which had 893 notifications.
What needs to be understood is that these figures only reflect a trend in data breaches. The number of actual data breaches suffered by Australian entities is far larger than those reported to the regulator.
Some interesting statistics regarding …
Posted in Commonwealth Privacy Commissioner, Privacy
Governments hold masses of personal and financial information, usually acquired by compulsion. That makes government websites a very attractive target for hackers. Government privacy protections can be spotty: good in parts and full of flaws elsewhere. Some departments are much better than others. In the UK the Legal Aid Agency has suffered a cyber attack resulting in criminal and financial information being stolen, according to the Times. Meanwhile in Australia the myGov network has been hacked and ATO refunds have been taken using stolen identities, according to the Australian. This has prompted a strident and very long response from the ATO. The Australian followed up with an article about myGov, More ATO tax hacking victims emerge as expert warns of myGov security issues.
Hackers are also running a worldwide cyber espionage campaign, dubbed Roundpress, using zero-day vulnerabilities and n-day flaws.
The Times article …
Posted in Privacy