Home affairs data breach exposes data of 700,000

May 4, 2020

Another depressingly familiar data breach involving the Federal Government’s handling of personal information. This time the Guardian reports a breach involving access to the personal details of 774,000 migrants and applicants. In this case the breach involved the inadvertent display, through the SkillsSelect platform, of details of those who had expressed an interest in migrating to Australia. The defect in the platform’s operation permits someone to access details of a person’s age, qualifications and marital status, as well as other information.

What is interesting is that the information dates back to 2014. According to the Guardian story, expressions of interest are stored for 2 years. Yet the database includes information stretching back 6 years. That in itself is a concern.

It will be interesting to see if

Group complaint lodged with the Information Commissioner against Optus for data breach involving 50,000 customers in October 2019

April 27, 2020

Lawyers Weekly has just reported that Maurice Blackburn has made a representative complaint against Optus arising out of a data breach in October 2019. It is the first representative complaint made under the Privacy Act 1988. It seems 2020 is proving to be an active year for use of the Privacy Act, with the Commissioner commencing civil penalty proceedings for the first time, and now this representative complaint.

Maurice Blackburn describes the complaint as

Australian Information Commissioner v Facebook Inc [2020] FCA 531 (22 April 2020): application for service outside of Australia, the Commissioner’s prima facie case. The opening round in the first civil proceeding for breach of the Privacy Act by the Commissioner

April 26, 2020

On 23 April 2020 in Australian Information Commissioner v Facebook Inc the Australian Information Commissioner successfully obtained interim suppression and non-publication orders, together with orders for service outside Australia and substituted service, against Facebook Inc.

This is the first of what is likely

Another email bungle, privacy breach involving names, addresses and birthdates

April 23, 2020

The Guardian reports on another email bungle resulting in a significant privacy breach, this time by the Australian Traffic Network. An operator at the Australian Traffic Network sent a document containing the personal information of more than 100 current and former staff as part of an internal email to existing staff. An email was originally sent on Monday to staff asking about eligibility for the JobKeeper payment. The follow-up the next day was the data breach, as it contained a table of staff names with their addresses and dates of birth. It provoked concern within the organisation, little wonder given

Significant data breach at the Federal Court of Australia revealing names of protection visa applicants

March 31, 2020

It was serendipitous that last Wednesday I presented a paper, via Zoom, at a Legalwise Seminar on Data Breaches: How to Respond, Notify and Remedy, given today’s report that there has been a significant data breach by the Federal Court, an agency for the purposes of the Privacy Act 1988. The “major systemic failure”, to use the Federal Court spokesman’s description, involved a searchable database that allowed the identities of 400 asylum seekers to be disclosed.

This breach would fall within Part IIIC of the Privacy Act 1988, the mandatory data breach notification regime. Going through the process would require an assessment of the breach, a determination as to whether the breach is likely to cause serious harm and, if so, the means of notifying the affected individuals. Based on the ABC report of the breach there would be legal and practical issues to address at each step. As to the assessment process, it is concerning that

Information Commissioner releases report that 537 notifiable data breaches for the last half of 2019 while worldwide the estimate of data records accessed unlawfully in 2019 reached 12.3 billion!

March 15, 2020

At the end of February the Australian Information Commissioner released the Report of Notifiable Data Breaches for the July – December 2019 period. There were 537 notifications, up from 460 in the previous 6 months, making 997 for the 2019 calendar year.

As usual, health service providers top the list, with 117 notifications, followed by finance with 77 notifications. Interestingly, though they make up less than 10% of notifications, there were 40 notifications from legal, accountancy and management services. In terms of the number of individuals affected, 132 notifications, about 20%, affected only one person’s personal information, but one breach affected more than 10,000,000. The majority of notifications, 309, affected from 2 to 1,000 individuals, while 13 notifications covered between 25,000 and 10,000,000.

Contact information was

The Australian Information Commissioner commences civil penalty proceedings against Facebook under section 13G of the Privacy Act

March 10, 2020

Yesterday, 9 March 2020, the Australian Information Commissioner commenced proceedings against Facebook in the Federal Court. The actual citation is Australian Information Commissioner v Facebook Inc & Facebook Ireland Limited (court number NSD 246/2020).

It has taken 2 years for the Information Commissioner to conclude her investigations regarding Facebook’s actions in permitting personal information to be misused through the This is Your Digital Life app, through which it was disclosed to Cambridge Analytica. The UK Information Commissioner resolved its investigation and issued a monetary penalty notice of 500,000 pounds in October 2018. The US Federal Trade Commission imposed a $5 billion penalty for Facebook’s breach of a previous order in July 2019.

This litigation will be significant as it is the first consideration of the operation of section 13G of the Privacy Act, a civil penalty proceeding for serious or repeated interference with privacy. Unfortunately the Information Commissioner has not proven to be an adept litigator to date, though Facebook’s egregious conduct in permitting its users’ personal information to be misused is well documented. What is less clear is how the Commissioner will convince the Court that the statutory limit of $1.7 million for an infraction applies to each breach. That will be a significant

Alinta Energy alleged non compliance with privacy regulations highlights what is all too common with poor regulation

March 2, 2020

Today the 7.30 program and the Nine/Fairfax press report on possible non-compliance with data storage conditions imposed on Alinta when it was sold to overseas, Chinese, purchasers. The source of the story is damaging internal documents questioning compliance.

The essence of the story, that Alinta is not complying with its data security obligations under the Privacy Act, is not as exciting as the media outlets suggest. It collects the personal information of 1.1 million customers, as do many large corporations and agencies. It may not be properly protecting that data.

Inadequate data security is a problem endemic throughout the business sector. Because regulation is light touch to the point of no contact, compliance is patchy at best. Some sectors are better than others, with banking, insurance and mining having reasonable structures and better compliance than other sectors because they are more often the targets of hackers and the consequences of a breach are significant. But for many businesses cyber security is an optional extra.

What makes the Alinta story notable is that strict data security conditions were imposed on the purchaser, a Chinese entity, as part of the approval process. There is no culture of privacy protection in China, and the Chinese government has a well deserved reputation for getting whatever benefit it can from western businesses, including the use of personal information. Having access to over a million people’s data can be useful.

A better story would have been

Report that Australian government releases sensitive health information to the police without warrants

January 29, 2020

It has long been known that the legislation in place to regulate the collection, use and protection of personal information is both porous, with many exceptions, and incomplete, not covering all organisations that collect personal information.

Even with these chronic problems with privacy legislation, the Medical Republic has discovered and reported on a government practice of releasing medical records to police without the need for a warrant or court order. The process is entirely administrative, without any right of review by the person whose data is being provided to police. The Guardian has also reported on the issue in Australian government secretly releasing sensitive medical records to police.

I provided comment on this little known scheme, amongst other privacy experts.

This process, covering medical records held under the Medicare Benefits and Pharmaceutical Benefits schemes, completely undermines the protections that are supposed to reside in the Privacy Act. It is anachronistic that

California now has comprehensive consumer privacy protection… well at least compared to the rest of the United States. Will it result in changes to Federal Privacy laws?

January 3, 2020

California’s much touted, and in some quarters feared, privacy law is now 2 days old and the West Coast of the USA has not slid into the sea. The Attorney General of California has set out the operation of the California Consumer Protection Act (CCPA) here with a short fact sheet.

It is common practice in the United States for significant law reform to emanate from the States and then for the Federal Government to legislate to cover the field and generally supersede those state laws. That is particularly the case where the law applies to commerce that crosses state boundaries, clearly a federal matter. Often that is done to establish uniformity, avoid duplication and improve efficiency. States also tend to be incubators for public policy experimentation, and successful policies tend to get picked up and adopted federally. That happened with welfare reform in the 1990s. That occasionally occurred in Australia; however, the States are rarely so ambitious these days and are content to have the Commonwealth organise uniformity through the COAG process, amongst other fora. The problem is that the genius of experimenting with new concepts has been suppressed for the sake of sameness. In the area of privacy that has resulted in a dismal Federal Act and