The Australian Information Commissioner releases a Guide to health privacy

October 12, 2019

The Australian Information Commissioner has recently released a Guide to Health Privacy. At over 50 pages it is quite comprehensive. It is less equivocal than previous guides published by the Information Commissioner. That is not to say it does not descend into vague generality more than it should. The Commissioner's guidelines have no force of law under the Privacy Act 1988. That obvious fact has been stated by the Administrative Appeals Tribunal and the Federal Court. As they are not regulations, their use as a legal document is relatively limited. They do, however, serve as a standard which the Information Commissioner expects agencies and organisations to follow in order to comply with the Privacy Act.

While some of the Commissioner's previous and current guidelines are so vague, rubbery and equivocal as to be of little use, that is not really the key regulatory issue. The problem has always been the reluctance of the regulator to take enforcement action. That has been a 30-year problem. The powers available to the Commissioner have grown over the years. That has not been matched by

Prince Harry sues the Sun and the Mirror alleging phone hacking

October 5, 2019

A few days ago the Duchess of Sussex commenced proceedings against the Mail on Sunday alleging misuse of private information, breach of copyright and contravention of the General Data Protection Regulation. Now Prince Harry has commenced proceedings against the Sun and the Daily Mirror in relation to the hacking of his phone.

The pleadings are not public, so it is not possible to comment on the technical basis for the claim; however, it would appear to be also a misuse of personal information case, with the hacking of his phone being used as a basis for stories. He is using the law firm Cliffords, who brought many of the claims arising out of the practice of the News of the World in hacking the phones of members of the public. Those cases settled. It should be borne in mind that, as the Media Standards Trust reported in its 52-page report, most of the victims of phone hacking were not famous or

Duchess of Sussex sues the Mail on Sunday for misuse of private information, breach of copyright and breach of the GDPR

October 2, 2019

It is widely reported (in the Guardian, the Australian, the Nine Fairfax Press, the ABC etc) that Meghan, Duchess of Sussex has commenced proceedings in the High Court for misuse of private information. She has, as is often the case where private communications find their way into the media's hands, also alleged a breach of copyright. A breach of the General Data Protection Regulation is pleaded as a further cause of action.

The basis for the claim is a private letter from Meghan to her estranged father. Parts of that letter were extracted in an article in February 2019.

The United Kingdom courts have been industrious in developing the equitable cause of action of misuse of private information in the context of considering the operation of Articles 8 and 10 of the Human Rights Act. The development has proceeded to

Law firms are increasingly the target of data breaches

September 13, 2019

The Australian, in "Anxiety rising as law firms confirm cyber breaches", reports on a survey conducted by the Australian Legal Practice Management Association and GlobalX that found almost 20 per cent of Australian law firms that responded had been victims of a cybersecurity breach. This figure is consistent with US findings, such as the American Bar Association's 2017 Legal Technology Survey.

This is hardly news. The American Bar Association released a report in January 2019 dealing with the threat to US law firms which also set out, in practical terms, the processes and systems that reduce a law firm's exposure to a data security breach. Australian law societies have come some way in doing something similar, but not to the same extent. Unfortunately there seems to be a cultural problem, with law firms resisting spending enough on IT security, spending what budgets they have badly, and generally failing to develop and maintain decent privacy and data protection policies. Training tends to be superficial and irregular. Given that the weakest part of any cyber defence is the humans manning the phones, responding to emails and operating the computers, this is commonly a disaster waiting to happen. Junior administrative staff, often the usual targets for phishing, are ill-prepared for an attack.

Law firms are particularly prone to phishing and hacking of email accounts. Law firms, particularly those with a focus on commercial and property law, hold significant sums and bank details. Law firms are also prone to ransomware. In 2017 DLA Piper suffered a ransomware attack which forced it to shut down its worldwide digital operations.

The other problem with law firms' data security is the

Commonwealth Attorney General’s office involved in a privacy breach

September 2, 2019

Sometimes, in fact often, reality provides better copy than fiction. The Australian reports that the office of Christian Porter, the Commonwealth Attorney General, has been involved in a privacy breach. In sending an email regarding the religious discrimination bill, the office revealed the email addresses of more than 100 recipients. Many of the addressees are religious figures, but the list also included a judge and lawyers.

While the Australian's report

Information Commissioner releases the 6th notifiable breaches report, revealing 245 notifications between April and June 2019. She also announces a move to reporting semi-annually rather than quarterly

August 29, 2019

The Information Commissioner has released the latest report on reported, rather than actual, data breaches for the last quarter, April – June 2019. The report highlights what has long been known: that human factors are a major cause of breaches.

The report reveals that:

  • 34% of the breaches were caused by human error;
  • 62% were motivated by malicious or criminal attacks;
  • the number of reported breaches, at 245, is statistically greater than the 215 breaches in the January – March period but in line with the previous two quarters of 245 and 262;
  • 1 breach affected over a million people, 21 breaches affected over a thousand but less than 5,000 people, 52 breaches affected between 100 and 1,000, and the largest category, 61 breaches, affected a single person. The report does not identify which industries are affected by breaches impacting a large number of people;
  • contact information was affected in 220 of the breaches, while financial details were affected in 102 and health information on 67 occasions;
  • as is commonly the case, wrong email addresses were the cause of most human errors. Most of those errors were in the health sector;
  • phishing is by far the most common cause of cyber incidents;
  • the most notifications were from the health sector, 47, while finance had 42 notifications, followed by lawyers and accountants, 24.


Foreign Investment Review Board calls for data to be protected in foreign takeovers

August 21, 2019

It is now trite to say that data is a source of power and wealth. The new oil, to hear some commentators tell it. Data analytics is a rapidly expanding and developing field, with artificial intelligence driving that development. Companies collect as much personal information as they can and use it for analysis and marketing, to name just two uses. Organisations often collect more information than is required and keep it for much longer than necessary. Both are poor privacy practices which attract no censure from the regulator.

David Irvine, chief of the Foreign Investment Review Board, highlighted in a speech last Monday, 19 August 2019, the obvious point that in takeovers by foreign companies the personal information of Australians will be part of what is taken over. The FIRB will be

Victorian Information Commissioner finds that Public Transport Victoria has breached the privacy of myki users. A cause of action?

August 15, 2019

In a brilliant piece of analysis, Dr Chris Culnane, Associate Professor Benjamin Rubinstein and Associate Professor Vanessa Teague of the University of Melbourne have demonstrated in their paper released today, titled Stop the Open Data Bus, We Want to Get Off, that de-identification of unit record level data does not work without substantially altering the data to the point where its value is reduced. The analysis was based on the data released by the Victorian Government to a data science competition. The authors have demonstrated that the combination of needing only a small number of points of information to make an individual unique and poor quality anonymisation and security techniques makes it quite easy to re-identify individuals.

In the case of the myki data the authors found that "little to no de-identification took place on the bulk of the data." They found it was a straightforward task to re-identify two of the co-authors' cards. They also established that it is possible to identify a stranger from public information about their travel patterns, from Twitter for example, to name just one source. They identified

The Western Australian Government announces that it will start the process to implement privacy legislation in that state

August 12, 2019

Western Australia and South Australia have been outliers in not having any statutory framework for the protection of personal information. That is likely to change, a little, with the Western Australian Government, through its Attorney General, releasing a discussion paper titled Privacy and Responsible Information Sharing for the Western Australian public sector.

As the name suggests, whatever structure is implemented will only apply to personal information collected, used and stored by the Government and its agencies, statutory authorities and other instrumentalities. Even though it is a discussion paper, the Government is clearly envisaging following the legislative structure adopted in New South Wales, Victoria and Queensland. Each of those jurisdictions has a privacy and data protection act and has established

A significant data breach of medical histories at Neoclinical, an example of how not to respond to a data breach; meanwhile the ACCC commences action against HealthEngine for selling its customers' data. Big problems with data security in the health sector, no news there…

August 8, 2019

Paradoxically, the one type of data that is regarded as most sensitive, health information, is often the most poorly protected. The privacy protection culture is poor, insufficient resources are put into protecting personal information, and staff training is often rudimentary. There is a constant stream of breaches reported, including in the last fortnight thousands of pharmaceutical records leaked in the US, a data breach at Presbyterian Healthcare Services in Albuquerque which resulted in unauthorised access to the records of 183,000 patients, the all too regular instance of medical records in paper form being left on the street, this time in London, Canada, and a health centre in Kentucky paying a $70,000 ransom to unlock the medical records of 20,000 patients. There are clear challenges in securing personal information in health centres and hospitals, with many individuals having access to data at many terminals; however, the challenges are surmountable. Most data breaches are a result of poor practices and insufficient time, money and effort going into setting up proper hardware and software, establishing proper processes, and training and then more training.

The Nine/Fairfax press reports on a major data breach at Neoclinical, a company which matches individuals with active clinical trials. The data is sensitive by definition, but it is even more concerning given that the data Neoclinical held was users' responses to questions qualifying them for clinical trials. Those sorts of questions go to medical diagnoses, illicit drug use and treatments received. The breach involved its 37,170 users. The breach was detected by UpGuard, which sent an email to Neoclinical. Neoclinical did not notify the Information Commissioner about the breach when notified, or even shortly after. It did nothing until