Data breach at the Alfred by curious pharmacist is just another in a long line of data breaches in the health sector

November 2, 2023

The health industry is notorious for its data breaches, in Australia, the United States, the United Kingdom and Europe. It is a chronic problem with many causes: dreadful culture, especially amongst medical staff, poor systems, poor training, large numbers of staff with many ways of accessing data, and such a rich load of personal information concentrated in one system. The information we are expected to provide to doctors, hospitals, ambulance providers, respite centres... the list goes on. In many cases the information is sufficiently broad and detailed to commit identity theft. The Age reports in ‘Curious’ pharmacist spied on patient records at The Alfred that an employed pharmacist accessed the personal information of 7,000 patients over a 4 year period without authorisation. That access included viewing the records of fellow staff members. This is a depressingly common occurrence, which I post on regularly, such as in August last year with Health advisor in the UK fined for unlawfully accessing patient records. In NSW such conduct resulted in a nurse having her registration cancelled, and UK Information Commissioner prosecutes unauthorised access to personal information is part of a growing problem, just by way of example. The Guardian reported last year that 24 UK doctors were censured in a 5 year period for medical record breaches. Earlier this week Ontario hospitals suffered a data breach as a result of a cyber attack. That data breach was caused by the ransomware group Daixin Team and it is leaking the data. Last Friday a Medibank owned health insurer, ahm, had to take down its online insurance quote form because personal information entered by one person was made available to another when the latter tried to fill out the form.

Alfred Health released a statement today about the privacy breach. There is not too much in the way of good corporate citizenry involved in this release. The investigation began in June; the pharmacist was subsequently sacked.

The Alfred Health’s statement provides:

Alfred Health chief executive Prof Andrew Way has issued a written apology to more than 7000 patients after their medical records were viewed by a healthcare worker while not directly involved in their care.

Prof Way said accessing patient information without a direct clinical reason is a breach of privacy and completely unacceptable.

“We deeply value the relationship we have with our patients, and the trust they put in us, and we unreservedly apologise for the healthcare worker’s misconduct,” Prof Way said.

“We have written to every patient whose medical record was accessed without authority, and we have invited them to call our dedicated hotline if they would like additional information or support.”

While cybersecurity experts reviewing the privacy-matter found no evidence of download or use of patient information, the former worker’s behaviour was a fundamental breach of professional standards.

“What began as healthcare worker’s legitimate professional access to the electronic medical records system morphed to include access for personal curiosity,” he said.

“As soon as this behaviour was confirmed, we terminated their employment and referred the matter to both the Australian Health Practitioner Regulation Agency (Ahpra) and the Australian Digital Health Agency.”

There is no evidence the, now, former employee kept a copy of any data, shared data online or otherwise misused patient data.

The health service is looking at whether there is technology available to improve the detection of unusual behaviour in the electronic medical record system, while still ensuring seamless access for time critical patient care.

The last sentence is the most apt: having technology and systems to improve detection of unusual behaviour. Of course there are such programs, and of course they operate in the health sector. That it took the Alfred 4 years to detect unusual behaviour, Read the rest of this entry »
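The detection Alfred Health says it is "looking at" is a routine retrospective audit of EMR access logs. The following is an added illustration, not Alfred Health's system or code: constructed access-log lines are checked against a constructed care-episode table, each view with no care relationship on that day is flagged (noting separately when it is a colleague's record or outside business hours), and users whose unjustified access recurs across several months are surfaced. The log format, the care-episode and staff tables, the business-hours window and the two-month threshold are all assumptions.

```python
"""Retrospective audit of electronic medical record (EMR) access logs.

Constructed example for the Alfred Health post. All data below is made up;
the log format, care-episode table, staff roster and thresholds are
assumptions, not any hospital's actual systems.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time

# Constructed EMR access log: timestamp, user id, patient id, action.
ACCESS_LOG = """\
2023-03-01T09:12:00 pharm42 P1001 VIEW
2023-03-01T09:40:00 pharm42 P1002 VIEW
2023-03-02T13:05:00 pharm42 P2001 VIEW
2023-04-11T22:15:00 pharm42 P2002 VIEW
2023-05-20T12:00:00 pharm42 P3001 VIEW
2023-06-02T08:30:00 nurse07 P1001 VIEW
2023-06-02T08:31:00 nurse07 P2002 VIEW
"""

# Constructed care episodes: (user, patient, start, end) means the user was
# on that patient's treating team for the period, so access is justified.
CARE_EPISODES = [
    ("pharm42", "P1001", date(2023, 2, 25), date(2023, 3, 5)),
    ("pharm42", "P1002", date(2023, 3, 1), date(2023, 3, 3)),
    ("nurse07", "P1001", date(2023, 6, 1), date(2023, 6, 10)),
]

# Constructed roster: patient ids belonging to current staff members.
STAFF_PATIENT_IDS = {"P2002", "P3001"}

# Assumed clinical working window; views outside it are a secondary signal.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    patient: str
    action: str


@dataclass(frozen=True)
class Finding:
    access: Access
    reasons: tuple


def parse_log(text):
    """Parse the constructed whitespace-separated log into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        records.append(Access(datetime.fromisoformat(ts), user, patient, action))
    return records


def has_care_relationship(user, patient, on_day, episodes):
    """True if the user was on the patient's treating team on that day."""
    return any(u == user and p == patient and start <= on_day <= end
               for u, p, start, end in episodes)


def audit(log_text, episodes=CARE_EPISODES, staff_ids=STAFF_PATIENT_IDS):
    """Return one Finding per record view that lacks a clinical justification."""
    findings = []
    for acc in parse_log(log_text):
        if acc.action != "VIEW":
            continue
        reasons = []
        if not has_care_relationship(acc.user, acc.patient, acc.when.date(), episodes):
            reasons.append("no care relationship")
            # Secondary signals only matter once the primary check has failed:
            # a clinician legitimately treating a colleague is not a finding.
            if acc.patient in staff_ids:
                reasons.append("staff member's record")
            if not BUSINESS_HOURS[0] <= acc.when.time() <= BUSINESS_HOURS[1]:
                reasons.append("outside business hours")
        if reasons:
            findings.append(Finding(acc, tuple(reasons)))
    return findings


def persistent_offenders(findings, min_months=2):
    """Users whose unjustified access recurs in at least min_months distinct months."""
    months = defaultdict(set)
    for f in findings:
        months[f.access.user].add(f.access.when.strftime("%Y-%m"))
    return {u: sorted(m) for u, m in months.items() if len(m) >= min_months}


if __name__ == "__main__":
    found = audit(ACCESS_LOG)
    for f in found:
        print(f.access.when, f.access.user, f.access.patient, "; ".join(f.reasons))
    print("persistent:", persistent_offenders(found))
```

A one-off unjustified view is a supervisor conversation; the same user appearing month after month is the pattern that a four-year run of curiosity access would have produced early on.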

Legal and Constitutional Affairs Legislation Committee questions Office of Information Commissioner in Senate Estimates on 23 October 2023

October 27, 2023

Senate Estimates are an invaluable way of scrutinising government departments and asking questions on issues that do not find their way into Government reports. So it was when the Senate Legal and Constitutional Affairs Legislation Committee asked some long overdue questions of the Information Commissioner on 23 October 2023. With the Information Commissioner, top of the list of questions is the delay in investigating complaints and the lack of vigorous enforcement by the Commissioner. Compared to other privacy regulators, the Australian Information Commissioner’s Office is tardy and timid.

Senator Shoebridge asked questions relating to those very issues. The answers were not particularly inspiring. The good Senator highlighted what privacy practitioners have long suspected, that the Commissioner doesn’t do enforcement. This extract is revealing:

Senator SHOEBRIDGE: How could it be that 1,748 data breaches are referred to your office with not a single penalty over two years? What has gone wrong?

Ms Falk: It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances.

Senator SHOEBRIDGE: It’s about never using the stick, isn’t it—never.

Ms Falk: That’s not the case. You’ll be aware that I do have proceedings before the Federal Court in relation to Facebook and also aware of the time that it takes for these matters to progress.

The regulatory strategy is not to take enforcement action. In the US or the UK enforcement would very much be to the fore. Here it is not the “right tool.” Little wonder that there is a very poor privacy culture. If enforcement is off the table there is Read the rest of this entry »

Information Commissioner releases Annual Report

October 25, 2023

It’s annual report time, and the Information Commissioner is no exception to this exercise ordained by law. And, in the tradition of the Australian Public Service, it was released on a Friday, the 19th of October to be exact, even though the Information Commissioner signed the report as being dated 3 October 2023. That way it avoids serious scrutiny by the traditional media: there is no time to push out a story for the weekend papers, and the electronic media would have no interest in it as a weekend story. By Monday the caravan has moved on.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) delivered work for the Australian community through unprecedented times in 2022–23 as millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme.

Releasing the OAIC’s annual report for 2022–23, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the volatile events of the financial year had underscored the need for the regulator to have the right foundations in place to promote and protect information access and privacy rights.

“Throughout the year, the OAIC has continued to develop and advocate for these foundations to support a proportionate and proactive approach to regulation. This includes appropriate laws, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and, importantly, collaboration,” Commissioner Falk said.

“As well as being a wake-up call for Australian organisations, the prominent data breaches emphasised how collaboration by regulators and government can assist in identifying and reducing harms.”

Commissioner Falk said the OAIC had sought to influence quality freedom of information (FOI) decision making by providing guidance to government agencies and working with them to improve the system. However, the OAIC still requires sufficient resources to meet current demand and address backlogs.

This year, applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years, and FOI complaints fell 2% to 212.

The OAIC finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 35% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

“We continued to engage with government agencies on issues of regulatory concern and to promote the principles of open by design, which support agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure,” Commissioner Falk said.

The OAIC performs an important privacy complaint handling role for the community. In 2022–23, it received 34% more privacy complaints (3,402, a record number) than in 2021–22.

In a year in which data breaches were so prominent, the OAIC received a 5% increase in notifications.

“Not surprisingly, our Australian Community Attitudes to Privacy Survey 2023 released soon after the end of the reporting period in August 2023, found that data breaches are seen as the number one privacy concern by the community,” Commissioner Falk said.

During 2022–23, the OAIC launched significant investigations into Optus, Medibank Private, Latitude Group and Australian Clinical Labs in relation to their data breaches. Investigations were also opened into the personal information handling practices of retailers Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.

The OAIC continues to co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission. During 2022–23, the OAIC provided advice on the privacy and confidentiality impacts of expanding the CDR to the non-bank lending sector, legislation to establish new functionality in the CDR to allow consumer-directed action and payment initiation, and new and amended data standards.

During the reporting period, the OAIC contributed to the Attorney-General’s Department’s review of the Privacy Act 1988. The Australian Government released its response to the review in September 2023 and legislation is expected in 2024.

“In the May 2023 Budget, the OAIC received additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future,” Commissioner Falk said.

“This is an opportunity full of promise and will occur alongside a change in the composition of the OAIC following the Australian Government’s announcement that the 3 statutory office holder model will be reinstated, with an Information Commissioner (as agency head), FOI Commissioner and Privacy Commissioner.

“The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.”

Read the OAIC Annual report 2022–23.

Key 2022–23 statistics

    • Received 1,647 applications for IC review of FOI decisions (down 16% compared to 2021–22) and finalised 1,519 (up 10%).
    • Received 212 FOI complaints (down 2%) and finalised 124 FOI complaints (down 44%). The fall in complaints finalised was due to a focus on finalising IC reviews received in 2018 and 2019.
    • Received 3,402 privacy complaints (up 34%) and finalised 2,576 privacy complaints (up 17%).
    • Received 895 notifications under the NDB scheme (up 5%) and finalised 77% of notifications within 60 days against a target of 80%.
    • Handled 11,672 privacy enquiries (up 7%) and 1,647 FOI enquiries (down 15%).

The overview provides:

In 2022–23 the OAIC delivered our work for the Australian community through unprecedented times, as tens of millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme in 2018.

With the welcome support of additional government funding for privacy, we commenced and have substantially progressed major investigations into these breaches. They have brought into sharp relief the requirement for boards across corporate Australia, Ministers and Secretaries of Departments, to prioritise investment in protecting personal information and limiting its collection and retention. As cyber-attacks become increasingly prevalent and impactful, it’s individuals who are at risk of harm but business and others with custody of personal information at risk of serious reputational damage.

This is why the OAIC seeks to serve the Australian people by putting the individual at the centre of our approach. We focus on applying our regulatory tools to promote access to government-held information and protect personal information. This means assessing where potential community impacts are most significant, being targeted in our approach, maximising the use of our resources, and adapting to a rapidly changing and increasingly complex environment.

Achieving that goal requires certain foundations to be in place: appropriate law, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and importantly, collaboration.

The OAIC has developed these foundations to take a proportionate and proactive approach to identifying and reducing harms. We have sought to influence quality Freedom of Information (FOI) decision-making by providing guidance to agencies and working with them to improve the system. However, to achieve the vision for the OAIC’s role in FOI requires sufficient resources to meet current demand and address backlogs which have arisen since the office’s establishment, resulting in a legacy case load that persists and continues to grow.

This year applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years primarily attributable to the Department of Home Affairs; and FOI complaints fell 2% to 212.

We finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 37% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

In 2018 the OAIC began efforts to garner support for a review of its functions and resourcing requirements, to ensure the organisation is positioned to meet the needs of the community. We have been consistent and persistent in our representations across all our functions. In the May 2023 Budget we were pleased to receive additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future. Read the rest of this entry »

The National Institute of the Science and Technology releases a Log Management Planning Guide

The National Institute of the Science and Technology (“NIST”) is hugely influential in providing systems and setting out standards in the area of cyber security. It has no real peer. That doesn’t mean it is given the credit it should be by many practitioners. NIST has released the Cybersecurity Log Management Planning Guide.

Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. It facilitates log usage and analysis for such things as identifying and investigating cybersecurity incidents, finding operational issues, and ensuring that records are stored for the required period of time.

The guide aims to assist organizations in improving their cybersecurity log management practices.

The Abstract provides:

A log is a record of events that occur within an organization’s computing assets, including physical and virtual platforms, networks, services, and cloud environments. Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. It facilitates log usage and analysis for many purposes, including identifying and investigating cybersecurity incidents, finding operational issues, and ensuring that records are stored for the required period of time. This document defines a playbook intended to help any organization plan improvements to its cybersecurity log management.

A log is a record of the events that occur within an organization’s computing assets, including physical and virtual platforms, networks, services, and cloud environments.

Log management:

  • is the process for generating, transmitting, storing, accessing, and disposing of log data.
  • facilitates log usage and analysis to identify and investigate cybersecurity incidents and to find operational issues, and ensures that records are stored for the required period of time.

The guide sets out Read the rest of this entry »

The UK Information Commissioner issues preliminary enforcement notice against Snap for failing to properly assess the privacy risk posed by its generative AI chatbot ‘My AI’

October 19, 2023

The privacy concerns regarding the use of AI have always been present. As usual, they have been pushed into the background as the potential and use of AI has dominated the debate. That does not mean that AI developers and users are exempt under the law, as Snap has discovered in the United Kingdom. The UK Information Commissioner has issued a preliminary enforcement notice against Snap regarding its failure to properly assess privacy risks when using its generative AI chatbot “My AI”. The UK Information Commissioner found that Snap’s risk assessment was defective, particularly as it related to children.

The media release provides:

    • Snap issued with preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’
    • Investigation provisionally finds Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17.

The Information Commissioner’s Office (ICO) has issued Snap, Inc and Snap Group Limited (Snap) with a preliminary enforcement notice over potential failure to properly assess the privacy risks posed by Snap’s generative AI chatbot ‘My AI’.

The preliminary notice sets out the steps which the Commissioner may require, subject to Snap’s representations on the preliminary notice. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. This means not offering the ‘My AI’ product to UK users pending Snap carrying out an adequate risk assessment. Read the rest of this entry »

Federal Government releases its long awaited response to the Privacy Act Review Report. A cautious yes to reform. The major caveat is when the reforms will be enacted and whether they will be enacted as proposed.

September 28, 2023

On the long and winding road that is privacy reform another turn has been reached. The Federal Government today released its response to the Privacy Act Review Report.

The Attorney General’s media release sounds a triumphalist tone, committing the Government to stronger protection after a landmark review. It provides:

The Albanese Government has committed to stronger privacy protections for Australians in its response today to the landmark review of the Privacy Act.

Australians increasingly rely on digital technologies for work, education, health care and daily commercial transactions and to connect with loved ones. But when they are asked to hand over their personal data they rightly expect it will be protected.

The Government’s response to the review agrees, or agrees in-principle, with the majority of the review’s proposals, including:

    • giving individuals greater control over their privacy by requiring entities to seek informed consent about the handling of personal information;
    • establishing stronger protections for children, including the introduction of a Children’s Online Privacy Code;
    • making entities accountable for handling individuals’ information and enhancing requirements to keep information secure, including destroying data when it is no longer needed; and
    • providing entities with greater clarity on how to protect individuals’ privacy, and simplifying their obligations when handling personal information on behalf of another entity.

The Government will also work with the small business sector, as well as employer and employee representatives, on enhanced privacy protections for private sector employees and for small businesses.

These next steps build on legislation passed last year which significantly increased penalties for repeated or serious privacy breaches, and provided the Australian Information Commissioner with greater powers to address privacy breaches.

The Attorney-General’s Department will conduct an impact analysis and continue to work with the community, business, media organisations and government agencies to inform the development of legislation and guidance material in this term of Parliament. The Government will also consider appropriate transition periods as part of the development of any legislation.

Privacy reform will complement other critical reforms being progressed by the Government, including Digital ID, the 2023-2030 Australian Cyber Security Strategy, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia.

The Albanese Government is committed to ensuring Australians can benefit from the latest technologies, while knowing that their personal information is safe and secure.

Why it is necessary to continue to consult is a mystery. The Australian Law Reform Commission underwent a comprehensive consultation, taking submissions and then providing a massive report in 2008. It did this again before its 2014 Report. The Victorian and New South Wales Law Reform Commissions have followed similar exercises. And then the Attorney General’s Department issued an Issues Paper, then a Discussion Paper and finally a Report. There is ample empirical data on how privacy legislation operates overseas. Supporters of reform will remain supporters, opponents will remain opponents. Another round of consultations and impact analysis will only delay reforms that should have been implemented 15 years ago. It will give opponents another chance to water down reforms. And they will take it if history is any guide.

The Australian covers the release with Labor targets small business privacy hit and Major privacy overhaul will thrust TikTok into legal spotlight. The Guardian covers the release with New laws will give Australians the right to sue for ‘serious’ breaches of privacy. The Sydney Morning Herald covers the story with Personal data to get greater protection, but targeted ads will keep coming. The ABC provides an overview with Government to overhaul privacy laws, including opting out of advertising, a right to be forgotten, and new rules for small businesses.

Most of the coverage is of sweeping reforms in the offing. But not all. In Govt kicks Privacy Act can down the road, Information Age, the publication of the Australian Computer Society, highlights that the Government has agreed to immediate implementation of relatively few proposals, 38 of the 116 recommendations. The Government agreed in principle with 68 of the recommendations. The most significant proposals are only agreed in principle, and with some, such as the small business exemption and employment records exemption, the time frame is open ended. Similarly Itnews interprets the response as stalling on some privacy reforms in Gov stalls on some privacy reforms with conditional support.

Some context is required to gauge how significant the response is. In 2008 the Australian Law Reform Commission published its landmark report on the Privacy Act, Report 108. It contained a root and branch review of the Privacy Act and provided a full suite of reform proposals. The Government of the day tentatively selected a few of the recommendations and amended the Privacy Act. It was a missed opportunity. Those recommendations are generally the gold standard in reform. The 2014 ALRC report was quite good but not as comprehensive as its 2008 Report. It was the basis of the Attorney General’s Privacy Review Report to which the Government responded today. That said, the Attorney General’s Review was quite tentative and cautious. It is a pale imitation of the 2008 ALRC suite of recommendations.

If the Government implements all the recommendations it has agreed to or agreed in principle then the Privacy Act will be much improved and people will have greater privacy protections. That said, it will be an incomplete reform because the Attorney General’s Department Report is incomplete. The reforms will be significant, but the concern remains as to when the reforms will be enacted and whether they will be watered down in the next round of consultations on the agreed in principle proposals.

Not surprisingly the Information Commissioner welcomes the proposed reforms. The regulator is a big winner in the suite of reforms. Its media release provides:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Australian Government’s response to the Attorney-General’s Department’s (AGD) review of the Privacy Act 1988 as a crucial step in ensuring Australia’s privacy framework is strengthened for the future.

“This is a vital set of proposals that will deliver significant gains for the Australian community,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“With increasing use of high impact technologies, it is critical that these reforms proceed as a priority alongside other key initiatives that rely on a strong privacy foundation such as the Australian Cyber Security Strategy and Digital ID framework.”

The OAIC’s Australian Community Attitudes to Privacy Survey makes clear the high priority Australians place on having the right legislative framework in place to hold regulated entities to account for the way they handle personal information. The survey found 89% of Australians would like to see government pass more legislation that protects their personal information.

“As the privacy regulator, it is pleasing to see support for the positive obligation that personal information handling is fair and reasonable, as a new keystone of the Australian privacy framework,” Commissioner Falk said.

“This is the most significant change to the Privacy Act in decades, and will require organisations to ensure that their practices are fair and reasonable in the first place.

“This will provide confidence to the Australian community that like a safety standard, privacy must be built into products and services from start.

“Key developments include enabling individuals to exercise new privacy rights and take direct action in the courts if their privacy is breached. These initiatives reflect the baseline privacy rights expected by our community.”

Reforms will also provide a greater range of enforcement powers to the OAIC, establish stronger privacy protections for children and enhance requirements in relation to the security of personal information and its destruction when it is no longer needed.

“As privacy regulator, the provision of tools and support will increase the OAIC’s ability to take regulatory action on behalf of the Australian people in a flexible and proportionate way, and to identify systemic privacy issues,” Commissioner Falk said.

There are a number of proposals that are subject to consultation and developing sufficient impact strategies before legislation is finalised, including changes to the small business exemption and the employee records exemption.

“We support the removal of these exemptions and acknowledge that it is important to engage with the business community so that we can fully understand and assist with their transition. The OAIC stands ready to support small businesses to make their compliance with privacy requirements easy,” Commissioner Falk said.

The Australian Government will consult with stakeholder groups before drafting further legislation to go before Parliament in 2024. The OAIC is well prepared and committed to lending its expertise to the next phase of this ambitious reform.

The proposed privacy reforms follow the passing in November 2022 of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which introduced significantly increased penalties for serious and repeated privacy breaches and greater powers for the OAIC to resolve breaches.

Part of the reason there is a poor privacy culture in Australia goes beyond the poor legislation. It is the dreadful history of regulation by the Privacy Commissioner and now the Information Commissioner. The regulator has been tentative and ineffective. A quick example: the Commissioner has been able to bring civil penalty actions since 2014. How many civil penalty proceedings have been commenced? Answer, one. Against Facebook, arising out of the Cambridge Analytica scandal. And that has not even got to trial yet. Have Australian companies been such paragons of virtue that there was no scope to bring any actions against them? There have been many breaches where the Commissioner could have taken action. To be fair, the current incumbent is much better than her predecessors.

The Report provides:

Introduction

The digital economy has led to innovation, advances in productivity and efficiency and a range of other benefits for Australians. However, the vast data flows underpinning digital ecosystems have also created the conditions for recent major data breaches affecting millions of Australians, with their sensitive personal information being exposed to the risk of identity fraud and scams. Strong privacy protections are critical to building the security, confidence and trust necessary to drive innovation and economic growth.

Australians are seeking greater protection in the handling of their personal information. The 2023 Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey (2023 ACAP survey) makes clear the high priority Australians place on the security of their personal information. Three in five (62%) of Australians surveyed see the protection of their personal information as a major concern in their life, and 75% consider that data breaches are one of the biggest privacy risks they face today (increasing by 13% since 2020). Only 32% feel in control of their data privacy, and 84% want more control and choice over the collection and use of their personal information. 89% would like the Government to provide more legislation in this area. Read the rest of this entry »

Why it is necessary to continue to consult is a mystery. The Australian Law Reform Commission underwent a comprehensive consultation, taking submissions and then providing a massive report in 2008. It did this again before its 2014 Report.  The Victorian and New South Wales Law Reform Commissions have followed similar exercises.  And then the Attorney General’s Department issued an Issues Paper, then a Discussion Paper and finally a Report.  There is ample empircal data of how privacy legislation operates overseas.  Supporters of reform will remain supporters, opponents will remain opponents.  Another round of consultations and impact analysis will only delay reforms that should have been impleted 15 years ago.  It will give opponents another chance to water down reforms.  And they will take it if history is any guide. 

The Australian covers the release with Labor targets small business privacy hit and Major privacy overhaul will thrust TikTok into legal spotlight. The Guardian covers the release with New laws will give Australians the right to sue for ‘serious’ breaches of privacy. The Sydney Morning Herald covers the story with Personal data to get greater protection, but targeted ads will keep coming.  The ABC provides an overview with Government to overhaul privacy laws, including opting out of advertising, a right to be forgotten, and new rules for small businesses

Most of the coverage is of sweeping reforms in the offing. But not all. In Govt kicks Privacy Act can down the road, Information Age, the publication of the Australian Computer Society, highlights that the Government has agreed to immediate implementation of relatively few proposals: 38 of the 116 recommendations. The Government agreed in principle with 68 of the recommendations. The most significant proposals are only agreed in principle, and with some, such as the small business exemption and the employment records exemption, the time frame is open ended. Similarly Itnews interprets the response as stalling on some privacy reforms in Gov stalls on some privacy reforms with conditional support.

Some context is required to gauge how significant the response is. In 2008 the Australian Law Reform Commission published its landmark report on the Privacy Act, Report 108. It contained a root and branch review of the Privacy Act and provided a full suite of reform proposals. The Government of the day tentatively selected a few of the recommendations and amended the Privacy Act. It was a missed opportunity. Those recommendations are generally the gold standard in reform. The 2014 ALRC report was quite good but not as comprehensive as the 2008 Report. It was the basis of the Attorney General’s Privacy Review Report, to which the Government responded today. That said, the Attorney General’s Review was quite tentative and cautious. It is a pale imitation of the 2008 ALRC suite of recommendations.

If the Government implements all the recommendations it has agreed to or agreed in principle then the Privacy Act will be much improved and people will have greater privacy protections. That said, it will be an incomplete reform because the Attorney General’s Department Report is incomplete. The reforms will be significant but the concern remains as to when the reforms will be enacted and whether they will be watered down in the next round of consultations on the agreed in principle proposals.

Not surprisingly the Information Commissioner welcomes the proposed reforms. The regulator is a big winner in the suite of reforms. Its media release provides:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Australian Government’s response to the Attorney-General’s Department’s (AGD) review of the Privacy Act 1988 as a crucial step in ensuring Australia’s privacy framework is strengthened for the future.

“This is a vital set of proposals that will deliver significant gains for the Australian community,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“With increasing use of high impact technologies, it is critical that these reforms proceed as a priority alongside other key initiatives that rely on a strong privacy foundation such as the Australian Cyber Security Strategy and Digital ID framework.”

The OAIC’s Australian Community Attitudes to Privacy Survey makes clear the high priority Australians place on having the right legislative framework in place to hold regulated entities to account for the way they handle personal information. The survey found 89% of Australians would like to see government pass more legislation that protects their personal information.

“As the privacy regulator, it is pleasing to see support for the positive obligation that personal information handling is fair and reasonable, as a new keystone of the Australian privacy framework,” Commissioner Falk said.

“This is the most significant change to the Privacy Act in decades, and will require organisations to ensure that their practices are fair and reasonable in the first place.

“This will provide confidence to the Australian community that, like a safety standard, privacy must be built into products and services from the start.

“Key developments include enabling individuals to exercise new privacy rights and take direct action in the courts if their privacy is breached. These initiatives reflect the baseline privacy rights expected by our community.”

Reforms will also provide a greater range of enforcement powers to the OAIC, establish stronger privacy protections for children and enhance requirements in relation to the security of personal information and its destruction when it is no longer needed.

“As privacy regulator, the provision of tools and support will increase the OAIC’s ability to take regulatory action on behalf of the Australian people in a flexible and proportionate way, and to identify systemic privacy issues,” Commissioner Falk said.

There are a number of proposals that are subject to consultation and developing sufficient impact strategies before legislation is finalised, including changes to the small business exemption and the employee records exemption.

“We support the removal of these exemptions and acknowledge that it is important to engage with the business community so that we can fully understand and assist with their transition. The OAIC stands ready to support small businesses to make their compliance with privacy requirements easy,” Commissioner Falk said.

The Australian Government will consult with stakeholder groups before drafting further legislation to go before Parliament in 2024. The OAIC is well prepared and committed to lending its expertise to the next phase of this ambitious reform.

The proposed privacy reforms follow the passing in November 2022 of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which introduced significantly increased penalties for serious and repeated privacy breaches and greater powers for the OAIC to resolve breaches.

Part of the reason there is a poor privacy culture in Australia goes beyond the poor legislation. It is the dreadful history of regulation by the Privacy Commissioner and now the Information Commissioner. The regulator has been tentative and ineffective. A quick example: the Commissioner has had civil penalty actions available since 2014. How many civil penalty proceedings have been commenced? Answer: one. Against Facebook, arising out of the Cambridge Analytica scandal. And that has not even got to trial yet. Have Australian companies been such paragons of virtue that there was no scope to bring any actions against them? There have been many breaches where the Commissioner could have taken action. To be fair, the current incumbent is much better than her predecessors.

The Report provides:

Introduction

The digital economy has led to innovation, advances in productivity and efficiency and a range of other benefits for Australians. However, the vast data flows underpinning digital ecosystems have also created the conditions for recent major data breaches affecting millions of Australians, with their sensitive personal information being exposed to the risk of identity fraud and scams. Strong privacy protections are critical to building the security, confidence and trust necessary to drive innovation and economic growth.

Australians are seeking greater protection in the handling of their personal information. The 2023 Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey (2023 ACAP survey) makes clear the high priority Australians place on the security of their personal information. Three in five (62%) of Australians surveyed see the protection of their personal information as a major concern in their life, and 75% consider that data breaches are one of the biggest privacy risks they face today (increasing by 13% since 2020). Only 32% feel in control of their data privacy, and 84% want more control and choice over the collection and use of their personal information. 89% would like the Government to provide more legislation in this area.

Federal Trade Commission and the US Department of Health and Human Services update guidance on collecting, using and sharing Consumer Health Information

September 24, 2023

The Federal Trade Commission (“FTC”) and the US Department of Health and Human Services (“HHS”) have jointly released updated guidance on collecting, using and sharing Consumer Health Information. As in Australia, New Zealand and the United Kingdom, guidance plays an important part in setting out the standards and expectations regulators have of individuals, companies and agencies who handle personal information. It is something of a myth that the United States has no privacy protections. In some areas the Federal regulations are very strong and breaches can result in harsh penalties. One such area is health data. The United States has very stringent laws regarding the collection, use and storage of health information.

The guidance is not wholly translatable to the Australian environment. The US legislation is quite specific and detailed. That said, the principles and methodologies applicable to handling health information are broadly similar. The principles involved in securing information are virtually identical.

The media release provides:

Ever wondered about the intersection of some of the health privacy and security-related laws and rules enforced by the Federal Trade Commission and the Department of Health and Human Services? You’re not alone, which is why FTC and HHS have teamed up to update a joint publication – Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule – that helps businesses learn more about their legal obligations.

Australian Securities Investment Commission (ASIC) is to target companies with weak cybersecurity while Minister for Home Affairs sets out 6 cyber shields

September 19, 2023

ASIC and the ACCC have become active in dealing with privacy issues where they have some jurisdiction through their respective governing acts. Part of that is because those matters fall within their remit, but more significantly because regulation in the privacy/cybersecurity space by the Information Commissioner has been so tepid, slow and tentative. Just as nature abhors a vacuum, if one regulator is slow on the uptake other regulators fill the void. That explains ASIC’s announcement at the Australian Financial Review Cyber Summit yesterday, as reported by the ABC, that it will target companies with weak cyber security plans. The Australian Financial Review also reports on this initiative with ASIC to target boards, execs for cyber failures. It has also been reported by the SMH with Watchdog takes aim at company directors over cybersecurity.

Traditionally such targeting would be the sole remit of the Information Commissioner, targeting a breach of APP 11. But cyber security breaches so affect corporate activities, the bailiwick of ASIC, and representations about protecting privacy, the ACCC’s patch, that other regulators have every right, and expectation, to become involved.

Clearly companies will be

At the Cyber Security Summit the Minister for Home Affairs, Clare O’Neil, gave a speech on cyber security announcing 6 cyber shields, which are:

  • Strong citizens and businesses that understand that they actually do have the power to protect themselves. By 2030 the government wants citizens and businesses to understand the cyber threat, understand the actions they can take to protect themselves and have proper supports in place so that when they are the victim of a cyber attack they are able to “get back up off the mat very quickly.”
  • Safe products. By 2030 the government wants clear global standards for digital safety in products that will help drive the development of security into those products from their very inception.
  • World-class threat sharing and threat blocking. By 2030 the government wants threat intelligence to be exchanged between government and business at real-time machine speed and then threats blocked before they cause any harm.
  • Protecting Australians’ access to critical infrastructure.
  • Sovereign capability. By 2030 the Government wants Australia to be a thriving cyber ecosystem where cyber security is a desirable profession for young people around the country and the system is adaptable in itself.
  • Undertaking coordinated global action and pushing for a more resilient region.

The 6 cyber shields, so described, are aspirational targets. Welcome, but definitely signposts rather than a means of dealing with the many immediate problems posed by data breaches. Some are heavily policy oriented, such as threat sharing, coordinated global activity and sovereign capability. The most practical are building understanding of cyber threats and having people respond to those threats. That is, and always was, complying with the APPs under the Privacy Act. To date that has been an optional extra for most businesses. With most not being concerned about enforcement there has been

Office of the Information Commissioner releases latest Data Breach Report. Useful, but it still under-reports the number of breaches in Australia. While the number of breaches notified reduced by 16% in this period, there was the first breach involving over 10 million people.

September 11, 2023

The Office of the Information Commissioner has released the latest Data Breach Report, covering the first half of 2023. It shows a reduction over the previous 6 months. It should be noted that there are usually more data breaches in the second half of a year.

Some of the interesting points made in the report were:

  • Health services continued to be the sector most affected by data breaches, with 63 of the total of 409 notifications.
  • 42% of the data breaches resulted from cyber security incidents.
  • 288 of the breaches were malicious or criminal attacks.
  • Human error breaches were the fastest to be identified, in 30 days or fewer.
  • 21 of the 23 breaches that affected over 5,000 Australians were caused by cyber incidents. Of these:
    • 7 were caused by ransomware,
    • 7 by compromised or stolen credentials,
    • 4 by hacking, and 1 each by brute-force attack, malware and phishing (compromised credentials).
  • The other 2 breaches that affected over 5,000 Australians in this period were caused by a rogue employee or insider threat and by theft of paperwork or a data storage device.
  • 87% of the information affected was contact information, such as an individual’s name, home address, phone number or email address.
  • In 78% of cases the breaches were identified in 30 days or less.

The media release provides:

The need for organisations to strengthen data security and promptly respond to suspected breaches is highlighted in the latest Notifiable data breaches report, released today.

The Office of the Australian Information Commissioner (OAIC) expects organisations to have robust and proactive procedures in place to protect the personal information they hold, Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Commissioner Falk said.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”

The Notifiable Data Breaches scheme aims to protect individuals by requiring that they are notified when they are at likely risk of serious harm from a data breach.

Dymocks suffers data breach, data placed on the dark web


Dymocks became aware of a data breach on 6 September 2023. It became aware via someone telling it that customer data had been put on the dark web. Dymocks notified customers on 8 September 2023. That is quite a quick notification, though it was inspired more by stolen customer data being posted on the dark web than by best practice. Dymocks’ notification on its website is quite good, brilliant by the dismal standards usually displayed by Australian companies. The content of the notice makes it clear that Dymocks is a long way from completing its damage assessment. It put out the Notice to get ahead of the story. That is generally a good idea. To see how bad things can get when an affected organisation doesn’t advise its customers, look at the way Optus and Medibank handled their respective data breaches.

Dymocks doesn’t know how much data has been exfiltrated (though it is reported elsewhere that up to 836,000 unique email addresses were stolen), it doesn’t know when the breach occurred, and it doesn’t know what data was taken, but suggests it is probably personal information and is definitely not financial information. That Dymocks discovered the data breach from a third party finding customer data on the dark web highlights a weakness in its data security. It is passé to rely merely on a perimeter defence and have no other means of monitoring hostile activity within the site. Organisations should use programs to test their cyber defences, such as Nessus and Metasploit. Perimeter defences get breached, often by use of purloined credentials, as was the case with HWL Ebsworth. Threat intelligence tools should be part of the toolkit of any organisation that collects and uses significant amounts of personal information. Companies should be using intrusion detection systems such as SolarWinds Event Manager, to name one of many.

The notice provides:

We recently became aware of a data breach of customer information. We have a strong commitment to customer privacy and data security and, while the magnitude of the breach has not been confirmed or determined at this stage, we are taking immediate action to investigate the incident and protect customers’ information.

Below is a summary of what we know, what we’re doing, and how we’ll continue to communicate further updates.

We apologise for any inconvenience or concern this situation causes customers. We are committed to providing updates as our investigation progresses. All necessary steps will be taken to safeguard customer data.

How we will communicate

Customers will be notified via email as we know more. We will also update this webpage with the latest updates.
