Hundreds of email addresses shared by Victorian Victims of Crime Assistance Tribunal email error

October 1, 2024

The ABC reports in Hundreds of email addresses shared in Victims of Crime Assistance Tribunal administrative error that there was an accidental share of email addresses of victims of crime in an email advising of changes to the compensation application process. It appears that the email was a sent to multiple addressees, 480 the ABC has seen, however the addressees were not blind copied so the recipient could read the email address of other recipients.  The addresses included first and last names.  VOCAT sent 2 recall emails, which means very little. 

The damage is done.  Given the addressees are victims of crime, some of which may involve stalking, the presumed damage would be greater than might otherwise be the case. Damages in privacy cases have not been significant in Australian cases.  That is primarily because there have been relatively few reported cases where damages have been considered.  In the United Kingdom the courts also took a restrained approach to damages however with increased litigation and the bench’s greater understanding of how privacy breaches can impact a person the awards have risen.  And egregious privacy breaches have increased the ceiling over time.  In Victoria a complaint can be made under the Privacy and Data Protection Act 2014 with VCAT hearing a complaint.  Under Section 77(1)(a)(iv) it has jurisdiction to award damages of up to $100,000.  There has been only one instance where an award of damages has been made, Zeqaj v Victoria Police (Human Rights) [2018] VCAT 1733.  In that case the breach was proved and an award in the sum of $1,000 was made.  That is derisory.  The analysis was also very disappointing.  The jurisprudence in VCAT should not make a complainant optimistic.  It is very difficult to succeed, hence the award provision in the Act is virtually dead letter.  The analysis by VCAT is very disappointing and not consistent with privacy litigation in the UK or the USA, let alone Europe.   The Office of the Victorian Information Commissioner has a page titled Assessing compensation claims for loss in privacy complaints where it provides an overview of the law. It is fairly basic and not particularly sophisticated given the development of privacy in common law jurisdictions. It is useful given all complaints must proceed through the Victorian Information Commissioner. Many complaints are mediated and resolved there. Better that than taking one’s chances in VCAT. 

This type of error is all too common and especially prevalent in the public service. It is entirely preventable.  Proper training and Read the rest of this entry »

Victorian Information Commissioner launches an investigation into the University of Melbourne for using surveillance technology against students who were involved in a campus sit in

August 15, 2024

Last month the Office of the Victorian Information Commissioner was conducting preliminary enquiries with the University of Melbourne regarding the use of its surveillance technology to identify and bring misconduct hearings against students who undertook Pro Palestine sit ins. In July the University released a statement under the heading Conflict in the Middle East and activism on campus where it stated that “Last month the Office of the Victorian Information Commissioner was conducting preliminary enquiries with the University of Melbourne regarding the use of its surveillance technology to identify and bring misconduct hearings against students who undertook Pro Palestine sit ins. In July the University released a statement under the heading Conflict in the Middle East and activism on campus where it stated that it ” University of Melbourne”.. is a diverse, multi-cultural and multi-faith community..”, it “has a duty to uphold the principles of academic freedom and freedom of speech, and respect for legitimate and peaceful protest is core to our university’s values, as well as an activity protected by law”, it “operates fairly and in accordance with the law. Our policies also provide the basis for addressing actions or behaviours that adversely affect other members of the University community” and “to understand and implement appropriate support for students and graduate researchers during this time, with an increase in provisions for health and wellbeing, assessments, and safety on our campuses.” Waffly boilerplate that many organisations cobble together to cover and justify other activities and mask other behaviours not so consistent with the principles of the Enlightment which Universities should use as a touchstone. Such as using surveillance technology to bring action against students for conducting a sit in. As a result of disciplinary hearings 21 students received warnings. OVIC has now confirmed that it will launch an investigation into the University of Melbourne under the Privacy and Data Protection Act 2014.

The confirmation was reported by the Australian in “OVIC to probe Melbourne Uni over student surveillance” which provides:

The Office of the Victorian Information Commissioner will launch an investigation into the University of Melbourne after the academic institution used surveillance technology to gather evidence against students involved in a sit-in at a campus building.
Last month OVIC confirmed it was conducting preliminary enquiries with the university.
Victorian Information Commissioner Sean Morrison on Thursday confirmed the office has now decided to escalate the matter.
“Following conducting preliminary inquiries, the Privacy and Data Protection Deputy Commissioner has decided to commence an investigation under the Privacy and Data Protection Act 2014,” he said in a statement to The Australian.
“Given this is an active matter OVIC is unable to comment further until the investigation has concluded.”
In July, 21 students faced misconduct hearings before senior university representatives.
The students were notified of the disciplinary proceedings when the university sent them an email informing them they had breached its code of conduct during demonstrations and cited evidence from CCTV footage and Wi-Fi data obtained from the university’s network tracking their movements within the Arts West building during the 10-day sit in. Read the rest of this entry »

A & J Morphett Nominees Pty Ltd v JBT Lawyers Pty Ltd & Anor [2022] VSC 238 (17 May 2022): role of Stakeholder, where deposit held by solicitor as stakeholder on behalf of both parties to sale transaction & failed to refund deposit to purchaser who validly terminated the contract.

May 22, 2022

In A & J Morphett Nominees Pty Ltd v JBT Lawyers Pty Ltd & Anor [2022] VSC 238 Justice Dixon in upholding an appeal made important statements for practitioners on the role of stakeholders.

FACTS

On 26 November 2018 the appellant and Chloe Estelle Pty Ltd entered into the contract with the appellant paying the deposit of $42,000 to the respondent on 6 December 2018 [4].

On 21 March 2019, the appellant by written notice terminated the contract and requested that the respondent repay the deposit to it [4].

The appellant, A & J Morphett Nominees Pty Ltd, commenced proceedings against Chloe Estelle Pty Ltd, as first defendant, and the respondent, JBT Lawyers Pty Ltd, as second defendant in the Magistrates Court.  In its defence the respondent admitted that it received the deposit sum as a stakeholder as alleged by the appellant [6].

On 24 June 2019, the appellant entered default judgment in the proceeding against Chloe Estelle Pty Ltd, which included an amount for interest and costs [7]. The appellant did not recover against Chloe Estelle Pty Ltd as it was and on 18 July 2019, an administrator was appointed and it was subsequently ordered to be wound up. The liquidators made no claim for the deposit.

It was never been in dispute that the respondent received that sum as a stakeholder for the appellant and Chloe Estelle Pty Ltd [3].

On 29 March 2019, the Federal Circuit Court, per Small J,made an order in a Family Law dispute between different parties.  It relevantly Read the rest of this entry »

Police photographs of Dean Laidley and photographs taken inside police station a significant data breach and invasion of his privacy.

May 4, 2020

The arrest and charging of Dean Laidley for what has been described as stalking is a matter of public record.  He appeared before the Melbourne Magistrates Court and was remanded.  As no suppression or pseudonomysation orders  were made those details can be reported. 

However photographs police take of those charged are not public documents.  They are taken for the purpose of properly recording the processing of a person into custody.  Their purpose does not extend to providing colour to a story.  Further, other photographs taken in a police station of a suspect or a person charged are not for public consumption. Frankly there is no good reason for taking other still photographs. 

It is then appalling to see that the Herald Sun has Read the rest of this entry »

Victorian Information Commissioner finds that Public Transport Victoria has breached the privacy of myki users. A cause of action?

August 15, 2019

In a brilliant piece of analysis Dr Chris Culnane, Associate Professor Benjamin Rubinstein and Associate Professor Vanessa Teague of the University of Melbourne have demonstrated in their paper released today titled Stop the Open Data Bus, We Want to Get Off that de identification of unit record level data does not work without substantially altering the data to the point where its value is reduced.  The analysis was based on the data released by the Victorian Government in to a data science competition.  The authors have demonstrated that a combination of only needing a small number of points of information to make an individual unique and poor quality anonymisation and security techniques makes it quite easy to reidentify individuals. 

In the case of the myki data the authors found that “little to no de identification took place on the bulk of the data.”  They found it was a straightforward task to re identify two of the co authors cards.  They also established that is possible to identify a stranger from public information about their travel patterns, for example twitter to name just one source.  They identified Read the rest of this entry »

Victoria appoints its first Information Commissioner

August 30, 2017

As of 1 September 2017 the State of Victoria will have an Information Commissioner, replacing the position of Privacy Commissioner.  The Information Commissioner will also be responsible for Freedom of Information applications.

The inaugural Information Commissioner is Sven Bluemmel.  Mr Bluemmel was Read the rest of this entry »

Victoria police has yet another problem with data security… new breaches familiar pattern of behaviour

October 16, 2016

Misuse of confidential information and regular data breaches has been a longstanding and systemic problem for the Victorian Police Force.  In the past two years I have posted on problems with the misuse of the LEAP database, which contains personal information of Victorians, here and here.  Police documents containing sensitive personal information were found in the possession of outlaw bikie gang members in 2013.

In his 2016 annual report Victorian Commissioner for Privacy and Data Security set out problems in the Victorian Police with data management.  There was a 36% increase in data security breaches over the previous year.  The Commissioner identified Read the rest of this entry »

Misuse of private information/breach of confidence injunction in Victorian Supreme Court … according to Herald Sun

August 8, 2014

Breach of confidence actions involving personal information are more famously litigated in the United Kingdom.  Privacy related actions have developed and matured there while the action remains more tentative in Australia.  Or at least less developed.  That is not to say equity does not afford protection.  And that includes injunctive relief.  The Herald Sun reports in Suzie Wilks’ estranged husband Nick O?Halloran in court bid to prevent publication of top-secret letter about an injunction granted to a Mr O’Halloran by the Supreme Court last week.  There is no formal publication of any order or reasons for decision  according to Read the rest of this entry »

White hat hacks into Public Transport Victoria website

January 8, 2014

The Age reports in Schoolboy hacks Public Transport Victoria website how a 16 year old, Joshua Rogers, hacked into the Public Transport Victoria (“PTV”) website. The article notes that after Joshua notified the PTV of the security flaws it kindly notified the police and the Privacy Commissioner.  The reasons were not provided.  It will be interesting to see how both guardians, one of law and order and the other of privacy, will respond to the challenge.  Given PTV’s database contains vast amounts of personal information, including credit card details,the reported inadequacy of its on line security is a major concern.  Hopefully the Privacy Commissioner will take a robust approach when investigating this alleged failing. It would be fascinating to see what the results of a Privacy Impact Assessment by the PTV will reveal. Of course that won’t be made public.  Assuming it happens.

The article provides:

Personal information Read the rest of this entry »

Annual report of the Victorian Privacy Commissioner 2012/13 tabled in Victorian Parliament

September 20, 2013

The 2-12/13 annual report of the Victorian Privacy Commissioner was been tabled in Parliament on 19 September 2013 .  It is found here.  It provides for interesting reading, if that takes and holds your attention (as it does for me).

Some of the interesting statistics are that during 2012-13:

? the total number of complaints handled remains consistent with previous years;
? by a significant margin, Victorian government departments have been the subject of the highest number of privacy breach investigations over the past five reporting periods;
? the amount of complaints referred to VCAT for determination remains consistent with previous years;
? 76% of complaints referred to conciliation Read the rest of this entry »

Verified by MonsterInsights