<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Peter A Clarke</title>
	<atom:link href="http://www.peteraclarke.com.au/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.peteraclarke.com.au</link>
	<description></description>
	<lastBuildDate>Thu, 17 May 2012 02:46:37 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>An interesting issue on how secrecy laws tend to corrupt reportage</title>
		<link>http://www.peteraclarke.com.au/2012/05/17/an-interesting-issue-on-how-secrecy-laws-tend-to-corrupt-reportage/</link>
		<comments>http://www.peteraclarke.com.au/2012/05/17/an-interesting-issue-on-how-secrecy-laws-tend-to-corrupt-reportage/#comments</comments>
		<pubDate>Thu, 17 May 2012 02:45:59 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=2010</guid>
		<description><![CDATA[In an interesting story on PM last night Heather Brooke was interviewed regarding the hacking scandal in the UK. Her take was far from sympathetic to what News Limited (as well as other media outlets) did in hacking emails and phones but she did make the point that there is a mass of [...]]]></description>
			<content:encoded><![CDATA[<p>In an interesting story on PM last night Heather Brooke was interviewed regarding the hacking scandal in the UK. Her take was far from sympathetic to what News Limited (as well as other media outlets) did in hacking emails and phones, but she did make the point that there is a mass of relevant information which should not be hidden behind secrecy, as is the case in the UK. She is the author of <a href="http://www.amazon.co.uk/The-Revolution-will-Digitised-Information/dp/0434020907">The Revolution will be Digitised: Dispatches from the Information War</a>.</p>
<p>The transcript of the piece is found <a href="http://www.abc.net.au/pm/content/2012/s3504400.htm">here</a>. It provides:</p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: The former editor of Rupert Murdoch&#8217;s News of the World, Rebekah Brooks, was one of six people charged last night in relation to Britain&#8217;s Operation Elveden. That&#8217;s the operation that&#8217;s looking into the bribery and suborning of public servants like police and tax officers. Many more charges are expected over time from Operation Weeting &#8211; that&#8217;s the one that&#8217;s looking into the hacking scandal more generally.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">So it might seem a bad time to be arguing for journalists to get more access to public information. But that is exactly the argument of Heather Brooke, author of The Revolution Will be Digitised: Dispatches from the Information War.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">British-born but American educated, she thinks that radical transparency is actually a way of preventing press abuse. Heather Brooke&#8217;s here for the Sydney Writers&#8217; Festival: I put it to her that some would be sceptical of her argument when sections of the media &#8211; in Britain especially &#8211; had been shown to be so corrupt.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: (laughs) Well, I always thought that the press in Britain were so sensationalistic mostly because they couldn&#8217;t access information legitimately and so the only way they could get information was they either had to get it through favouritism or a kind of collusion with the powers that be, or illegitimately.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: By bribery as we now know.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: Well, and I always wondered, like how do journalists do their jobs in Britain? Because when I worked as a &#8211; I used to work as a crime reporter amongst my different jobs in America &#8211; and the way you could cover crime there is it was all through public records. You know you could get all the crime reports, you could get all the jail arrests, you could see all the fire reports, everything &#8211; you just went in and you looked at them.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">In Britain all that stuff is secret. Even to this day <span id="more-2010"></span>you can&#8217;t access any of that information. So if you&#8217;re a reporter in Britain, like how do you cover crime?</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: You&#8217;re even very limited in what you can report from certain courts.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: Yeah exactly. Well you know now we have some idea how they&#8217;re doing it. They&#8217;re basically taking police out to lunch, taking them to bars, drinking with them.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: Slipping them brown envelopes.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: Yeah, there&#8217;s cases to show that.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: Tens of thousands of pounds, we know that now.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: And so… but I guess for me the point is what was the motivation to do that? Was it to just get basic information to write stories in the public interest, or was it to find out what Prince Harry was doing on his time off; who he was going to, which night clubs he was going to? Which, you know some might argue there&#8217;s a public interest in that, but it&#8217;s a bit more dubious.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">But I don&#8217;t know, there&#8217;s an interesting thing as well, that if you&#8217;re going to have to spend money to get information, you want a story that&#8217;s going to bring a lot of eyeballs onto your site; you&#8217;re not going to do it for some sort of very worthy public interest story. And so it does kind of in a way incentivise sensationalism.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The reason that freedom of information is good for the press is that it makes the cost of doing public service journalism lower and so it&#8217;s more likely that you can do it.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: Because we now know that Glenn Mulcaire, the private investigator, was paid over £1 million over a number of years.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: Wow! (laughs) he had a good job.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: Yeah but that&#8217;s expensive journalism isn&#8217;t it?</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: Yeah and that&#8217;s the thing. I mean I think a lot of what he was doing was basic &#8211; was just basic fact finding. I mean finding out did people have criminal records; finding out where people lived; doing reverse phone directory searches. So, as I say for example in America all that stuff is legal and legitimate &#8211; in Britain it&#8217;s not, so instantly you&#8217;re pushed into this black market.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">I was just writing about a piece in Dispatches that went out on Monday in Britain and it was all about private investigation firms. And their business is not with the media, their business is with corporations, corporate intelligence.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">So I do feel in a way that this focus on the press is a little bit misplaced because if we&#8217;re really concerned about violations of privacy, the press is not our problem &#8211; the press publishes what they find. The thing that we need to be concerned about are the people that don&#8217;t publish what they&#8217;re up to and that would be the intelligence agencies and corporations.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: And how much more do they know about us, generally, than they would have say 20 years ago?</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: A lot more. This is the other sort of dark side of digital information. So on the one hand it&#8217;s fantastic we can all type in Google and suddenly we can find everything out. On the other hand, it means that all of that Google information for example can be harvested by a government and they can start running algorithms and from those algorithms they can start predicting who they think is a trouble maker, or who do they think might be a potential terrorist.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: Can they predict how you&#8217;re going to vote yet?</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: Well there&#8217;s huge industries, particularly in America. One of the people I talk to in my book was running the Obama data part of the campaign and that&#8217;s all that they do they just buy up huge amounts of data from all these huge data brokers, contact point USA and things.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: So they work out from the kind of magazines you subscribe to for instance.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: Yeah.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: People who subscribe to gun magazines are I believe much more likely to vote Republican.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: Yeah.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: And so they triangulate all that, they get down the area you live, they can work out how much money you earn every year, all that kind of thing and work out a lot about you.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: They can. And the worrying thing about that is so much of it is subjective &#8211; they&#8217;re making predictions based on past behaviour or other people&#8217;s behaviour. But particularly when a government starts doing that and starts labelling people as being potential criminals, I mean that&#8217;s when you really think okay, I&#8217;m starting to get into Minority Report here &#8211; you know, I&#8217;m going to be arrested for pre-crime.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">But we are actually already seeing that, when people get put on watch lists, or no-fly lists, not because they&#8217;ve ever been charged or convicted of anything, just because they were talking to these people who we think are bad people or they have a relative who was friends with a person who we think is a terrorist even though he&#8217;s never been convicted.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">MARK COLVIN: There are two sides in any war; how do we defend ourselves in an information war?</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">HEATHER BROOKE: The first point is to be aware of what you&#8217;re doing online. We all leave this digital footprint when we&#8217;re online and we need to think about who owns that information that we are leaving online.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">I mean I don&#8217;t want us to become privacy fetishists where we just get all precious, you can&#8217;t take my picture if you&#8217;re standing in a public street &#8211; like don&#8217;t take my picture &#8211; it&#8217;s like it&#8217;s a public street, come on!</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">I don&#8217;t think we should be like that, but certainly when it comes to governments&#8217; quest to start controlling the internet &#8211; and this is not just authoritarian governments like China or Russia &#8211; it&#8217;s governments like Australia, like America, like Britain, who increasingly are following the path of China and thinking you know what we do actually want to know what everybody&#8217;s doing online, we do want access to all your Skype conversations, all your Twitter information, all your Google searches and then we&#8217;re going to start harvesting all that and running algorithms on it to think about whether we think you&#8217;re a potential future trouble maker or maybe an opposition; somebody who&#8217;s going to cause us issues in the future.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">When we see bills that come forward like in America with the SOPA PIPA, these piracy acts or these bills that are about controlling the internet, we need to really know that that&#8217;s what&#8217;s happening. It&#8217;s a power battle and it&#8217;s a battle over the free internet.</span></p>
<p>The piece is interesting as it shows how privacy is compromised by the digitisation of information. Her perspective is distinctly American, where data protection legislation is rudimentary compared to Australia&#8217;s, which is itself still less than optimal.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/05/17/an-interesting-issue-on-how-secrecy-laws-tend-to-corrupt-reportage/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Office of Australian Information Commissioner releases Data Breach Notification</title>
		<link>http://www.peteraclarke.com.au/2012/05/12/office-of-australian-information-commissioner-releases-data-breach-notification/</link>
		<comments>http://www.peteraclarke.com.au/2012/05/12/office-of-australian-information-commissioner-releases-data-breach-notification/#comments</comments>
		<pubDate>Sat, 12 May 2012 01:51:44 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=2005</guid>
		<description><![CDATA[The Office of the Australian Information Commissioner has released a guide to handling personal information security breaches. It is found here. It is a tome but a welcome one. I have extracted it here (without footnotes and page numbering): Key terms ALRC means the Australian Law Reform Commission Agency has the meaning set out in [...]]]></description>
			<content:encoded><![CDATA[<p>The Office of the Australian Information Commissioner has released a guide to handling personal information security breaches. It is found <a href="http://www.oaic.gov.au/publications/guidelines/privacy_guidance/data_breach_notification_guide_april2012.html">here</a>.</p>
<p>It is a tome but a welcome one.</p>
<p>I have extracted it here (without footnotes and page numbering):</p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Key terms</span><br />
<span style="color: #ff0000;">ALRC means the Australian Law Reform Commission</span><br />
<span style="color: #ff0000;">Agency has the meaning set out in s 6 of the Privacy Act and includes, amongst other things, a Minister, an Australian Government department, an ACT Government department, and a Norfolk Island agency.</span><br />
<span style="color: #ff0000;">Privacy Act means the Privacy Act 1988 (Cth).</span><br />
<span style="color: #ff0000;">Personal information has the meaning as set out in s 6 of the Privacy Act:</span><br />
<span style="color: #ff0000;">&#8230; personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.</span><br />
<span style="color: #ff0000;">Data breach means<span id="more-2005"></span>, for the purpose of this guide, when personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.</span><br />
<span style="color: #ff0000;">Note: The Privacy Act regulates the handling of personal information, and does not generally refer to ‘data’. As such, in the interest of consistency with the Act, the previous edition of this guide used the term ‘personal information security breach’.</span><br />
<span style="color: #ff0000;">However, the term ‘data breach’ has since entered into common usage in Australia and in various other jurisdictions. Accordingly, in the interests of clarity and simplicity, this guide uses the term ‘data breach’ rather than ‘personal information security breach’.</span><br />
<span style="color: #ff0000;">IPPs means the Information Privacy Principles set out in s 14 of the Privacy Act, which apply to agencies unless a listed exemption applies (see s 7 of the Privacy Act).</span><br />
<span style="color: #ff0000;">NPPs means the National Privacy Principles set out in Schedule 3 of the Privacy Act, which apply to organisations unless a listed exemption applies.</span><br />
<span style="color: #ff0000;">OAIC means the Office of the Australian Information Commissioner.</span><br />
<span style="color: #ff0000;">Organisation has the meaning set out in s 6C of the Privacy Act and, in general, includes all businesses and non-government organisations with an annual turnover of more than $3 million, all health service providers and a limited range of small businesses (see ss 6D and 6E of the Privacy Act).</span><br />
<span style="color: #ff0000;">TFN means Tax File Number. Part III of the Privacy Act includes provisions relating to TFNs. The OAIC has issued guidelines under s 17 of the Privacy Act to regulate the use of TFNs.</span><br />
<span style="color: #ff0000;">Background</span><br />
<span style="color: #ff0000;">The purpose of this guide</span><br />
<span style="color: #ff0000;">This guide was developed to assist agencies and organisations to respond effectively to data breaches.</span><br />
<span style="color: #ff0000;">The OAIC developed this guide in August 2008 in response to requests for advice from agencies and organisations, and in recognition of the global trends relating to data breach notification. In July 2011, the OAIC revised this guide to keep pace with the changing attitudes and approaches to data breach management.</span><br />
<span style="color: #ff0000;">In its 2008 report titled For Your Information: Australian Privacy Law and Practice (Report 108), the ALRC recommended that the Privacy Act be amended to impose a mandatory obligation to notify the Privacy Commissioner and affected individuals in the event of a data breach that could give rise to a ‘real risk of serious harm’ to the affected individuals (recommendation 51-1). The OAIC strongly supports that recommendation.</span><br />
<span style="color: #ff0000;">The Government has advised that it will consider the ALRC’s recommendation in its second stage response to Report 108.</span><br />
<span style="color: #ff0000;">Accordingly, this guide is aimed, in part, at encouraging agencies and organisations to voluntarily put in place reasonable measures to deal with data breaches (including notification of affected individuals and the OAIC), while legislative change is considered by the Government.</span><br />
<span style="color: #ff0000;">Scope of this guide</span><br />
<span style="color: #ff0000;">Data breach notification is an important option in responding to a data breach. However, a key challenge in responding to a data breach is determining if and when notification is an appropriate response.</span><br />
<span style="color: #ff0000;">This guide provides general guidance on key steps and factors for agencies and organisations to consider when responding to a data breach, including notification of breaches.</span><br />
<span style="color: #ff0000;">This guide encourages a risk-analysis approach. Agencies and organisations should evaluate data breaches on a case-by-case basis and make decisions on actions to take according to their own assessment of risks and responsibilities in their particular circumstances.</span><br />
<span style="color: #ff0000;">This guide also highlights the importance of preventative measures as part of a comprehensive information security plan (which may include a data breach response plan).</span><br />
<span style="color: #ff0000;">It is not intended that the advice in this guide be limited to data breaches that are breaches of the IPPs or NPPs. Rather, the guide is intended to apply to any situation where personal information has been compromised.</span></p>
<p><span style="color: #ff0000;">Who should use this guide?</span><br />
<span style="color: #ff0000;">This guide has been developed for use by Australian Government, ACT Government, and Norfolk Island agencies, and private sector organisations, that handle personal information and are covered by the Privacy Act.</span><br />
<span style="color: #ff0000;">State and Northern Territory government agencies, as well as private sector entities not covered by the Privacy Act, may find the guide helpful in outlining good privacy practice. However, the OAIC would not have a role in receiving notifications about data breaches experienced by those entities.</span><br />
<span style="color: #ff0000;">State and Northern Territory government agencies should also consider the role of relevant Privacy or Information Commissioners (or applicable privacy schemes) in their own jurisdictions.</span><br />
<span style="color: #ff0000;">Data breaches</span><br />
<span style="color: #ff0000;">How do data breaches occur?</span><br />
<span style="color: #ff0000;">Data breaches occur in a number of ways. Some examples include:</span><br />
<span style="color: #ff0000;">• lost or stolen laptops, removable storage devices, or paper records containing personal information</span><br />
<span style="color: #ff0000;">• hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased</span><br />
<span style="color: #ff0000;">• databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation</span><br />
<span style="color: #ff0000;">• employees accessing or disclosing personal information outside the requirements or authorisation of their employment</span><br />
<span style="color: #ff0000;">• paper records stolen from insecure recycling or garbage bins</span><br />
<span style="color: #ff0000;">• an agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address, and</span><br />
<span style="color: #ff0000;">• an individual deceiving an agency or organisation into improperly releasing the personal information of another person.</span></p>
<p><span style="color: #ff0000;">Preventing data breaches – obligations under the Privacy Act</span><br />
<span style="color: #ff0000;">Security is a basic element of information privacy. In Australia, this principle is reflected in the Privacy Act in both the IPPs and the NPPs.</span><br />
<span style="color: #ff0000;">Agencies and organisations are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure. This requirement is set out in IPP 4 for public sector agencies and NPP 4 for private sector organisations (see Appendix A for IPP 4 and NPP 4).</span><br />
<span style="color: #ff0000;">Section 18G(b) of the Privacy Act imposes equivalent obligations on credit reporting agencies and all credit providers. Similarly, guideline 6.1 of the statutory TFN guidelines requires TFN recipients to protect TFN information by such security safeguards as are reasonable in the circumstances.</span><br />
<span style="color: #ff0000;">Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan. Notification of the individuals who are or may be affected by a data breach, and the OAIC, may also be a reasonable step (see page 8).</span><br />
<span style="color: #ff0000;">Other obligations</span><br />
<span style="color: #ff0000;">Many agencies are subject to agency-specific legislative requirements that add further protections for personal information (such as secrecy provisions), as well as legislative and other requirements which apply more generally across government. These other requirements can include the Australian Government’s Protective Security Policy Framework and the Information Security Manual.</span><br />
<span style="color: #ff0000;">Organisations may also be subject to additional obligations through sector-specific legislation in respect of particular information they hold. For example, Part 13 of the Telecommunications Act 1997 (Cth) imposes obligations on the telecommunications industry in relation to the handling of certain telecommunications-related personal information. Some organisations may also have common law duties relating to the confidentiality of particular information.</span></p>
<p><span style="color: #ff0000;">Considerations for keeping information secure</span><br />
<span style="color: #ff0000;">Note: Some of the information in Step 4 of this guide (Preventing future breaches, page 31) could equally be used by agencies or organisations as a way of assessing what security measures are necessary to prevent data breaches.</span><br />
<span style="color: #ff0000;">What reasonable steps (as required by IPP 4 and NPP 4) are necessary to secure personal information will depend on context, including (but not limited to):</span><br />
<span style="color: #ff0000;">• the sensitivity (having regard to the affected individual(s)) of the personal information held by the agency or organisation</span><br />
<span style="color: #ff0000;">• the harm that is likely to result to individuals if there is a data breach involving their personal information</span><br />
<span style="color: #ff0000;">• the potential for harm (in terms of reputational or other damage) to the agency or organisation if their personal information holdings are breached, and</span><br />
<span style="color: #ff0000;">• how the agency or organisation stores, processes and transmits the personal information (for example, paper-based or electronic records, or by using a third party service provider).</span><br />
<span style="color: #ff0000;">Appropriate security safeguards for personal information need to be considered across a range of areas. This could include maintaining physical security, computer and network security, communications security and personnel security. To meet their information security obligations, agencies and organisations should consider the following steps:</span><br />
<span style="color: #ff0000;">• Risk assessment – Identifying the security risks to personal information held by the organisation and the consequences of a breach of security.</span><br />
<span style="color: #ff0000;">• Privacy impact assessments – Evaluating, in a systemic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations.</span><br />
<span style="color: #ff0000;">• Policy development – Developing a policy or range of policies that implement measures, practices and procedures to reduce the identified risks to information security.</span><br />
<span style="color: #ff0000;">• Staff training – Training staff and managers in security and fraud awareness, practices and procedures and codes of conduct.</span><br />
<span style="color: #ff0000;">• The appointment of a responsible person or position – Creating a designated position within the agency or organisation to deal with data breaches. This position could have responsibility for establishing policy and procedures, training staff, coordinating reviews and audits and investigating and responding to breaches.</span><br />
<span style="color: #ff0000;">• Technology – Implementing privacy enhancing technologies to secure personal information held by the agency or organisation, including through such measures as access control, copy protection, intrusion detection, and robust encryption.</span><br />
<span style="color: #ff0000;">• Monitoring and review – Monitoring compliance with the security policy, periodic assessments of new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place.</span><br />
<span style="color: #ff0000;">• Standards – Measuring performance against relevant Australian and international standards as a guide.</span><br />
<span style="color: #ff0000;">• Appropriate contract management – Conducting appropriate due diligence where services (especially data storage services) are contracted, particularly in terms of the IT security policies and practices that the service provider has in place, and then monitoring compliance with these policies through periodic audits.</span><br />
<span style="color: #ff0000;">Further, in seeking to prevent data breaches, agencies and organisations should consider their other privacy obligations under the IPPs and NPPs. Some breaches or risks of harm can be avoided or minimised by not collecting particular types of personal information or only keeping it for as long as necessary. Consider the following:</span><br />
<span style="color: #ff0000;">• What personal information is it necessary to collect? Personal information that is never collected cannot be mishandled. IPP 1 and NPP 1 require that agencies and organisations, respectively, only collect personal information that is necessary for one or more of their functions or activities. IPP 3 also requires that a collector of personal information take steps to ensure that the information collected is relevant to the purpose for which it was collected.</span><br />
<span style="color: #ff0000;">• How long does the personal information need to be kept? NPP 4.2 requires organisations to securely destroy or permanently de-identify information that is no longer needed for the permitted purposes for which it may be used or disclosed.</span><br />
<span style="color: #ff0000;">The IPPs do not contain a similar express obligation. However, destruction or de-identification of information that is no longer required will usually be a reasonable step to prevent the loss or misuse of that information (as required by IPP 4).</span><br />
<span style="color: #ff0000;">Accordingly, agencies should carefully consider retention practices, subject to record keeping requirements such as those contained in the Archives Act 1983 (Cth) (including their Records Disposal Authorities) or other legislation.</span></p>
<p><span style="color: #ff0000;">Why data breach notification is good privacy practice</span><br />
<span style="color: #ff0000;">Notifying individuals when a data breach involves their personal information supports good privacy practice for the following reasons:</span><br />
<span style="color: #ff0000;">•    Notification as a reasonable security safeguard – As part of the obligation to keep personal information secure, notification may, in some circumstances, be a reasonable step in the protection of personal information against misuse, loss or unauthorised access, modification or disclosure (as required by IPP 4 and NPP 4).</span><br />
<span style="color: #ff0000;">•    Notification as openness about privacy practices – Being open and transparent with individuals about how personal information may be handled is recognised as a fundamental privacy principle.17 Being open about the handling of personal information may include telling individuals when something goes wrong and explaining what has been done to try to avoid or remedy any actual or potential harm.18</span><br />
<span style="color: #ff0000;">•    Notification as restoring control over personal information – Where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, where an individual’s identity details have been stolen, once notified, the individual can take steps to regain control of their identity information by changing passwords or account numbers, or requesting the reissue of identifiers.</span><br />
<span style="color: #ff0000;">•    Notification as a means of rebuilding public trust – Notification can be a way of demonstrating to the public that an agency or organisation takes the security of personal information seriously, and is working to protect affected individuals from the harms that could result from a data breach. Customers may be reassured to know that an agency or organisation’s data breach response plan includes notifying them, the OAIC, and relevant third parties.</span><br />
<span style="color: #ff0000;">The OAIC strongly encourages notification in appropriate circumstances as part of good privacy practice, and in the interest of maintaining a community in which privacy is valued and respected.</span><br />
<span style="color: #ff0000;">The role of the Office of the Australian Information Commissioner</span><br />
<span style="color: #ff0000;">A data breach may constitute a breach of information security obligations under the Privacy Act; for example, the obligations imposed by the IPPs or NPPs, the TFN guidelines, or the credit reporting provisions of the Act. In those circumstances, the breach will be an interference with an individual’s privacy;19 individuals can complain about such interferences to the OAIC.</span><br />
<span style="color: #ff0000;">The OAIC has the function of investigating possible breaches of the Privacy Act. It also has the function of providing advice to agencies and organisations on any matter relevant to the operation of the Privacy Act. As such, the OAIC may provide general information on how to respond to a data breach.</span></p>
<p><span style="color: #ff0000;">Step 3(d) of this guide provides guidance on when it may be appropriate to notify the OAIC of a data breach. Consistent with its statutory functions, the OAIC may consider whether it needs to investigate the conduct. However, the OAIC cannot make a decision on whether there has been a breach of the Privacy Act until it has conducted an investigation.</span><br />
<span style="color: #ff0000;">If an individual thinks an agency or organisation covered by the Privacy Act has interfered with his or her privacy, and they have been unable to resolve the matter directly with the agency or organisation, they can complain to the OAIC. The OAIC may investigate and may attempt to resolve the matter by conciliation between the parties.</span><br />
<span style="color: #ff0000;">The Privacy Act does not impose specific penalties for breaches of the IPPs or NPPs. However, the Commissioner may make determinations requiring the payment of compensation for damages or other remedies, such as the provision of access or the issue of an apology. These determinations can be enforced by the Federal Court or Federal Magistrates Court.</span><br />
<span style="color: #ff0000;">Deliberate contraventions of some of the credit reporting provisions in Part IIIA of the Privacy Act carry specific penalties.</span><br />
<span style="color: #ff0000;">The OAIC also has the power to initiate an investigation on its own motion in appropriate circumstances without first receiving a complaint.</span><br />
<span style="color: #ff0000;">Agencies should also be aware that, under s 27(1)(j) of the Privacy Act, the Information Commissioner can inform the Minister responsible for the Privacy Act of action that needs to be taken by an agency in order to achieve compliance by the agency with the IPPs.</span><br />
<span style="color: #ff0000;">The OAIC conducts its investigations in private. However, in general, the OAIC will publish the outcomes of its investigations (in consultation with the subject agency or organisation).</span><br />
<span style="color: #ff0000;">In some circumstances, consistent with its roles of education and enforcement, the OAIC may publicise information about the information management practices of an agency or organisation.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Responding to data breaches: four key steps</span><br />
<span style="color: #ff0000;">Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.</span><br />
<span style="color: #ff0000;">As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.</span><br />
<span style="color: #ff0000;">There are four key steps to consider when responding to a breach or suspected breach:</span><br />
<span style="color: #ff0000;">Step 1: Contain the breach and do a preliminary assessment</span><br />
<span style="color: #ff0000;">Step 2: Evaluate the risks associated with the breach</span><br />
<span style="color: #ff0000;">Step 3: Notification</span><br />
<span style="color: #ff0000;">Step 4: Prevent future breaches</span><br />
<span style="color: #ff0000;">Each of the steps is set out in further detail below.</span><br />
<span style="color: #ff0000;">A chart summarising the data breach response process is set out at page 34. Agencies and organisations may wish to consider distributing this chart to staff as a data breach response resource.</span><br />
<span style="color: #ff0000;">General tips:</span><br />
<span style="color: #ff0000;">•    Be sure to take each situation seriously and move immediately to contain and assess the suspected breach.</span><br />
<span style="color: #ff0000;">•    Breaches that may initially seem immaterial may be significant when their full implications are assessed.</span><br />
<span style="color: #ff0000;">•    Agencies and organisations should undertake steps 1, 2 and 3 either simultaneously or in quick succession. In some cases it may be appropriate to notify individuals immediately, before containment or assessment of the breach occurs.</span><br />
<span style="color: #ff0000;">•    The decision on how to respond should be made on a case-by-case basis. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, agencies and organisations may choose to take additional steps that are specific to the nature of the breach.</span><br />
<span style="color: #ff0000;">Step 1: Contain the breach and do a preliminary assessment</span><br />
<span style="color: #ff0000;">Once an agency or organisation has discovered or suspects that a data breach has occurred, it should take immediate common sense steps to limit the breach. These may include the following:</span></p>
<p><span style="color: #ff0000;">Contain the breach</span><br />
<span style="color: #ff0000;">Take whatever steps possible to immediately contain the breach.</span><br />
<span style="color: #ff0000;">For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if it would result in loss of evidence, then revoke or change computer access privileges or address weaknesses in physical or electronic security.</span><br />
<span style="color: #ff0000;">Assess whether steps can be taken to mitigate the harm an individual may suffer as a result of a breach.</span><br />
<span style="color: #ff0000;">For example, if it is detected that a customer’s bank account has been compromised, can the affected account be immediately frozen and the funds transferred to a new account?</span><br />
<span style="color: #ff0000;">Initiate a preliminary assessment</span><br />
<span style="color: #ff0000;">Move quickly to appoint someone to lead the initial assessment. This person should have sufficient authority to conduct the initial investigation, gather any necessary information and make initial recommendations. If necessary, a more detailed evaluation may subsequently be required.</span><br />
<span style="color: #ff0000;">Determine whether there is a need to assemble a team that could include representatives from appropriate parts of the agency or organisation.</span><br />
<span style="color: #ff0000;">Consider the following preliminary questions:</span><br />
<span style="color: #ff0000;">•    What personal information does the breach involve?</span><br />
<span style="color: #ff0000;">•    What was the cause of the breach?</span><br />
<span style="color: #ff0000;">•    What is the extent of the breach?</span><br />
<span style="color: #ff0000;">•    What are the harms (to affected individuals) that could potentially be caused by the breach?</span><br />
<span style="color: #ff0000;">•    How can the breach be contained?</span><br />
<span style="color: #ff0000;">Does anyone need to be notified immediately?</span><br />
<span style="color: #ff0000;">Determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.</span><br />
<span style="color: #ff0000;">In some cases it may be appropriate to notify the affected individuals immediately (for example, where there is a high level of risk of serious harm to affected individuals).</span><br />
<span style="color: #ff0000;">Escalate the matter internally as appropriate, including informing the person or group within the agency or organisation responsible for privacy compliance.</span><br />
<span style="color: #ff0000;">It may also be appropriate to report such breaches to relevant internal investigation units.</span><br />
<span style="color: #ff0000;">If the breach appears to involve theft or other criminal activity, it will generally be appropriate to notify the police.</span><br />
<span style="color: #ff0000;">If the data breach is likely to involve a real risk of serious harm to individuals, or receive a high level of media attention, inform the OAIC. The OAIC may be able to provide guidance and assistance.</span><br />
<span style="color: #ff0000;">For more information on what the OAIC can and cannot do, see page 32.</span></p>
<p><span style="color: #ff0000;">Other matters</span><br />
<span style="color: #ff0000;">Where a law enforcement agency is investigating the breach, consult the investigating agency before making details of the breach public.</span><br />
<span style="color: #ff0000;">Be careful not to destroy evidence that may be valuable in determining the cause or would allow the agency or organisation to take appropriate corrective action.</span><br />
<span style="color: #ff0000;">Ensure appropriate records of the suspected breach are maintained, including the steps taken to rectify the situation and the decisions made.</span><br />
<span style="color: #ff0000;">An example of breach containment and preliminary assessment</span><br />
<span style="color: #ff0000;">An online recruitment agency accepts résumés from jobseekers and makes them available to recruiters and employers on a password protected website.</span><br />
<span style="color: #ff0000;">Jane, a jobseeker whose résumé is on the website, receives an email which she suspects is a ‘phishing’ email. The email is personalised and contains information from her résumé. It contains a number of spelling mistakes and offers her a job. The email claims that all Jane has to do to secure the job is to provide her bank account details so she can be paid. Jane advises the recruitment agency of her suspicions, and forwards a copy of the email to the recruitment agency.</span><br />
<span style="color: #ff0000;">The recruitment agency assigns a member from its IT team to undertake a preliminary assessment. It is found that the email is indeed a phishing email. It claims to be from a recruiter and directs the recipient to a website which asks them to enter further information. It also installs spyware on the recipient’s computer.</span><br />
<span style="color: #ff0000;">The recruitment agency attempts to establish how phishers came to have the résumé details of the jobseeker. The recruitment agency’s preliminary assessment reveals that the phishers have stolen legitimate user names and passwords from recruiters who use the agency’s website and have fraudulently accessed jobseeker information.</span><br />
<span style="color: #ff0000;">The IT team escalates the issue internally by informing senior staff members and quickly contains the breach by disabling the compromised recruiter accounts. Based on the IT team’s preliminary assessment, senior staff move to evaluate risks associated with the breach and consider what actions should be taken to mitigate any potential harm.</span><br />
<span style="color: #ff0000;">Step 2: Evaluate the risks associated with the breach</span><br />
<span style="color: #ff0000;">To determine what other steps are immediately necessary, agencies and organisations should assess the risks associated with the breach.</span><br />
<span style="color: #ff0000;">Consider the following factors in assessing the risks:</span><br />
<span style="color: #ff0000;">a)    The type of personal information involved.</span><br />
<span style="color: #ff0000;">b)    The context of the affected information and the breach.</span><br />
<span style="color: #ff0000;">c)    The cause and extent of the breach.</span><br />
<span style="color: #ff0000;">d)    The risk of serious harm to the affected individuals.</span><br />
<span style="color: #ff0000;">e)    The risk of other harms.</span><br />
<span style="color: #ff0000;">(a) Consider the type of personal information involved</span><br />
<span style="color: #ff0000;">Considerations</span><br />
<span style="color: #ff0000;">Comments and examples</span><br />
<span style="color: #ff0000;">Does the type of personal information that has been compromised create a greater risk of harm?</span><br />
<span style="color: #ff0000;">Some information is more likely to cause an individual harm if it is compromised, whether that harm is physical, financial or psychological.</span><br />
<span style="color: #ff0000;">For example, government-issued identifiers such as Medicare numbers, driver’s licence and health care numbers, health information, and financial account numbers such as credit or debit card numbers might pose a greater risk of harm to an individual than their name or address.</span><br />
<span style="color: #ff0000;">Also, a combination of personal information typically creates a greater risk of harm than a single piece of personal information.</span><br />
<span style="color: #ff0000;">It may also matter whether the information is permanent or temporary. Permanent information, such as someone’s name, place and date of birth, or medical history cannot be ‘re-issued’.</span><br />
<span style="color: #ff0000;">The permanence of the information may be more significant if it is protected by encryption – over time, encryption algorithms may be broken, so such information may be at greater longer term risk of being compromised. On the other hand, temporary information may have changed by the time it has been decrypted.</span><br />
<span style="color: #ff0000;">Who is affected by the breach?</span><br />
<span style="color: #ff0000;">Employees, contractors, the public, clients, service providers, other agencies or organisations?</span><br />
<span style="color: #ff0000;">Remember that certain people may be particularly at risk of harm. A data breach involving the name and address of a person might not always be considered high risk. However, a breach of a women’s refuge database containing name and address information may expose women who attend the refuge to a violent family member. There may be less risk if the breach only relates to businesses that service the refuge.</span><br />
<span style="color: #ff0000;">(b) Determine the context of the affected information and the breach</span><br />
<span style="color: #ff0000;">Considerations</span><br />
<span style="color: #ff0000;">Comments and examples</span><br />
<span style="color: #ff0000;">What is the context of the personal information involved?</span><br />
<span style="color: #ff0000;">What parties have gained unauthorised access to the affected information?</span><br />
<span style="color: #ff0000;">For example, a list of customers on a newspaper carrier’s route may not be sensitive information. However, the same information about customers who have requested service interruption while on vacation may be more sensitive.</span><br />
<span style="color: #ff0000;">The sensitivity of personal information that may also be publicly available (such as the type found in a public telephone directory) also depends on context. For example, what might be the implications of someone’s name and phone number or address being associated with the services offered, or the professional association represented?</span><br />
<span style="color: #ff0000;">To whom was the information exposed? Employee records containing information about employment history such as performance and disciplinary matters or a co-worker’s mental health might be particularly sensitive if exposed to other employees in the workplace and could result in an individual being the subject of humiliation or workplace bullying.</span></p>
<p><span style="color: #ff0000;">Have there been other breaches that could have a cumulative effect?</span><br />
<span style="color: #ff0000;">A number of small, seemingly insignificant, breaches could have a cumulative effect. Separate breaches that might not, by themselves, be assessed as representing a real risk of serious harm to an affected individual, may meet this threshold when the cumulative effect of the breaches is considered.</span><br />
<span style="color: #ff0000;">This could involve incremental breaches of the same agency or organisation’s database. It could also include known breaches from a number of different sources.</span><br />
<span style="color: #ff0000;">How could the personal information be used?</span><br />
<span style="color: #ff0000;">Could the information be used for fraudulent or otherwise harmful purposes, such as to cause significant embarrassment to the affected individual?</span><br />
<span style="color: #ff0000;">Could the compromised information be easily combined either with other compromised information or with publicly available information to create a greater risk of harm to the individual?</span><br />
<span style="color: #ff0000;">(c) Establish the cause and extent of the breach</span><br />
<span style="color: #ff0000;">Considerations</span><br />
<span style="color: #ff0000;">Comments and examples</span><br />
<span style="color: #ff0000;">Is there a risk of ongoing breaches or further exposure of the information?</span><br />
<span style="color: #ff0000;">What was the extent of the unauthorised access to or collection, use or disclosure of personal information, including the number and nature of likely recipients and the risk of further access, use or disclosure, including via mass media or online?</span><br />
<span style="color: #ff0000;">Is there evidence of theft?</span><br />
<span style="color: #ff0000;">Is there evidence that suggests theft, and was the information the target? For example, where a laptop is stolen, can it be determined whether the thief specifically wanted the information on the laptop, or the laptop hardware itself?</span><br />
<span style="color: #ff0000;">Evidence of theft could suggest a greater intention to do harm and heighten the need to provide notification to the individual, as well as law enforcement.</span><br />
<span style="color: #ff0000;">Is the personal information adequately encrypted, anonymised or otherwise not easily accessible?</span><br />
<span style="color: #ff0000;">Is the information rendered unreadable by security measures that protect the stored information? Is the personal information displayed or stored in such a way so that it cannot be used if breached?</span><br />
<span style="color: #ff0000;">For example, if a laptop containing adequately encrypted information is stolen, but is subsequently recovered and investigations show that the information was not accessed, copied or otherwise tampered with, notification to affected individuals may not be necessary.</span><br />
<span style="color: #ff0000;">What was the source of the breach?</span><br />
<span style="color: #ff0000;">For example, did it involve external or internal malicious behaviour, or was it an internal processing error? Does the information seem to have been lost or misplaced?</span><br />
<span style="color: #ff0000;">The risk of harm to the individual may be less where the breach is unintentional or accidental, rather than intentional or malicious.</span><br />
<span style="color: #ff0000;">For example, the client may have a common surname which leads a staff member to accidentally access the wrong client record. The access records show that the staff member immediately closed the client record once they became aware of their mistake. The risk of harm will be less in this case than in the case where a staff member intentionally and deliberately opens a client’s record to browse the record, or to use or disclose that information without a legitimate business reason for doing so.</span></p>
<p><span style="color: #ff0000;">Has the personal information been recovered?</span><br />
<span style="color: #ff0000;">For example, has a lost laptop been found or returned? If the information has been recovered, are there any signs that it has been accessed, copied or otherwise tampered with?</span><br />
<span style="color: #ff0000;">What steps have already been taken to mitigate the harm?</span><br />
<span style="color: #ff0000;">Has the agency or organisation contained the breach? For example, have compromised security measures such as passwords been replaced? Has the full extent of the breach been assessed? Are further steps required?</span><br />
<span style="color: #ff0000;">Is this a systemic problem or an isolated incident?</span><br />
<span style="color: #ff0000;">When checking the source of the breach, it is important to check whether any similar breaches have occurred in the past. Sometimes, a breach can signal a deeper problem with system security. This may also reveal that more information has been affected than initially thought, potentially heightening the awareness of the risk posed.</span><br />
<span style="color: #ff0000;">How many individuals are affected by the breach?</span><br />
<span style="color: #ff0000;">If the breach is a result of a systemic problem, there may be more people affected than first anticipated.</span><br />
<span style="color: #ff0000;">Even where the breach involves accidental and unintentional misuse of information, if the breach affects many individuals, the scale of the breach may create greater risks that the information will be misused. The agency or organisation’s response should be proportionate.</span><br />
<span style="color: #ff0000;">While the number of affected individuals can help gauge the severity of the breach, it is important to remember that even a breach involving the personal information of one or two people can be serious, depending on the information involved.</span><br />
<span style="color: #ff0000;">(d) Assess the risk of harm to the affected individuals</span><br />
<span style="color: #ff0000;">Considerations</span><br />
<span style="color: #ff0000;">Comments and examples</span><br />
<span style="color: #ff0000;">Who is the recipient of the information?</span><br />
<span style="color: #ff0000;">Is there likely to be any relationship between the unauthorised recipients and the affected individuals?</span><br />
<span style="color: #ff0000;">For example, was the disclosure to an unknown party or to a party suspected of being involved in criminal activity where there is a potential risk of misuse? Was the disclosure to a person against whom the individual has a restraining order, or to co-workers who have no need to have the information?</span><br />
<span style="color: #ff0000;">Or was the recipient a trusted, known entity or person that would reasonably be expected to return or destroy the information without disclosing or using it? For example, was the information sent to the individual’s lawyer instead of being sent to them, or to another party bound by professional duties of confidentiality or ethical standards?</span><br />
<span style="color: #ff0000;">What harm to individuals could result from the breach?</span><br />
<span style="color: #ff0000;">Examples include:</span><br />
<span style="color: #ff0000;">•    identity theft</span><br />
<span style="color: #ff0000;">•    financial loss</span><br />
<span style="color: #ff0000;">•    threat to physical safety</span><br />
<span style="color: #ff0000;">•    threat to emotional wellbeing</span><br />
<span style="color: #ff0000;">•    loss of business or employment opportunities</span><br />
<span style="color: #ff0000;">•    humiliation, damage to reputation or relationships, or</span><br />
<span style="color: #ff0000;">•    workplace or social bullying or marginalisation.</span></p>
<p><span style="color: #ff0000;">(e)    Assess the risk of other harms</span><br />
<span style="color: #ff0000;">Considerations</span><br />
<span style="color: #ff0000;">Comments and examples</span><br />
<span style="color: #ff0000;">Other possible harms, including to the agency or organisation that suffered the breach</span><br />
<span style="color: #ff0000;">Examples include:</span><br />
<span style="color: #ff0000;">•    the loss of public trust in the agency, government program, or organisation</span><br />
<span style="color: #ff0000;">•    reputational damage</span><br />
<span style="color: #ff0000;">•    loss of assets (for example, stolen computers or storage devices)</span><br />
<span style="color: #ff0000;">•    financial exposure (for example, if bank account details are compromised)</span><br />
<span style="color: #ff0000;">•    regulatory penalties (for example for breaches of the Privacy Act)</span><br />
<span style="color: #ff0000;">•    extortion</span><br />
<span style="color: #ff0000;">•    legal liability</span><br />
<span style="color: #ff0000;">•    breach of secrecy provisions in applicable legislation.</span><br />
<span style="color: #ff0000;">An example of evaluating the risks associated with the breach</span><br />
<span style="color: #ff0000;">A newspaper publisher receives a call from a newsagent that sells its newspapers. The newsagent says that the address labels on the bundles of newspapers delivered to his shop appear to show subscriber information printed on the other side. The information includes names, addresses and credit card details.</span><br />
<span style="color: #ff0000;">Following a preliminary investigation, the newspaper publisher confirms that some labels have been inadvertently printed on the back of subscriber lists.</span><br />
<span style="color: #ff0000;">As a first step to containing the breach, the publisher attempts to contact newsagencies that have received the newspapers and asks them to check the labels on the bundles and securely destroy any that show subscriber details on the back.</span><br />
<span style="color: #ff0000;">With these first steps completed, the newspaper publisher begins to evaluate the risks associated with the breach.</span><br />
<span style="color: #ff0000;">The information that was involved in the breach was name, address and credit card information. The newspaper has a large number of subscribers. Further investigations into the breach are unable to reveal how many subscribers’ details have been exposed.</span><br />
<span style="color: #ff0000;">The bundles of newspapers displaying subscriber information have been delivered to newsagencies in the early hours of the morning. The newspaper publisher notes that the subscriber information was therefore at risk of unauthorised access during the time between delivery and when the newsagents arrived to open shop.</span><br />
<span style="color: #ff0000;">Further investigations reveal that many newsagencies have already discarded the labels before checking could be carried out as to whether they contained subscriber information. This means that, in many cases, the subscriber lists may not have been securely destroyed.</span><br />
<span style="color: #ff0000;">The newspaper publisher concludes that the exposure of this information could present a real risk of serious harm (in this case, financial harm) to many individuals. Based on the conclusion that this is a serious breach, the publisher moves to notify subscribers. Given the large number of potentially affected individuals and the risk of serious financial harm, the publisher also notifies the OAIC, particularly as there is a real possibility that individuals may complain about the breach.</span></p>
<p><span style="color: #ff0000;">Government agency discovers routine breaches</span><br />
<span style="color: #ff0000;">An Australian Government agency undertakes a periodic audit of user access records. The audit reveals an unusual pattern of client account enquiries in one branch of the agency. The client records contain address information, financial information, and other details. The enquiries have occurred over a 12 month period.</span><br />
<span style="color: #ff0000;">After some investigation, which includes interviewing the relevant staff, managers and the department head, it is determined that a specific staff member, John, has been browsing the client accounts of his family and friends without any legitimate business purpose (and therefore without authorisation). There is no evidence that client information has been disclosed to any third party.</span><br />
<span style="color: #ff0000;">The agency recognises that some of the information in the client accounts (the financial information in particular) is sensitive information that is not readily available. The agency considers that there is real risk of embarrassment or other harms from the release of that information, especially to a person such as John, who has a personal relationship with the affected individuals and could combine the information with the details about the individuals that he already knows.</span><br />
<span style="color: #ff0000;">On that basis, the agency decides to notify the individuals affected by the unauthorised access. It also takes measures to prevent unauthorised access to client accounts by staff, and to ensure that all staff are aware of their obligations to act appropriately.</span><br />
<span style="color: #ff0000;">The agency considers that, having regard to the sensitivity of the information and the context of the breach, the breach is sufficiently serious to warrant notification to the OAIC.</span><br />
<span style="color: #ff0000;">Step 3: Notification</span><br />
<span style="color: #ff0000;">Agencies and organisations should consider the particular circumstances of the breach, and:</span><br />
<span style="color: #ff0000;">a) decide whether to notify affected individuals, and, if so</span><br />
<span style="color: #ff0000;">b) consider when and how notification should occur, who should make the notification, and who should be notified</span><br />
<span style="color: #ff0000;">c) consider what information should be included in the notification, and</span><br />
<span style="color: #ff0000;">d) consider who else (other than the affected individuals) should be notified.</span><br />
<span style="color: #ff0000;">Notification can be an important mitigation strategy that has the potential to benefit both the agency or organisation and the individuals affected by a data breach. The challenge is to determine when notification is appropriate. While notification is an important mitigation strategy, it will not always be an appropriate response to a breach. Providing notification about low risk breaches can cause undue anxiety and de-sensitise individuals to notice. Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required.</span><br />
<span style="color: #ff0000;">In general, if a data breach creates a real risk of serious harm to the individual, the affected individuals should be notified.</span></p>
<p><span style="color: #ff0000;">Prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves. Agencies and organisations should:</span><br />
<span style="color: #ff0000;">•    take into account the ability of the individual to take specific steps to mitigate any such harm, and</span><br />
<span style="color: #ff0000;">•    consider whether it is appropriate to inform third parties such as the OAIC, the police, or other regulators or professional bodies about the data breach.</span><br />
<span style="color: #ff0000;">(a) Deciding whether to notify affected individuals</span><br />
<span style="color: #ff0000;">Agencies and organisations should consider whether their obligations under IPP 4 or NPP 4 require them to notify affected individuals and the OAIC (as a ‘reasonable step’ to ensure the security of personal information that they hold).</span><br />
<span style="color: #ff0000;">The key consideration is whether notification is necessary to avoid or mitigate serious harm to an affected individual.</span><br />
<span style="color: #ff0000;">Agencies and organisations should consider the following factors when deciding whether notification is required:</span><br />
<span style="color: #ff0000;">•    What is the risk of serious harm to the individual as determined by step 2?</span><br />
<span style="color: #ff0000;">•    What is the ability of the individual to avoid or mitigate possible harm if notified of a breach (in addition to steps taken by the agency or organisation)? For example, would an individual be able to have a new bank account number issued to avoid potential financial harm resulting from a breach? Would steps such as monitoring bank statements or exercising greater vigilance over their credit reporting records assist in mitigating risks of financial or credit fraud?</span><br />
<span style="color: #ff0000;">•    Even if the individual would not be able to take steps to fix the situation, is the information that has been compromised sensitive, or likely to cause humiliation or embarrassment for the individual?</span><br />
<span style="color: #ff0000;">•    What are the legal and contractual obligations to notify, and what are the consequences of notification?</span><br />
<span style="color: #ff0000;">There may be adverse consequences if an agency or organisation does not notify affected individuals. For example, if the public, including the affected individuals, subsequently find out about the breach through the media, there may be loss of public trust in the agency or organisation (which, in turn, could have its own costs).</span><br />
<span style="color: #ff0000;">(b) Notification process</span><br />
<span style="color: #ff0000;">At this stage, the organisation or agency should have as complete a set of facts as possible and have completed the risk assessment to determine whether to notify individuals. The following tables set out some of the considerations in the notification process.</span><br />
<span style="color: #ff0000;">Sometimes the urgency or seriousness of the breach dictates that notification should happen immediately, before having all the relevant facts.</span></p>
<p><span style="color: #ff0000;">When to notify</span><br />
<span style="color: #ff0000;">In general</span><br />
<span style="color: #ff0000;">Other considerations</span><br />
<span style="color: #ff0000;">Individuals affected by the breach should be notified as soon as reasonably possible.</span><br />
<span style="color: #ff0000;">If law enforcement authorities are involved, check with those authorities whether notification should be delayed to ensure that the investigation is not compromised.</span><br />
<span style="color: #ff0000;">Delaying the disclosure of details about a breach of security or information systems may also be appropriate until that system has been repaired and tested or the breach contained in some other way.</span><br />
<span style="color: #ff0000;">How to notify</span><br />
<span style="color: #ff0000;">In general</span><br />
<span style="color: #ff0000;">Other considerations</span><br />
<span style="color: #ff0000;">The recommended method of notification is direct – by phone, letter, email or in person – to the affected individuals.</span><br />
<span style="color: #ff0000;">Indirect notification, either by website information, posted notices, media, should generally only occur where direct notification could cause further harm, is cost-prohibitive, or the contact information for affected individuals is not known.</span><br />
<span style="color: #ff0000;">Preferably, notification should be ‘standalone’ and should not be ‘bundled’ with other material unrelated to the breach, as it may confuse recipients and affect the impact of the breach notification.</span><br />
<span style="color: #ff0000;">In certain cases, it may be appropriate to use multiple methods of notification.</span><br />
<span style="color: #ff0000;">Agencies and organisations should also consider whether the method and content of notification might increase the risk of harm, such as by alerting the person who stole the laptop of the value of the information on the laptop, if it would not otherwise be apparent.</span><br />
<span style="color: #ff0000;">To avoid being confused with ‘phishing’ emails, email notifications may require special care. For example, only communicate basic information about the breach, leaving more detailed advice to other forms of communication.</span></p>
<p><span style="color: #ff0000;">Who should notify</span><br />
<span style="color: #ff0000;">In general</span><br />
<span style="color: #ff0000;">Other considerations</span><br />
<span style="color: #ff0000;">Typically, the agency or organisation that has a direct relationship with the customer, client or employee should notify the affected individuals.</span><br />
<span style="color: #ff0000;">This includes where a breach may have involved handling of personal information by a third party service provider, contractor or related body corporate.</span><br />
<span style="color: #ff0000;">Joint and third party relationships can raise complex issues. For example, the breach may occur at a retail merchant but involve credit card details from numerous financial institutions, or the card promoter may not be the card issuer (for example, many airlines, department stores and other retailers have credit cards that display their brand, though the cards are issued by a bank or credit card company). Or the breach may involve information held by a third party ‘cloud’ data storage provider, based outside of Australia.</span><br />
<span style="color: #ff0000;">The issues in play in each situation will vary. Organisations and agencies will have to consider what is best on a case by case basis. However some relevant considerations might include:</span><br />
<span style="color: #ff0000;">•    Where did the breach occur?</span><br />
<span style="color: #ff0000;">•    Who does the individual identify as their ’relationship’ manager?</span><br />
<span style="color: #ff0000;">•    Does the agency or organisation that suffered the breach have contact details for the affected individuals? Are they able to obtain them easily? Or could they draft and sign off the notification, for the lead organisation to send?</span><br />
<span style="color: #ff0000;">•    Is trust important to the organisation’s or agency’s activities?</span><br />
<span style="color: #ff0000;">Who should be notified?</span><br />
<span style="color: #ff0000;">In general</span><br />
<span style="color: #ff0000;">Other considerations</span><br />
<span style="color: #ff0000;">Generally, it should be the individual(s) affected by the breach. However, in some cases it may be appropriate to notify the individual’s guardian or authorised representative on their behalf.</span><br />
<span style="color: #ff0000;">There may be circumstances where carers or authorised representatives should be notified as well as, or instead of, the individual.</span><br />
<span style="color: #ff0000;">Where appropriate, clinical judgement may be required where notification may exacerbate health conditions, such as acute paranoia.</span></p>
<p><span style="color: #ff0000;">(c) What should be included in the notification?</span><br />
<span style="color: #ff0000;">The content of notifications will vary depending on the particular breach and the notification method. In general, the information in the notice should help the individual to reduce or prevent the harm that could be caused by the breach. Notifications should include the types of information detailed in the table below.</span><br />
<span style="color: #ff0000;">Incident Description</span><br />
<span style="color: #ff0000;">Information about the incident and its timing in general terms. The notice should not include information that would reveal specific system vulnerabilities.</span><br />
<span style="color: #ff0000;">Type of personal information involved</span><br />
<span style="color: #ff0000;">A description of the type of personal information involved in the breach.</span><br />
<span style="color: #ff0000;">Be careful not to include personal information in the notification, to avoid possible further unauthorised disclosure.</span><br />
<span style="color: #ff0000;">Response to the breach</span><br />
<span style="color: #ff0000;">A general account of what the agency or organisation has done to control or reduce the harm, and proposed future steps that are planned.</span><br />
<span style="color: #ff0000;">Assistance offered to affected individuals</span><br />
<span style="color: #ff0000;">What the agency or organisation will do to assist individuals and what steps the individual can take to avoid or reduce the risk of harm or to further protect themselves.</span><br />
<span style="color: #ff0000;">For example, whether the agency or organisation can arrange for credit monitoring or other fraud prevention tools, or provide information on how to change government issued identification numbers (such as a driver’s licence number).</span><br />
<span style="color: #ff0000;">Other information sources</span><br />
<span style="color: #ff0000;">Sources of information designed to assist individuals in protecting against identity theft or interferences with privacy.</span><br />
<span style="color: #ff0000;">For example, guidance on the OAIC’s website at www.oaic.gov.au and the Attorney-General’s Department website at www.ag.gov.au/www/agd/agd.nsf/page/Crimeprevention_Identitysecurity.</span><br />
<span style="color: #ff0000;">Agency/ organisation contact details</span><br />
<span style="color: #ff0000;">Contact information of areas or personnel within the agency or organisation that can answer questions, provide further information or address specific privacy concerns.</span><br />
<span style="color: #ff0000;">Where it is decided that a third party will notify of the breach, a clear explanation should be given as to how that third party fits into the process and who the individual should contact if they have further questions.</span><br />
<span style="color: #ff0000;">Whether breach notified to regulator or other external contact(s)</span><br />
<span style="color: #ff0000;">Indicate whether the agency or organisation has notified the OAIC or other parties listed in the table at step 3(d).</span><br />
<span style="color: #ff0000;">Legal implications</span><br />
<span style="color: #ff0000;">The precise wording of the notice may have legal implications; organisations and agencies should consider whether they should seek legal advice. The legal implications could include secrecy obligations that apply to agencies.</span></p>
<p><span style="color: #ff0000;">How individuals can lodge a complaint</span><br />
<span style="color: #ff0000;">With the agency or organisation</span><br />
<span style="color: #ff0000;">Provide information on internal dispute resolution processes and how the individual can make a complaint to the agency or organisation or industry complaint handling bodies.</span><br />
<span style="color: #ff0000;">With the OAIC (where the agency or organisation is covered by the Privacy Act)</span><br />
<span style="color: #ff0000;">Explain that if individuals are not satisfied with the response by the agency or organisation to resolve the issue, they can make a complaint to the OAIC. The OAIC’s contact details are set out at page 33.</span><br />
<span style="color: #ff0000;">With the relevant state or territory privacy or information regulator (where the agency or organisation is not covered by the Privacy Act).</span><br />
<span style="color: #ff0000;">See Appendix B for the contact details of State and Territory regulators.</span></p>
<p><span style="color: #ff0000;">(d) Who else should be notified?</span><br />
<span style="color: #ff0000;">In general, notifying the OAIC, or other authorities or regulators should not be a substitute for notifying affected individuals. However, in some circumstances it may be appropriate to notify these third parties.</span></p>
<p><span style="color: #ff0000;">The OAIC strongly encourages agencies and organisations to report serious data breaches to the OAIC. The potential benefits of notifying the OAIC, together with what it can and cannot do about a notification, are set out at page 32.</span><br />
<span style="color: #ff0000;">The following factors should be considered in deciding whether to report a breach to the OAIC:</span><br />
<span style="color: #ff0000;">•    any applicable legislation that may require notification</span><br />
<span style="color: #ff0000;">•    the type of the personal information involved and whether there is a real risk of serious harm arising from the breach, including non- monetary losses</span><br />
<span style="color: #ff0000;">•    whether a large number of people were affected by the breach</span><br />
<span style="color: #ff0000;">•    whether the information was fully recovered without further disclosure</span><br />
<span style="color: #ff0000;">•    whether the affected individuals have been notified, and</span><br />
<span style="color: #ff0000;">•    if there is a reasonable expectation that the OAIC may receive complaints or enquiries about the breach.</span><br />
<span style="color: #ff0000;">Police</span><br />
<span style="color: #ff0000;">If theft or other crime is suspected.</span><br />
<span style="color: #ff0000;">The Australian Federal Police should also be contacted if the breach may constitute a threat to national security.</span><br />
<span style="color: #ff0000;">Insurers or others</span><br />
<span style="color: #ff0000;">If required by contractual obligations.</span><br />
<span style="color: #ff0000;">Credit card companies, financial institutions or credit reporting agencies</span><br />
<span style="color: #ff0000;">If their assistance is necessary for contacting individuals or assisting with mitigating harm.</span><br />
<span style="color: #ff0000;">Professional or other regulatory bodies</span><br />
<span style="color: #ff0000;">If professional or regulatory standards require notification of these bodies. For example, other regulatory bodies, such as the Australian Securities and Investments Commission, the Australian Competition and Consumer Commission, and the Australian Communications and Media Authority have their own requirements in the event of a breach.</span><br />
<span style="color: #ff0000;">Other internal or external parties not already notified</span><br />
<span style="color: #ff0000;">Agencies and organisations should consider the potential impact that the breach and notification to individuals may have on third parties, and take action accordingly. For example, third parties may be affected if individuals cancel their credit cards, or if financial institutions issue new cards.</span><br />
<span style="color: #ff0000;">Consider:</span><br />
<span style="color: #ff0000;">•    third party contractors or other parties who may be affected</span><br />
<span style="color: #ff0000;">•    internal business units not previously advised of the breach, (for example, communications and media relations, senior management), or</span><br />
<span style="color: #ff0000;">•    union or other employee representatives.</span><br />
<span style="color: #ff0000;">Agencies that have a direct relationship with the information lost/stolen</span><br />
<span style="color: #ff0000;">Agencies and organisations should consider whether an incident compromises Australian Government agency identifiers such as TFNs or Medicare numbers. Notifying agencies such as the Australian Taxation Office for TFNs or Medicare Australia for Medicare card numbers may enable those agencies to provide appropriate information and assistance to affected individuals, and to take steps to protect the integrity of identifiers that may be used in identity theft or other fraud.</span><br />
<span style="color: #ff0000;">An example of notification of affected individuals</span><br />
<span style="color: #ff0000;">A bank customer, Margaret, receives mail from her bank. When she opens the envelope she notices that correspondence intended for another customer – Diego – has been included in the same envelope. The correspondence includes Diego’s name, address and account details.</span><br />
<span style="color: #ff0000;">Margaret contacts the bank to report the incident. The bank asks that she return the mail intended for Diego to them.</span><br />
<span style="color: #ff0000;">The bank then contacts Diego by phone to notify him of the breach, apologises to him, and advises that it will be investigating the matter to determine how the incident occurred and how to prevent it from reoccurring. The bank also offers to restore the security of Diego’s customer information by closing his existing account and opening a new account. In addition, the bank agrees to discuss with Diego any further action he considers should be taken to resolve the matter to his satisfaction and provides a contact name and number that Diego can use for any further enquiries.</span><br />
<span style="color: #ff0000;">The bank investigates the matter, including getting reports from the mailing house it uses to generate and despatch customer correspondence. While the mailing house has a number of compliance measures in place to manage the process flow, it appears that an isolated error on one production line meant that two customer statements were included in one envelope.</span><br />
<span style="color: #ff0000;">Following its assessment of the breach, the bank is satisfied that this is an isolated incident. However, it reviews the compliance measures the mailing house has in place to ensure they are sufficient to protect customer information from unintentional disclosure through production errors. The bank writes to Diego and informs him of the outcome of its investigation.</span><br />
<span style="color: #ff0000;">An example of notification of affected individuals and the OAIC</span><br />
<span style="color: #ff0000;">A memory stick containing the employee records of 200 employees of an Australian Government department goes missing. Extensive searches fail to locate the memory stick. The information contained in the employee records includes the names, salary information, TFNs, home addresses, phone numbers, birth dates and, in some cases, health information (including disability information) of current staff. The data on the memory stick is not encrypted.</span><br />
<span style="color: #ff0000;">Due to the sensitivity of the unencrypted information – not only the extent and variety of the information, but also the inclusion of health and disability information in the records – the department decides to notify employees of the breach. Anticipating that individuals may, at some point, complain, it also notifies the OAIC of the breach and explains what steps it is taking to resolve the situation.</span><br />
<span style="color: #ff0000;">A senior staff member emails the affected staff to notify them of the breach. In the notification she offers staff an apology for the breach, explains what types of information were involved, notes that the OAIC has been informed of the breach, and explains what steps have been put in place to prevent this type of a breach occurring in the future. The senior staff member also provides staff with details about how they can have a new TFN issued, and informs staff that they can make a complaint to the OAIC if they are unhappy with the steps the agency has taken.</span><br />
<span style="color: #ff0000;">An example of notification of affected individuals, OAIC and police</span><br />
<span style="color: #ff0000;">FunOnline, a popular online gaming service provider, sells access to its gaming network on a subscription basis. FunOnline collects and holds a range of personal information from its customers in order to create a user account and deal with subscription payments, including names, dates of birth, email addresses, postal addresses, and credit card numbers.</span><br />
<span style="color: #ff0000;">During a routine security check, FunOnline discovers through the use of intrusion detection software that the server containing its account information has been compromised, and the account information of over 500,000 customers has been accessed without authorisation and, most likely, copied.</span><br />
<span style="color: #ff0000;">FunOnline takes immediate steps to contain the breach (including temporarily shutting down its servers) and notifies the OAIC. Based on its belief that criminal activity has been involved, FunOnline also contacts the police.</span><br />
<span style="color: #ff0000;">The police investigate, during which time they ask FunOnline not to release any information about the breach. FunOnline uses this period to engage a technology security firm to enhance the security of its accounts systems.</span><br />
<span style="color: #ff0000;">As soon as the police are satisfied it will not compromise their investigation, FunOnline notifies the affected customers. FunOnline explains exactly what happened and when, that the police have been investigating, and that the OAIC has been notified. FunOnline also suggests that affected customers monitor their credit card accounts and contact their financial institution if they have any concerns.</span><br />
<span style="color: #ff0000;">An example of notification of affected individuals, OAIC and police</span><br />
<span style="color: #ff0000;">A small business that rents out household items keeps credit reports of rental applicants on site in hard copy. The reports have been stamped ‘out of date’.</span><br />
<span style="color: #ff0000;">A box of the reports goes missing. The small business is unable to locate the reports and fears they have been stolen. The credit reports include the name, current or last known address and two previous addresses, driver’s licence number, date of birth and employer details.</span><br />
<span style="color: #ff0000;">The small business believes that missing reports may have been stolen. Accordingly, the small business contacts the police.</span><br />
<span style="color: #ff0000;">Due to the types of information that have been lost (which, in combination, may create a serious risk of identity theft) the small business judges that the breach is serious enough to warrant notification of rental applicants and the OAIC.</span><br />
<span style="color: #ff0000;">The small business knows that the credit reports relate to applicants from the last two months. It decides to notify individuals who have applied for rentals during this period that information contained in their credit report may have been compromised. In the notification, the small business advises individuals to monitor their credit reports for suspicious activity, and commits to more secure storage of credit reports in the future.</span><br />
<span style="color: #ff0000;">To meet that commitment, the small business reviews its physical security measures. The small business implements changes to the security measures including storing reports in a locked cabinet, and ensuring that staff understand the importance of handling the reports appropriately.</span><br />
<span style="color: #ff0000;">An example of no notification</span><br />
<span style="color: #ff0000;">In contravention of policy, a staff member at an Australian Government department takes a memory stick out of the office so that he can work on some files at home. At some point between leaving work and arriving at home, the staff member loses the memory stick. He reports it missing the next day.</span><br />
<span style="color: #ff0000;">Despite the assistance of the transport authority, the department is unable to locate the memory stick. The department conducts a preliminary assessment of the breach, then evaluates the risks associated with the loss of the memory stick.</span><br />
<span style="color: #ff0000;">First, the department assesses what (if any) personal information may have been lost. While the memory stick did not contain client records, it did contain the names, phone numbers and business email addresses of about 120 external stakeholders involved in a project led by the department, along with email correspondence from these stakeholders.</span><br />
<span style="color: #ff0000;">Further evaluation reveals that data held on the stick is protected by high level encryption technology. The department consults with its IT team to confirm that the encryption on the memory stick is adequately secure and, following confirmation by that team, decides that notification of individuals whose personal information was held on the memory stick is unnecessary.</span></p>
<p><span style="color: #ff0000;">An example of no notification</span><br />
<span style="color: #ff0000;">A pathologist receives a phone call from a GP, Dr Jones, with whom he has a professional relationship. Dr Jones advises the pathologist that she has just received a fax from the pathologist’s office disclosing test results for an individual that is not her patient. When the pathologist checks his records, he discovers that the test results were intended for a different GP.</span><br />
<span style="color: #ff0000;">The pathologist asks Dr Jones to destroy the test results and considers whether notification of the patient is warranted.</span><br />
<span style="color: #ff0000;">The pathologist recognises that Dr Jones is bound by ethical duties, and is familiar with principles of confidentiality and privacy. Accordingly, the pathologist is confident that Dr Jones can be relied upon not to mishandle the information contained in the test results and the disclosure is unlikely to pose a serious risk to the privacy of the patient.</span><br />
<span style="color: #ff0000;">The pathologist decides not to notify the patient, but he reviews his practices to avoid a similar breach occurring in the future. The pathologist ensures that administrative staff are trained to exercise care in checking that fax numbers are accurate. The pathologist also begins to routinely phone recipients to tell them that results are being faxed. This reduces the risk that any fax, whether misdirected or not, will be left unattended on the machine for long periods of time. It also allows the intended recipient to let the pathologist know if a fax was not received.</span><br />
<span style="color: #ff0000;">Step 4: Prevent future breaches</span><br />
<span style="color: #ff0000;">Once the immediate steps are taken to mitigate the risks associated with the breach, agencies and organisations need to take the time to investigate the cause and consider whether to review the existing prevention plan or, if there is no plan in place, develop one.</span><br />
<span style="color: #ff0000;">A prevention plan should suggest actions that are proportionate to the significance of the breach, and whether it was a systemic breach or an isolated event.</span><br />
<span style="color: #ff0000;">This plan may include:</span><br />
<span style="color: #ff0000;">•    a security audit of both physical and technical security</span><br />
<span style="color: #ff0000;">•    a review of policies and procedures and any changes to reflect the lessons learned from the investigation, and regular reviews after that (for example, security, record retention and collection policies)</span><br />
<span style="color: #ff0000;">•    a review of employee selection and training practices, and</span><br />
<span style="color: #ff0000;">•    a review of service delivery partners (for example, offsite data storage providers).</span><br />
<span style="color: #ff0000;">The plan may include a requirement for an audit at the end of the process to ensure that the prevention plan has been fully implemented.</span><br />
<span style="color: #ff0000;">Suggested preparations for responding to a data breach include the following:</span><br />
<span style="color: #ff0000;">•    Develop a breach response plan – While the aim should be to prevent breaches, having a breach response plan may assist in ensuring a quick response to breaches, and greater potential for mitigating harm.</span><br />
<span style="color: #ff0000;">The plan could set out contact details for appropriate staff to be notified, clarify the roles and responsibilities of staff, and document processes which will assist the agency or organisation to contain breaches, coordinate investigations and breach notifications, and cooperate with external investigations.</span><br />
<span style="color: #ff0000;">•    Establish a breach response team – Depending on the size of the agency or organisation, consider establishing a management team responsible for responding to personal information breaches. The team could include representatives from relevant areas that may be needed to investigate an incident, conduct risk assessments and make appropriate decisions (for example, privacy, senior management, IT, public affairs, legal).</span><br />
<span style="color: #ff0000;">The team could convene periodically to review the breach response plan, discuss new risks and practices, or consider incidents that have occurred in other agencies or organisations.</span><br />
<span style="color: #ff0000;">It may also be helpful to conduct ‘scenario’ training with team members to allow them to develop a feel for an actual breach response. Key issues to test in such training would be identifying when notification is an appropriate response, and the timing of that notification.</span><br />
<span style="color: #ff0000;">•    Identify relevant service providers – Consider researching and identifying external service providers that could assist in the event of a data breach, such as forensics firms, public relations firms, call center providers and notification delivery services. The contact details of the service providers could be set out in the breach response plan. This could save time and assist in responding efficiently and effectively to a data breach.</span><br />
<span style="color: #ff0000;">•    Enhance internal communication and training – Ensure staff have been trained to respond to data breaches effectively, and are aware of the relevant policies and procedures. Staff should understand how to identify and report a potential data breach to the appropriate manager(s).</span><br />
<span style="color: #ff0000;">•    Enhance transparency – Include information in the agency or organisation’s privacy policy about how it responds to breaches. This could include letting individuals know when and how they are likely to be notified in the event of a breach, and whether the agency or organisation would ask them to verify any contact details or other information.</span><br />
<span style="color: #ff0000;">This would make clear to individuals how their personal contact information is used in the event of a breach, and may also assist individuals to avoid ‘phishing’ scam emails involving fake breach notifications and requests that recipients verify their account details, passwords and other personal information.</span></p>
<p><span style="color: #ff0000;">Tips for preventing future breaches</span><br />
<span style="color: #ff0000;">Some of the measures that have resulted from real-life data breaches include:</span><br />
<span style="color: #ff0000;">•    the creation of a senior position in the agency or organisation with specific responsibility for data security</span><br />
<span style="color: #ff0000;">•    the institution of a ban on bulk transfers of data onto removable media without adequate security protection (such as encryption)</span><br />
<span style="color: #ff0000;">•    disabling the download function on computers in use across the agency or organisation, to prevent the download of data onto removable media</span><br />
<span style="color: #ff0000;">•    the institution of a ban on the removal of unencrypted laptops and other portable devices from government buildings</span><br />
<span style="color: #ff0000;">•    the institution of a policy requiring the erasing of hard disk drives and other digital storage media (including digital storage integrated in other devices such as multifunction printers or photocopiers) prior to being disposed of or returned to the equipment lessor</span><br />
<span style="color: #ff0000;">•    the use of secure couriers and appropriate tamper proof packaging when transporting bulk data, and</span><br />
<span style="color: #ff0000;">•    the upgrading of passwords (for example, an increase from 6 to 8 characters, including numbers and punctuation), and the institution of a policy requiring passwords to be changed every 8 weeks.</span><br />
<span style="color: #ff0000;">Technological advances allow increasingly larger amounts of information to be stored on increasingly smaller devices. This creates a greater risk of data breaches due to the size and portability of these devices, which can be lost or misplaced more easily when taken outside of the office. There is also a risk of theft because of the value of the devices themselves (regardless of the information they contain).</span><br />
<span style="color: #ff0000;">Preventative steps that agencies and organisations can take include conducting risk assessments to determine:</span><br />
<span style="color: #ff0000;">•    whether and in what circumstances (and by which staff) personal information is permitted to be removed from the office, whether it is removed in electronic form on DVDs, USB storage devices such as memory sticks, portable computing devices such as laptops, or in paper files</span><br />
<span style="color: #ff0000;">•    whether their stored data, both in the office and when removed from the office, requires security measures such as encryption and password protection.</span></p>
<p><span style="color: #ff0000;">Responding to a large scale data breach: an illustration of how to work through the four key steps</span><br />
<span style="color: #ff0000;">A health insurer discovers that a backup tape containing customer details and other data has been lost. The information on the tape was not encrypted. The insurer routinely creates two copies of each backup tape. One tape is stored on site; the other tape is stored securely off-site. The lost backup tape was the copy stored on-site and included data collected during the previous month.</span><br />
<span style="color: #ff0000;">Step 1 – Containing the breach and the preliminary assessment</span><br />
<span style="color: #ff0000;">The Chief Executive Officer nominates the Risk and Compliance Manager to lead an investigation. The Risk Manager’s initial assessment suggests that the tapes were lost when the insurer’s IT department moved some records between floors.</span><br />
<span style="color: #ff0000;">The Risk Manager interviews the staff involved in moving the records, reviews the relocation plan and arranges for the building to be searched. Despite these efforts, the tape cannot be found.</span><br />
<span style="color: #ff0000;">The Risk Manager moves on to assessing the breach. She thinks that the breach was most likely the result of poor practices and sloppy handling. However, while there is no evidence that the tape was stolen, theft cannot be ruled out. The type of information that has been lost and how it could be used is an important part of the risk assessment.</span><br />
<span style="color: #ff0000;">Step 2 – Evaluate the risks associated with the breach</span><br />
<span style="color: #ff0000;">The evaluation shows that the information on the tapes falls into 3 main groups:</span></p>
<table style="color: #ff0000;">
<thead>
<tr>
<th></th>
<th>Group 1</th>
<th>Group 2</th>
<th>Group 3</th>
</tr>
</thead>
<tbody>
<tr>
<td>Type of Information</td>
<td>Enquiry information collected via the website to provide quotes. Only included state, date of birth and gender and was retained for statistical marketing purposes.</td>
<td>Application information, including full name, address, contact details, and date of birth. Also includes Medicare card number, and credit card details.</td>
<td>Claims information, including full name, member number, contact details, and clinical information about the treatment being claimed.</td>
</tr>
<tr>
<td>Identity apparent or ascertainable?</td>
<td>No – the information is aggregated statistical data only.</td>
<td>Yes.</td>
<td>Yes.</td>
</tr>
<tr>
<td>Sensitivity</td>
<td>None.</td>
<td>Substantial identifying information, Medicare card number and financial details.</td>
<td>Substantial identifying information, as well as information about the individual’s health condition.</td>
</tr>
<tr>
<td>How could the information be used?</td>
<td>The information is likely to be of little or no use other than for statistical purposes.</td>
<td>The information could be used for identity theft and financial fraud. There is a lesser possibility that it could be used to attempt fraud against the Medicare and PBS systems.</td>
<td>The information could be used for identity theft, as well as being potentially embarrassing or stigmatising to the individual.</td>
</tr>
<tr>
<td>Source</td>
<td colspan="3">Probably unintentional and accidental. But theft is also a possibility. As the source of the breach is unclear, and given the sensitivity of much of the information, the insurer decides to assume a worst case scenario.</td>
</tr>
<tr>
<td>Severity</td>
<td colspan="3">The information was not encrypted or recovered. The large number of records involved and the sensitivity of many of the records (health and financial information, as well as identifying information) make this a serious breach.</td>
</tr>
<tr>
<td>A real risk of serious harm?</td>
<td>No.</td>
<td>Yes – the information could be used to cause serious harm to individuals. This could include identity theft, financial fraud, and fraud against the Medicare and PBS systems. Possibly health fraud.</td>
<td>Yes – if misused, the identification information could be used for identity theft. Serious harm could also arise from misuse of the health information, including stigma, embarrassment, discrimination or disadvantage or, in extreme cases, blackmail.</td>
</tr>
<tr>
<td>Current contact details held?</td>
<td>No.</td>
<td>Yes, from current member list and external sources.</td>
<td>Yes, from current member list and external sources.</td>
</tr>
</tbody>
</table>
<p><span style="color: #ff0000;">The evaluation shows that there is a real risk of serious harm for Group 2 and 3 individuals, and that the information in Group 1 is not personal information.</span><br />
<span style="color: #ff0000;">Step 3 – Notification</span><br />
<span style="color: #ff0000;">The evaluation indicates that Group 2 and 3 individuals should be notified about the breach, and that there is a real risk of serious harm to their interests. If notified, individuals could take steps to mitigate the risks of identity theft and financial fraud. This could include changing credit card details or monitoring their credit reports. While there may be limited steps that can be taken to mitigate the risks of their health information being mishandled, individuals should still be informed given the heightened sensitivities of this information.</span><br />
<span style="color: #ff0000;">The Risk Manager also considered whether notification would cause harm by leading to unfounded concern or alarm.</span></p>
<p><span style="color: #ff0000;">Taking all these factors and the evaluation into account, it is decided that individuals in Groups 2 and 3 should be notified. Separate letters are drawn up for each group, outlining the general types of information that are affected.</span><br />
<span style="color: #ff0000;">The Risk Manager also arranges for the notification letters to include:</span><br />
<span style="color: #ff0000;">•    a general description of the type of information that has been lost for each group</span><br />
<span style="color: #ff0000;">•    what individuals can do to mitigate the harm caused by the breach, and</span><br />
<span style="color: #ff0000;">•    who they can call to get further information or assistance.</span><br />
<span style="color: #ff0000;">For example, the notification to individuals in Group 2 tells them that the information they provided on their application form, including their Medicare number and credit card details, may have been compromised. If an individual is concerned about either, they are advised to contact Medicare Australia or their financial institution to change their registration and account details. Group 3 individuals are told that a record containing their claims information has been lost, including the clinical details held on their file.</span><br />
<span style="color: #ff0000;">Both letters explain that there is no evidence of theft, and that the company is notifying the individuals as a precautionary measure only.</span><br />
<span style="color: #ff0000;">The notifications also include contact details for the insurer’s customer care area and the OAIC, and suggest that individuals should check their credit card account statements and credit reports for any unusual activity.</span><br />
<span style="color: #ff0000;">The Risk Manager also notes that some claimants had an authorised representative acting for them. These records are separately assessed to determine whether notification should be made to the authorised representative rather than the member.</span><br />
<span style="color: #ff0000;">Staff in the insurer’s customer care area are briefed about the breach and given instructions about how to help customers responding to a notification.</span><br />
<span style="color: #ff0000;">Given the large number of individuals affected, and the sensitive nature of the information, the insurer notifies the OAIC. The insurer explains what steps it has taken to address the breach. It also advises the OAIC of the contact details for the insurer’s customer care area, so that customers contacting the OAIC can be redirected to the insurer if appropriate.</span><br />
<span style="color: #ff0000;">Step 4 – Preventing future breaches</span><br />
<span style="color: #ff0000;">Once immediate steps have been taken to respond to the breach, the Chief Information Officer (CIO) carries out an audit of the security policies for storage and transfer of backup tapes and reviews the access of staff in the area. The CIO also makes some amendments to the compliance program to ensure non-compliance with IT Security policies will be detected and reported in the future.</span></p>
<p><span style="color: #ff0000;">Reporting a data breach to the Office of the Australian Information Commissioner</span><br />
<span style="color: #ff0000;">Agencies and organisations are strongly encouraged to notify the OAIC of a data breach where the circumstances indicate that it is appropriate to do so, as set out in Step 3(d). The potential benefits of notifying the OAIC of a data breach may include the following:</span><br />
<span style="color: #ff0000;">•    An agency or organisation’s decision to notify the OAIC on its own initiative is likely to be viewed by the public as a positive action. It demonstrates to clients and the public that the agency or organisation views the protection of personal information as an important and serious matter, and may therefore enhance client/public confidence in the agency or organisation.</span><br />
<span style="color: #ff0000;">•    It can assist the OAIC in responding to enquiries made by the public and managing any complaints that may be received as a result of the breach. If the agency or organisation provides the OAIC with details of the matter and any action taken to address it, and prevents future occurrences, then, based on that information, any complaints received may be able to be dealt with more quickly. In those circumstances, consideration will need to be given to whether an individual complainant can demonstrate that they have suffered loss or damage, and whether additional resolution is required. Alternatively, the OAIC may consider that the steps taken have adequately dealt with the matter.</span><br />
<span style="color: #ff0000;">Reporting a breach does not preclude the OAIC from receiving complaints and conducting an investigation of the incident (whether in response to a complaint or on the Commissioner’s ‘own motion’).</span><br />
<span style="color: #ff0000;">If the agency or organisation decides to report a data breach to the OAIC, the following provides an indication of what the OAIC can and cannot do.</span><br />
<span style="color: #ff0000;">What the OAIC can do</span><br />
<span style="color: #ff0000;">•    Provide general information about obligations under the Privacy Act, factors to consider in responding to a data breach, and steps to take to prevent similar future incidents.</span><br />
<span style="color: #ff0000;">•    Respond to community enquiries about the breach and explain possible steps that individuals can take to protect their personal information.</span><br />
<span style="color: #ff0000;">What the OAIC cannot do</span><br />
<span style="color: #ff0000;">•    Provide detailed advice about how to respond to a breach, or approve a particular proposed course of action. Agencies and organisations will need to seek their own legal or other specialist advice.</span><br />
<span style="color: #ff0000;">•    Agree not to investigate (either using the Commissioner’s own motion investigation powers, or if a complaint is made to the OAIC) if the OAIC is notified of a breach.</span><br />
<span style="color: #ff0000;">When the OAIC receives a complaint about an alleged breach of the Act, in most cases, the OAIC must investigate. As set out above, the OAIC may also investigate an act or practice in the absence of a complaint on the Commissioner’s ‘own motion’. The OAIC uses risk assessment criteria to determine whether to commence an own motion investigation. Those criteria include:</span><br />
<span style="color: #ff0000;">•    whether a large number of people have been, or are likely to be affected, and the consequences for those individuals</span><br />
<span style="color: #ff0000;">•    the sensitivity of the personal information involved</span><br />
<span style="color: #ff0000;">•    the progress of an agency or organisation’s own investigation into the matter</span><br />
<span style="color: #ff0000;">•    the likelihood that the acts or practices involve systemic or widespread interferences with privacy</span><br />
<span style="color: #ff0000;">•    what actions have been taken to minimise the harm to individuals arising from the breach, such as notifying them and/or offering to re-secure their information, and</span><br />
<span style="color: #ff0000;">•    whether another body, such as the police, is investigating.</span><br />
<span style="color: #ff0000;">These factors are similar to those included in the risk assessment criteria for responding to a data breach.</span><br />
<span style="color: #ff0000;">What to put in a notification to the OAIC</span><br />
<span style="color: #ff0000;">Any notice provided to the OAIC should contain similar content to that provided to individuals (see page 21). It should not include personal information about the affected individuals. It may be appropriate to include:</span><br />
<span style="color: #ff0000;">•    a description of the breach </span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">•    the type of personal information involved in the breach </span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">•    what response the agency or organisation has made to the breach </span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">•    what assistance has been offered to affected individuals </span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">•    the name and contact details of the appropriate contact person, and </span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">•    whether the breach has been notified to other external contact(s).</span><br />
<span style="color: #ff0000;">How to contact the OAIC</span><br />
<span style="color: #ff0000;">Telephone: 1300 363 992 (local call cost, but calls from mobile and payphones may incur higher charges)</span><br />
<span style="color: #ff0000;">TTY: 1800 620 241 (this number is dedicated for the hearing impaired only, no voice calls)</span><br />
<span style="color: #ff0000;">Post: GPO Box 5218, Sydney NSW 2001 or GPO Box 2999, Canberra ACT 2601</span><br />
<span style="color: #ff0000;">Facsimile: 02 9284 9666</span><br />
<span style="color: #ff0000;">Enquiries: enquiries@oaic.gov.au</span><br />
<span style="color: #ff0000;">Website: www.oaic.gov.au</span></p>
<p><span style="color: #ff0000;">Data breach response process</span><br />
<span style="color: #ff0000;">MAINTAIN INFORMATION SECURITY—NPP4 AND IPP4</span><br />
<span style="color: #ff0000;">Protect information from misuse, loss and unauthorised access, modification or disclosure.</span><br />
<span style="color: #ff0000;">To comply with their obligations under the NPPs and IPPs, agencies and organisations should consider:</span><br />
<span style="color: #ff0000;">•    the sensitivity of the personal information</span><br />
<span style="color: #ff0000;">•    the harm likely to flow from a security breach</span><br />
<span style="color: #ff0000;">•    developing a compliance and monitoring plan, and</span><br />
<span style="color: #ff0000;">•    regularly reviewing their information security measures.</span><br />
<span style="color: #ff0000;">DATA BREACH OCCURS</span><br />
<span style="color: #ff0000;">Personal information is lost or subjected to unauthorised access, modification, use or disclosure, or other misuse.</span><br />
<span style="color: #ff0000;">KEY STEPS IN RESPONDING TO A DATA BREACH</span><br />
<span style="color: #ff0000;">Step 1 – Contain the breach and make a preliminary assessment</span><br />
<span style="color: #ff0000;">•    Take immediate steps to contain breach</span><br />
<span style="color: #ff0000;">•    Designate person/team to coordinate response</span><br />
<span style="color: #ff0000;">Step 2 – Evaluate the risks for individuals associated with the breach</span><br />
<span style="color: #ff0000;">•    Consider what personal information is involved</span><br />
<span style="color: #ff0000;">•    Determine whether the context of the information is important</span><br />
<span style="color: #ff0000;">•    Establish the cause and extent of the breach</span><br />
<span style="color: #ff0000;">•    Identify what is the risk of harm</span><br />
<span style="color: #ff0000;">Step 3 – Consider breach notification</span><br />
<span style="color: #ff0000;">•    Risk analysis on a case-by-case basis</span><br />
<span style="color: #ff0000;">•    Not all breaches necessarily warrant notification</span><br />
<span style="color: #ff0000;">SHOULD AFFECTED INDIVIDUALS BE NOTIFIED?</span><br />
<span style="color: #ff0000;">Where there is a real risk of serious harm, notification may enable individuals to take steps to avoid or mitigate harm. Consider:</span><br />
<span style="color: #ff0000;">•    legal/contractual obligations to notify</span><br />
<span style="color: #ff0000;">•    risk of harm to individuals (identity crime, physical harm, humiliation, damage to reputation, loss of business or employment opportunities)</span><br />
<span style="color: #ff0000;">Process of notification</span><br />
<span style="color: #ff0000;">•    When? – As soon as possible</span><br />
<span style="color: #ff0000;">•    How? – Direct contact preferred (mail/phone)</span><br />
<span style="color: #ff0000;">•    Who? – Entity with the direct relationship with the affected individual</span><br />
<span style="color: #ff0000;">• What? – Description of breach, type of personal information involved, steps to help mitigate, contact details for information and assistance.</span><br />
<span style="color: #ff0000;">SHOULD OTHERS BE NOTIFIED?</span><br />
<span style="color: #ff0000;">•    Office of the Australian Information Commissioner</span><br />
<span style="color: #ff0000;">•    Police/law enforcement</span><br />
<span style="color: #ff0000;">•    Professional or regulatory bodies</span><br />
<span style="color: #ff0000;">•    Other agencies or organisations affected by the breach or contractually required to notify</span><br />
<span style="color: #ff0000;">Step 4 – Review the incident and take action to prevent future breaches</span><br />
<span style="color: #ff0000;">•    Fully investigate the cause of the breach</span><br />
<span style="color: #ff0000;">•    Consider developing a prevention plan</span><br />
<span style="color: #ff0000;">•    Option of audit to ensure plan implemented</span><br />
<span style="color: #ff0000;">•    Update security/response plan</span><br />
<span style="color: #ff0000;">•    Make appropriate changes to policies and procedures</span><br />
<span style="color: #ff0000;">•    Revise staff training practices</span></p>
<p><span style="color: #ff0000;">Appendix A – IPP 4 and NPP 4</span><br />
<span style="color: #ff0000;">Information Privacy Principle 4</span><br />
<span style="color: #ff0000;">Storage and security of personal information</span><br />
<span style="color: #ff0000;">A record keeper who has possession or control of a record that contains personal information shall ensure:</span><br />
<span style="color: #ff0000;">(a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and</span><br />
<span style="color: #ff0000;">(b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonable within the power of the record keeper is done to prevent unauthorised use or disclosure of information contained in the record.</span><br />
<span style="color: #ff0000;">National Privacy Principle 4</span><br />
<span style="color: #ff0000;">Data security</span><br />
<span style="color: #ff0000;">4.1    An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.</span><br />
<span style="color: #ff0000;">4.2    An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.</span></p>
<p style="text-align: justify; padding-left: 30px;">&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/05/12/office-of-australian-information-commissioner-releases-data-breach-notification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zhou v Kousal &amp; Ors [2012] VSC 187 (10 May 2012): Unconscionable advantage taken of another, equity to set aside sale, compulsory sale by Sheriff, special disability for the purposes of the equitable doctrine, duties of Sheriff compulsorily selling property under Division 5 of the Sheriff Act 2009 (Vic).</title>
		<link>http://www.peteraclarke.com.au/2012/05/11/zhou-v-kousal-ors-2012-vsc-187-10-may-2012-unconscionable-advantage-taken-of-another-equity-to-set-aside-sale-compulsory-sale-by-sheriff-special-disability-for-the-purposes-of-the-equitable/</link>
		<comments>http://www.peteraclarke.com.au/2012/05/11/zhou-v-kousal-ors-2012-vsc-187-10-may-2012-unconscionable-advantage-taken-of-another-equity-to-set-aside-sale-compulsory-sale-by-sheriff-special-disability-for-the-purposes-of-the-equitable/#comments</comments>
		<pubDate>Fri, 11 May 2012 08:45:48 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=1987</guid>
		<description><![CDATA[Yesterday in Zhou v Kousal &#38; Ors [2012] VSC 187 Vickery J considered the equitable principles relating to people with disabilities arising out of the Amadio cases and the responsibilities of the Sheriff in conducting distress sales. It has received some media coverage (here). FACTS The facts are quite extraordinary. The Plaintiff, Zhou, the registered [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Yesterday in <a href="http://www.austlii.edu.au/au/cases/vic/VSC/2012/187.html">Zhou v Kousal &amp; Ors [2012] VSC 187 </a>Vickery J considered the equitable principles relating to people with disabilities arising out of the <em>Amadio</em> cases and the responsibilities of the Sheriff in conducting distress sales. It has received some media coverage (<a href="http://theage.domain.com.au/court-knocks-out-illusory-1000-home-sale-20120510-1ye7a.html">here</a>).</p>
<h1><span style="color: #0000ff;">FACTS</span></h1>
<p style="text-align: justify;">The facts are quite extraordinary. The Plaintiff, Zhou, the registered proprietor of a property in Braybrook <span style="color: #008000;">[2]</span>, owed the fifth defendant, Mr Wu, a judgement debt of over $100,000. The property was subject to a mortgage in favour of Suncorp and a charge for Council rates. Pursuant to a warrant of seizure and sale the Sheriff undertook two auctions of the property. Prior to the first auction (see generally <span style="color: #008000;">[23]</span> &#8211; <span style="color: #008000;">[31]</span>) the Valuer General valued the property at $630,000 following a kerbside valuation and provided a copy of the valuation to the Sheriff. At the time of this auction Zhou had putative equity in the sum of $171,615.76. This sum became the Sheriff&#8217;s reserve at auction <span style="color: #008000;">[26]</span>. No bids were received at the first auction and the property was passed in <span style="color: #008000;">[27]</span>. The Sheriff then applied to the Supreme Court which, <em>per</em> Muckhtar AsJ, permitted the Sheriff to sell the property without a reserve <span style="color: #008000;">[28]</span>, subject to the following orders <span style="color: #008000;">[29]</span>:</p>
<ol>
<li><span style="color: #ff0000;">Subject to paragraph 3 there be leave to the Sheriff to conduct a sale of the property known as 2 Wirraway Avenue, Braybrook (in exercise of powers under a warrant of seizure and sale filed 9 November 2009) without a reserve price <em><strong>provided that such leave does not thereby derogate from, or relieve the Sheriff of a duty at law to the owner of the land when exercising a power of sale</strong></em>.</span></li>
</ol>
<blockquote>
<blockquote><p><span style="color: #ff0000;">&#8230;&#8230;&#8230;&#8230;..</span></p></blockquote>
</blockquote>
<p style="padding-left: 30px;"><span style="color: #ff0000;">3.There be leave to the owner of the property to notify the Plaintiff of an intention to discharge the order in paragraph 1, and apply to this Court for a discharge of that order. Unless such an application is filed and served within 10 days after the date of the service of this order, the order will take effect upon the Plaintiff’s solicitor giving to the Sheriff evidence of service of this order and the absence of any application to discharge it.</span></p>
<p style="text-align: right;">(Emphasis added)</p>
<p style="text-align: justify;">At the time of the second auction<span id="more-1987"></span> (see <span style="color: #008000;">[32]</span> &#8211; <span style="color: #008000;">[40]</span> generally) the market value of the property was accepted as being $630,000, with the sum of $457,345.50 outstanding on the mortgage and $7,691.10 owing as council rates. Zhou had equity in the sum of $164,963.40 <span style="color: #008000;">[33]</span>. The Sheriff offered the property for sale without a reserve price. The First Defendant, Mr Kousal (&#8220;Kousal&#8221;), described as an experienced purchaser of property at public auctions conducted by the Sheriff <span style="color: #008000;">[37]</span>, made the final and successful bid of $1,000. The property was knocked down to Kousal. Soon after purchasing the property Kousal wrote to Zhou asking what his intentions were regarding remaining in the property, and he later spoke to him through an interpreter. Kousal commenced legal proceedings (<span style="color: #008000;">[42]</span> &#8211; <span style="color: #008000;">[43]</span>) against Suncorp seeking orders delivering up the duplicate certificate of title of the property so that he could register his interest in the property with the Registrar of Titles. Zhou sought and obtained an injunction restraining the Registrar of Titles from registering any transfer of the property <span style="color: #008000;">[44]</span>.</p>
<p style="text-align: justify;">Zhou alleged the Sheriff owed him a duty to act reasonably in his interests in executing a warrant and obtain a fair price for the interest being sold under that warrant <span style="color: #008000;">[45]</span>. He alleged that Kousal  knew or ought to have known that a bid of $1,000 was illusory, unfair, unreasonable and as a consequence the purported sale was unconscionable in equity and ought be set aside <span style="color: #008000;">[46]</span>.  Interestingly the court, (at <span style="color: #008000;">[48]</span>) raised with Zhou&#8217;s counsel whether a writ of certiorari was also arguable on the grounds of jurisdictional error on the part of the Sheriff. Curiously this option (and broad hint) was not adopted.</p>
<h1><span style="color: #0000ff;">DECISION</span></h1>
<h2><span style="color: #3366ff;">Claim against the purchaser (Kousal)</span></h2>
<p>His Honour cited the equitable principles underpinning the claim against Kousal (<span style="color: #008000;">[52]</span> &#8211; <span style="color: #008000;">[58]</span>), stating:</p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">&#8230;the present litigation was conducted on the well established equitable principle that a transaction may be set aside where unconscientious advantage was alleged to have been taken by one party of the disabling condition or circumstances of the other.  In such cases, equity may intervene either because the will of the complainant is overborne so that it is not independent and voluntary or when advantage is taken of an innocent party who is unable to make a worthwhile judgment as to what is in his or her best interests.</span></p>
<p style="text-align: justify;">The court did not accept that Zhou&#8217;s lack of command of English was such as to constitute a special disability. The evidence pointed to Zhou having been able to function adequately as an owner builder over a 10 year period (see <span style="color: #008000;">[61]</span> – <span style="color: #008000;">[64]</span>). It was relevant, consistent with authority, that there was no evidence that Kousal knew of the alleged disability. Prior to the second auction Kousal did not know Zhou, nor had he met him <span style="color: #008000;">[64]</span>.</p>
<p>Zhou&#8217;s counsel framed the disability in terms of the following:</p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">&#8230;.by reason of the sale by the Sheriff being of a compulsory nature under the statute, and conducted under the provisions of the </span><a href="http://www.austlii.edu.au/au/legis/vic/consol_act/sa200985/"><span style="color: #ff0000;">Sheriff Act</span></a><span style="color: #ff0000;">, and being further conducted pursuant to the order of Mukhtar AsJ, which permitted, amongst other things, the sale to be conduced without a reserve, Zhou was placed under a special disability in relation to the sale of his property.</span></p>
<p>The court identified the two broad categories of special disadvantage the purposes of the debt equitable doctrine as <span style="color: #008000;">[67]</span>:</p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">(a)	special disadvantage which is constitutional: that is, deriving from age, illness, poverty, inexperience, lack of education or some other such circumstances peculiar to the complainant;  or </span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">(b)	special disadvantage which is situational: that is, deriving from particular features of a relationship between actors in the transaction such as emotional dependence of one on the other.</span></p>
<p style="text-align: justify;">The principles are not fixed or rigid (<span style="color: #008000;">[68]</span> – <span style="color: #008000;">[70]</span>) and the kinds of special disability which may invoke the principles can take a wide variety of forms <span style="color: #008000;">[71]</span>. The court found that Zhou suffered from neither a constitutional nor a situational disability <span style="color: #008000;">[73]</span> and that any special disadvantage that applied to him applied equally to all who fall within the Sheriff&#8217;s jurisdiction (<span style="color: #008000;">[75]</span> – <span style="color: #008000;">[76]</span>). As such there was nothing special about this disability for the purposes of the equitable doctrine. Accordingly Kousal had a legitimate expectation that the sale conducted by the Sheriff was according to law, and he was entitled to make the bid he did even if it was unreasonable.</p>
<h2><span style="color: #3366ff;">Claim against the sheriff</span></h2>
<p style="text-align: justify;">The court undertook a detailed analysis of the history and operation of writs of fi fa, which empowered, at common law, the Sheriff to undertake a sale of seized properties (<span style="color: #008000;">[82]</span> – <span style="color: #008000;">[113]</span>). His Honour noted that, at common law:</p>
<ul>
<li>there is a duty in selling property to act reasonably in the interests of both the judgment creditor and debtor respectively in order to obtain a fair price <span style="color: #008000;">[93]</span></li>
<li>a sale not properly conducted was not a real sale <span style="color: #008000;">[95]</span></li>
</ul>
<p style="text-align: justify;">Under section 24 of the Sheriff Act the Sheriff is empowered to sell properties seized in accordance with the relevant court and enforcement legislation <span style="color: #008000;">[116]</span>. His Honour found, at <span style="color: #008000;">[117]</span>, that the common law duties continue to apply after the operation of the Sheriff Act, being:</p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">&#8230;important protections for both judgment creditors and judgment debtors alike.  <em><strong>They should not be swept away except by clear words which abrogate the duties or which seek to protect the Sheriff from suit, provided he observes the statutory requirements.</strong></em></span></p>
<p style="text-align: right;">(Emphasis added)</p>
<p style="text-align: justify;">Vickery J found that the immunity from suit granted to the Sheriff under section 25 applies only to sales of property conducted validly, where all statutory requirements have been met (<span style="color: #008000;">[118]</span> &#8211; <span style="color: #008000;">[119]</span>). Where a sale is conducted without the statutory requirements having been met, the immunities will not apply <span style="color: #008000;">[120]</span>. The immunity would not in any event be relevant, because an order setting aside a sale conducted by the Sheriff will not, in the usual case, give rise to any liability being imposed on the Sheriff in respect of the sale of the property <span style="color: #008000;">[121]</span>.</p>
<p style="text-align: justify;">The power of the Sheriff to sell the property is limited by the operation of section 24 <span style="color: #008000;">[122]</span>, whereby property can only be sold:</p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">(a)	if the transaction can in truth be regarded as a “sale” and not an illusory sale founded upon a price which is so low that it could be said that there was no sale at all, or that it was not a real sale or that it was in fact illusory<strong>;</strong></span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">(b)	if the sale is undertaken in accordance with the relevant court and enforcement legislation, or a warrant that authorises the seizure of property;  and</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">(c)	if the sale is undertaken for the purpose of applying the proceeds of the sale to the payment of a payable amount.</span></p>
<p>The Sheriff is also bound to apply the principles of common law in the conduct of a valid sale <span style="color: #008000;">[123]</span>. Those principles are <span style="color: #008000;">[124]</span>:</p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">(a)	The <em>Sheriff is bound to act reasonably in the interests of both the judgment creditor and the judgement debtor </em>in order to obtain a fair price;</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">(b)	A fair price is not necessarily the market value, for it is well recognised that compulsory sales under legal process rarely bring the full value of the property sold. In making a determination as to the adequacy of the highest bid, the Sheriff is entitled to take into account that the sale, being a compulsory process, is usually one at which <em>a full and fair market value for the property will not be expected and some allowance must be made for low prices being obtained at such sales;</em></span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">(c)	In determining the fair price in all the circumstances, <em>matters from the prospective buyer’s perspective must be weighed.  Such factors may include:  the fact that buyers must be prepared to complete their purchases on the spot; the fact that buyers, particularly in the case of real estate, will not usually have had the opportunity to inspect the property sold (at least internally); the fact that the title to the property may be encumbered or it may be physically occupied, giving rise to risks for the purchaser in acquiring clear title or rights of occupation without undue expense or delay; and other such risks which may be attendant for the purchaser on the purchase</em>;</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">(d)	A<em>nother factor to be weighed in the balance will be the amount, if any, obtained for the judgment creditor after the expenses of the sale have been deducted</em>;</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">(e)	If it is apparent to the Sheriff that in fact or in all probability <em><strong>the highest bid received is so far below the true value of the property offered for sale that he would be acting unreasonably if he was to accept it, the Sheriff should not accept the bid and pass in the property</strong></em>;</span></p>
<p style="text-align: right;">(Emphasis added)</p>
<p style="text-align: justify;">If the Sheriff breaches his common law duty and sells property for a price which, in all the circumstances, is unfair <span style="color: #008000;">[124]</span>, then:</p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">(i)	the transaction may be set aside. On setting the transaction aside, no damages would arise in the usual case for which the Sheriff could be liable; or</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">(ii)	where the price obtained on the highest bid is so low that it could be said that there was no sale at all, or that it was not a real sale or that it was in fact illusory, there would be no sale within </span><a href="http://www.austlii.edu.au/au/legis/vic/consol_act/sa200985/s24.html"><span style="color: #ff0000;">s 24</span></a><span style="color: #ff0000;"> of the <em><a href="http://www.austlii.edu.au/au/legis/vic/consol_act/sa200985/">Sheriff Act</a></em>, and therefore no sale within Division 5 with the result that the immunity of the Sheriff from a suit in damages conferred by </span><a href="http://www.austlii.edu.au/au/legis/vic/consol_act/sa200985/s25.html"><span style="color: #ff0000;">s 25</span></a><span style="color: #ff0000;"> would be removed. &#8230;</span><span style="color: #ff0000;"> if the transaction is not set aside and loss and damage is in fact sustained, the Sheriff could be exposed to an award of damages at common law.</span></p>
<p style="text-align: justify;">His Honour found that the second auction was not conducted in accordance with the common law and the Sheriff Act, and further that there was a breach of the order of the Supreme Court (see <span style="color: #008000;">[126]</span> – <span style="color: #008000;">[132]</span>). Given that the proceeds of sale did not even cover the costs of conducting the second auction, his Honour found the only proper inference to be drawn was that the second auction was carried out for the purpose of offsetting, to a substantial degree, the costs incurred by the Sheriff <span style="color: #008000;">[134]</span>. This is not permissible, and therefore it was not a sale conducted under the Sheriff Act <span style="color: #008000;">[135]</span>. Once the sale was set aside there was no loss and damage suffered by Zhou, so the immunities under section 25 did not arise <span style="color: #008000;">[137]</span>. The sale conducted pursuant to the second auction could not as a matter of law be allowed to stand <span style="color: #008000;">[139]</span>. The sale was set aside and accordingly Kousal did not have good title to the property.</p>
<h1><span style="color: #0000ff;">ISSUE</span></h1>
<p style="text-align: justify;">The issue of obtaining a fair price is an occasional but real one when dealing with mortgagee sales by creditors, often banks. This decision makes it clear that the Sheriff has a common law duty to take steps to sell a property for a fair price, in addition to his statutory obligations. While the court set out principles that are applicable when selling a property, they are drawn in broad terms and require a balancing of factors. Auctioning a property for $1,000, less than the cost of conducting the auction itself, is an extreme case and one which, on its face, appears unfair and inequitable; there remains a real question as to what quantum would be sufficient for the Sheriff to comply with his common law duty. There is no obligation to obtain market price on the sale of seized properties. The nature of forced sales is such that it is common to find that optimum prices are not realised. A significant question for a legal representative of the Sheriff, or of another party undertaking a distress sale pursuant to a warrant or by other means, is what degree of undervalue, measured against a valuation as a comparator (as was applicable here), constitutes unfairness.</p>
<p style="text-align: justify;">The Court adopted a cautious and, given the circumstances, prudent approach to Kousal&#8217;s liability. The facts did not sustain a claim of a special disability, and it was relevant that Kousal had no prior knowledge of or interaction with Zhou before successfully bidding for the property. On the well established case law of <em>Amadio</em> and its descendants there was no basis for claiming a breach of equitable obligations by Kousal. He was necessarily drawn in as a purchaser of the property.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/05/11/zhou-v-kousal-ors-2012-vsc-187-10-may-2012-unconscionable-advantage-taken-of-another-equity-to-set-aside-sale-compulsory-sale-by-sheriff-special-disability-for-the-purposes-of-the-equitable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Speech by Privacy Commissioner, 4 May 2012</title>
		<link>http://www.peteraclarke.com.au/2012/05/10/speech-by-privacy-commissioner-4-may-2012/</link>
		<comments>http://www.peteraclarke.com.au/2012/05/10/speech-by-privacy-commissioner-4-may-2012/#comments</comments>
		<pubDate>Thu, 10 May 2012 00:49:47 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=1984</guid>
		<description><![CDATA[The Privacy Commissioner gave a speech at Exploring the Changing Privacy Landscape and Impending Regulations iappANZ breakfast event, Sydney last Friday. It relevantly provides: It’s great to be here on the last day of Privacy Awareness Week (or PAW), a joint initiative of the Asia Pacific Privacy Authorities forum. Before I say a few words [...]]]></description>
			<content:encoded><![CDATA[<p>The Privacy Commissioner gave a speech at the <em><a href="http://www.oaic.gov.au/news/speeches/timothy_pilgrim/timothy_pilgrim_speech_120504.html">Exploring the Changing Privacy Landscape and Impending Regulations</a></em> iappANZ breakfast event in Sydney last Friday.</p>
<p>It relevantly provides:</p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">It’s great to be here on the last day  of </span><a href="http://www.privacyawarenessweek.org/"><span style="color: #ff0000;">Privacy Awareness Week</span></a><span style="color: #ff0000;"> (or PAW), a joint initiative of the Asia Pacific  Privacy Authorities forum.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Before I say a few words about the  week, I’ll cut to the chase and  give you an update on the most recent privacy  law reform announcement  made by the Attorney-General this week.</span></p>
<h2 style="padding-left: 30px;"><span style="color: #ff0000;">Attorney’s announcement</span></h2>
<p style="padding-left: 30px;"><span style="color: #ff0000;">As many here today would know, the  Attorney has just<span id="more-1984"></span></span><a href="http://www.attorneygeneral.gov.au/Media-releases/Pages/2012/Second%20Quarter/2-May-2012---Privacy-laws-set-to-reform.aspx"><span style="color: #ff0000;">announced</span></a><span style="color: #ff0000;"> some major legislative reforms to the Privacy Act  that will be  achieved through amendments scheduled to be introduced into the   Parliament in the Winter sitting period.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">These include many of the changes we  have been anticipating since  the ALRC released its 2008 report into Australia’s  privacy laws, <em>For your Information:  Australian Privacy Law and Practice</em>.</span></p>
<h2 style="padding-left: 30px;"><span style="color: #ff0000;">Consumer benefits</span></h2>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Turning first to the expected consumer  benefits identified by the Attorney as a result of these reforms, there will  be:</span></p>
<ul style="padding-left: 30px;">
<li><span style="color: #ff0000;">clearer and  tighter regulation of the use of personal information for direct marketing</span></li>
<li><span style="color: #ff0000;">privacy  protections extended to unsolicited information</span></li>
<li><span style="color: #ff0000;">easier access for  consumers to correct information held about them and</span></li>
<li><span style="color: #ff0000;">tighter rules on  sending personal information outside Australia.</span></li>
</ul>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Overall  there will be more powers for the Privacy Commissioner to  resolve complaints,  conduct investigations and promote privacy  compliance.</span></p>
<h2 style="padding-left: 30px;"><span style="color: #ff0000;">Direct marketing changes</span></h2>
<p style="padding-left: 30px;"><span style="color: #ff0000;">I know that some of you here today  will be interested to know what’s in store for direct marketing.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Under the reforms, the use and disclosure of personal information by private sector organisations for the purposes of direct marketing will be addressed in its own principle – APP 7.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Currently some specific limitations  apply to private sector  organisations’ use and disclosure of personal  information for direct  marketing under National Privacy Principle (NPP) 2, ‘Use  and  Disclosure’.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The new direct marketing principle  (APP 7) applies to personal  information regardless of whether it was initially  collected for the  purpose of direct marketing or for another purpose.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">This is in contrast to the current  restrictions in NPP 2, which  only apply if direct marketing is a secondary use  of personal  information. It does not  cover information gathered for the primary  purpose of marketing.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">I think it’s fair to say that direct  marketing is an area of community concern.</span><br />
<span style="color: #ff0000;"> Our office supported the creation of a  direct marketing principle  in its 2007 submissions to the ALRC’s privacy  review, so we welcome  the greater protection and clarity that this new  principle brings.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Some of the more important  requirements in APP 7 include:</span></p>
<blockquote>
<ul style="padding-left: 30px;">
<li style="padding-left: 30px;"><span style="color: #ff0000;">APP 7 requires that organisations provide a  simple means by which individuals may easily request <strong><em>not</em></strong> to receive direct  marketing communications.  Additionally,   organisations must include in all marketing communications a prominent   statement that the individual may opt out of receiving those  communications, or  otherwise draw the individual’s attention to this  fact. </span></li>
</ul>
</blockquote>
<p style="padding-left: 60px;"><span style="color: #ff0000;">This enhances the current requirement in NPP 2, by requiring organisations to provide a simple means of opting out.</span></p>
<blockquote>
<ul style="padding-left: 30px;">
<li><span style="color: #ff0000;">APP 7 also requires that if an individual  requests not to receive  marketing communications, the organisation must not  charge the  individual for making the request and must give effect to the  request  within a reasonable period of time. </span></li>
</ul>
</blockquote>
<p style="padding-left: 60px;"><span style="color: #ff0000;">Currently under NPP 2, organisations  are not allowed to charge  individuals to opt out of receiving marketing  materials. However, the  requirement that requests be fulfilled in a timely way  is new and  reflects the importance of implementing the individual’s request   quickly.</span></p>
<blockquote>
<ul style="padding-left: 30px;">
<li><span style="color: #ff0000;">APP 7 enables individuals to ask organisations  not to pass on  their details for marketing purposes and requires organisations  to tell  individuals where they got their details if asked. </span></li>
</ul>
</blockquote>
<p style="padding-left: 60px;"><span style="color: #ff0000;">This requirement will enable people to  find out how a marketing  company got their details. It will also enhance  transparency and help  people to control how their personal information is  handled.</span></p>
<p style="padding-left: 60px;"><span style="color: #ff0000;">It’s worth mentioning that APP 7 does  not replace or overrule Acts such as the <em>Do  Not Call Register Act 2006</em> or the <em>Spam  Act 2003</em>. So if individuals have opted into the Do Not Call Register, they  will continue to be on that register.</span></p>
<h2 style="padding-left: 30px;"><span style="color: #ff0000;">Credit reporting</span></h2>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Turning now to the credit reporting  arrangements, changes include a  clearer obligation on organisations to  substantiate, or show their  evidence to justify, disputed credit listings.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">On the consumer side, there will be easier access for individuals to correct credit reporting information.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">There will also be a prohibition  against the collection of credit reporting information about children.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">In terms of the move to more  comprehensive credit reporting, this is a big change, and somewhat  controversial.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Generally consumer advocates lobbied  against this move during the  ALRC’s consultation period.  There were concerns that financial   institutions would use this information inappropriately to the  disadvantage  of vulnerable consumers.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">For these reasons I’m  sure there will be ongoing debate on the merits of this particular change.</span></p>
<h2 style="padding-left: 30px;"><span style="color: #ff0000;">Increased powers for the Privacy Commissioner</span></h2>
<p style="padding-left: 30px;"><span style="color: #ff0000;">I’ll now give you some details about  the extent of the increased powers for the Privacy Commissioner.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">A significant change is that I will  now have the power to  conduct privacy assessments of both private sector  organisations and  government agencies to determine whether they are handling  personal  information in accordance with the new Australian Privacy Principles   (APPs) or a registered privacy code.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">This power also extends to certain  entities’ handling of credit  information, tax file number information and  health information in some  circumstances.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">This effectively means that our office  can assess the handling of <strong><em>all</em></strong> personal information by the private sector for the first time.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">It’s interesting to note too that the  Attorney has chosen to  move from the term ‘privacy audit’ to the term ‘privacy  assessment’,  reflecting the educational nature of this process.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">This emphasises the OAIC’s role in  helping all entities to achieve good privacy practices.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Other significant changes include:</span></p>
<blockquote>
<ul style="padding-left: 30px;">
<li><span style="color: #ff0000;">I will now be  able to accept a written undertaking from an entity  that the entity will take  or refrain from taking a specified action in  order to comply with the Privacy  Act </span></li>
<li><span style="color: #ff0000;">In situations  where I consider that an entity has breached an  undertaking, I can apply to the  Federal Court or Federal Magistrates  Court for an order to direct the entity to  comply.</span></li>
<li><span style="color: #ff0000;">I will also be  able to make a determination following an investigation conducted on the  Commissioner’s own initiative</span></li>
</ul>
</blockquote>
<p style="padding-left: 30px;"><span style="color: #ff0000;">This will be a huge change to the way  things stand currently.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">For example, at the moment I can only  make enforceable  determinations in response to complaints. When conducting own  motion  investigations (or OMIs), the Privacy Act only allows me to make   recommendations.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">As a result of the reforms, I will now  have the ability to make an  enforceable determination following an  investigation conducted on my  own initiative.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">And regardless of whether I have made  this determination as a result  of a complaint or through an OMI, I can now  include a declaration that  an entity must take specified steps — within a  specified period — to  ensure that certain conduct is not repeated or continued.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">In addition, I will be able to seek  civil penalties in the case of  serious or repeated interferences with privacy,  and in the case of a  breach of certain credit reporting provisions.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">In summary, these new powers increase  the range of ways in which the  Privacy Commissioner can address privacy  breaches, even in the absence  of a complaint from an individual.</span></p>
<h2 style="padding-left: 30px;"><span style="color: #ff0000;">OAIC response</span></h2>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Overall my colleagues and I at the  OAIC  welcome the Attorney’s announcement about these reforms that we have  been  expecting for some time. In our view it represents a significant  step forward  in privacy law reform.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">In particular, the new powers will  allow me to resolve major  privacy investigations more effectively and ensure  that privacy  continues to be valued as an important human right in Australia.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">They will assist me to address serious  and systemic privacy  violations as well as specific acts or practices of  entities that  breach the Privacy Act.   Additionally, the power to conduct assessments  will enable our office to  work closely with government agencies and  the private sector to achieve good  privacy practices.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The strengthening of the Privacy  Commissioner’s powers also sends a  strong message to the community that  significant consequences can  arise for entities that do not give personal  information an appropriate  level of protection.</span></p>
<h2 style="padding-left: 30px;"><span style="color: #ff0000;">Privacy Awareness Week</span></h2>
<p style="padding-left: 30px;"><span style="color: #ff0000;">So to wrap up, I’ll now give you a  brief update on what we have  been doing to mark Privacy Awareness Week or PAW.  This annual campaign  by the Asia Pacific Privacy  Authority concludes today, and I must say,  it has been a huge success.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">This year the OAIC has been joined by 145  partners across a  range of industry sectors, including Telstra; Optus; Coles;  National  Australia Bank; Clayton Utz Lawyers; the Department of Human Services,   ATO; social networking sites and search engines like Facebook, Yahoo!,  Google  Australia and New Zealand; and not-for-profits such as Diabetes  Australia, as  well as creative events like the Sydney Writers Festival.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Our partners have increased substantially,  up from 80 last year  and more than three times that of the year before. This  highlights the  growing importance of our work in privacy.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">From publishing  newsletter content, to playing our animation in  foyers, and displaying our  posters, all partners have committed to  become involved in their own way to  raise privacy awareness.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">EBay, Microsoft,  Google, and Yahoo7 among others are featuring  our banners or buttons on their  websites. Facebook has been  highlighting a privacy tip of the day over the  week. Bendigo &amp;  Adelaide Bank have transformed staff desktops and intranet,  including  by publishing daily stories and quizzes. And Microsoft hosted a  ‘brown  bag lunch’ where staff were invited to bring their lunch to a privacy  training  session.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Many  government agencies have also hosted events to promote privacy.</span><br />
<span style="color: #ff0000;"> In addition to our growing partnerships,  we are also increasingly  more involved in social media. Our Twitter bank is up  and running with  regular updates. We now have more than 700 followers and we’re  using  Facebook to promote the campaign.</span></p>
<h3 style="padding-left: 30px;"><span style="color: #ff0000;">Key Messages</span></h3>
<p style="padding-left: 30px;"><span style="color: #ff0000;">This year, we’ve been again reminding  business and government  agencies that they have responsibilities under  the Privacy Act  to protect the personal information that they collect  and handle. We’ve also  been encouraging individuals to exercise  their  privacy rights and take steps to make sure their personal information is   handled appropriately.</span></p>
<h3 style="padding-left: 30px;"><span style="color: #ff0000;">Business breakfast</span></h3>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Some of you here this morning may have  been among the 180  guests from legal, IT, banking and retail sectors at the  OAIC’s  business breakfast last Monday where a panel addressed the question   “what do you do when faced with a privacy breach?” We also launched our  updated  data breach guide.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">I’m pleased to report that we had a full  house so there is obviously strong interest in this topic.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">All panellists agreed that retaining  consumer trust is a key  issue for business: the importance of trust and its  significance to  protecting a brand’s integrity was a recurring theme.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">One panellist affirmed that no  business imperative is so  important that it would override the need to protect  customers’  personal information. Another argued that proper handling of a security   breach builds trust, and that notifying customers about a breach and  what you  are doing to fix it is an important part of this.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">All panellists agreed that leadership  from the highest level  is critical to promote a strong privacy culture in any  organisation.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">My colleague the Australian  Information Commissioner  Professor John McMillan used the occasion of this  gathering to launch  the 2012 edition of <em><a href="http://www.oaic.gov.au/publications/guidelines/privacy_guidance/data_breach_notification_guide_april2012.html">Data breach notification: A guide to  handling personal information security breaches.</a></em></span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">This  guide was first issued in 2008  and seeks to encourage organisations  holding personal information to  voluntarily put in place reasonable  measures to deal with data breaches — including  notification of  affected individuals and the OAIC.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">It outlines 4 steps to consider when  responding to a breach  or suspected breach and also outlines preventative  measures that should  be taken as part of a comprehensive information security  plan.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">I urge you to visit the OAIC’s website to get a copy of the new guide.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">And, if you have not yet done so, please visit the Privacy Awareness  Week campaign website at </span><a href="http://www.privacyawarenessweek.org/"><span style="color: #ff0000;">www.privacyawarenessweek.org</span></a><span style="color: #ff0000;">.  There you will find many educational  resources that we encourage you  to use, as well as all kinds of suggestions  about how you can protect  the personal information of others, as well as your  own.</span></p>
<h2 style="padding-left: 30px;"><span style="color: #ff0000;">Conclusion</span></h2>
<p style="padding-left: 30px;"><span style="color: #ff0000;">And on that note, I’d like to congratulate iappANZ  for another  successful PAW event. Thank you for inviting me to be part of it  and  thanks for all of your ongoing efforts to promote good privacy practice.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/05/10/speech-by-privacy-commissioner-4-may-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ackland article raises privacy issues when ostensibly discussing press complaints regulation</title>
		<link>http://www.peteraclarke.com.au/2012/05/04/ackland-article-raises-privacy-issues-when-ostensibly-discussing-press-complaints-regulation/</link>
		<comments>http://www.peteraclarke.com.au/2012/05/04/ackland-article-raises-privacy-issues-when-ostensibly-discussing-press-complaints-regulation/#comments</comments>
		<pubDate>Fri, 04 May 2012 00:10:58 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=1977</guid>
		<description><![CDATA[In Richard Ackland&#8217;s Grotesque cases show failure of regulation the theme is the failure of the press to regulate itself.  True.  The Press Council barely functions in giving those wronged a venue to make a complaint.  Whether the recommendations from Finkelstein review provide a cure or are an overreaction creating an intolerable intrusion on freedom [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">In Richard Ackland&#8217;s <a href="http://www.smh.com.au/opinion/society-and-culture/grotesque-cases-show-failure-of-regulation-20120503-1y1nt.html">Grotesque cases show failure of regulation</a> the theme is the failure of the press to regulate itself.  True.  The Press Council barely functions in giving those wronged a venue to make a complaint.  Whether the recommendations from Finkelstein review provide a cure or are an overreaction creating an intolerable intrusion on freedom of speech is a matter of conjecture. What Ackland does however highlight is the legal protections available to what Ackland described as grotesque intrusions into the privacy of others where there is no discernible public interest.  The first example was a media ambush by <span id="more-1977"></span>Leanne Edelsten, with A Current Affairs camera team in tow, of her paramour Clive James.  From what I saw on <a href="http://www.abc.net.au/mediawatch/transcripts/s3492282.htm">Media Watch</a> tawdry does not even begin to describe this odious display of moral debasement.  Ackland describes the scene neatly.  But he stresses the distinction between the Australian and the British Law when he says:</p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">This little kiss-and-tell was broadcast in Australia, so James really  can&#8217;t sue for breach of privacy, as he could if the show had gone to air  in Britain.</span></p>
<p style="text-align: justify;">And that is the nub of it, and a good example of why there should be a statutory right to privacy in Australia.  There is clearly a privacy issue involving Edelsten and James.  That Edelsten is prepared to cash in on the relationship does alter his expectation of privacy.  There is obviously a balancing act required, as the cases stress.  But there is no conceivable public interest in ambushing a frail Clive James as he leaves his apartment and filming him standing there while Edelsten prattles on about her concerns about them; it adds nothing to a non-issue.</p>
<p style="text-align: justify;">The article provides:</p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Clive James, 73, was ambushed in a Cambridge street by a film crew from <em>A Current Affair</em> last week.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">It was part of a broadcast in which Leanne Edelsten,  former wife of the celebrity tragic Geoffrey Edelsten, discussed her  eight-year affair with James.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">That they drank tea and ate Cherry Ripes and were known  to each other as Mr Wolf and Miss Hood were among the touching vignettes  revealed in this pointless, tawdry item.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">James looked positively puzzled as Edelsten pounced when  he emerged, cameras whirring, from his basement flat, to which he has  been ex-nuptially rusticated.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">In recent times, James has been in a different space, battling leukaemia and completing his poetry collection <em>Nefertiti in the Flak Tower</em>.  Channel Nine, Leanne Edelsten and Cherry Ripes bearing down on him must have seemed like a bad acid trip.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">This little kiss-and-tell was broadcast in Australia, so  James really can&#8217;t sue for breach of privacy, as he could if the show  had gone to air in Britain.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">In News Limited&#8217;s <em>Daily Telegraph</em> yesterday, there was a page three story with the catchy headline &#8220;Lara knew of nudes&#8221;. It pointed to the full report on page 23 where we could be nourished with the back story to Channel Nine&#8217;s broadcast on Tuesday night of a naked Bingle.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Those who missed this scoop will be keen to learn that Bingle was snapped by a lurking photographer as she stood without clothes at the window of her Bondi &#8220;fishbowl apartment&#8221;.  Apparently she was closing the curtains after stepping from the shower. All of this misfortune unfolded as the launch date looms for her reality TV show <em>Being Lara Bingle</em>.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Now there are allegations that Bingle&#8217;s agent knew of the nude snaps before they were published.  Channel Nine&#8217;s justification was of its usual rigorous standard. <em>A Current Affair&#8217;s</em> Grant Williams was quoted as saying: &#8220;My job is to expose grubs who think it is all right to take photos of naked women through bedroom windows.&#8221;</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">It&#8217;s as though the findings of the Finkelstein inquiry  into the media, proposed statutory enforcement of journalistic standards  and the agitation for an Australian law of privacy are all fantasies.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">In recent experience, there have been two memorably  unattractive media transgressions &#8211; until Clive and Lara were added to  the cocktail.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">We had the <em>Sunday Telegraph&#8217;s</em> publication in 2009 of the fake Pauline Hanson photos, with the bogus former One Nation siren fetchingly clad in lingerie. One News Limited hack justified this on the grounds that &#8220;public people are public property whether they like it or not&#8221;.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Then there was the David Campbell escapade outside the men-only sauna Ken&#8217;s of Kensington. Channel Seven&#8217;s justifications for this exposé of the then NSW minister for transport were laughably lamentable, but they were rescued by the industry &#8220;regulator&#8221;, who said that even though there was a breach of the privacy provisions of the industry code, there was a &#8220;public interest&#8221; in knowing why the minister resigned before this slice of life was put to air.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Since then, Finkelstein has come out with a proposal for a  government-funded, statutory news media council to set standards,  handle complaints and deliver enforceable remedies, such as apologies,  corrections, retractions and rights of reply.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">In conformity with precedent, the news industry,  including the publishers of this newspaper, reacted with alarm.   Inevitably there are journalists who hold concerns about these  proposals, but by no means all think they amount to the end of press  freedom &#8211; the objections seem principally to be coming from management.  Why would journalists not be keen to be part of an organisation that is  accountable to its readers and part of a gold standard scheme of good  housekeeping?</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">The Convergence Review, conducted for the government by a  panel of worthies and released this week, says no to statutory  regulation, instead proposing an industry-led regulator and complaints  handler for &#8221;content service enterprises&#8221;, who would be obliged to  take part. It would be funded largely by the publishers and broadcasters  themselves, but with provision for government top-ups.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Contrary to what we believed about a convergent media  landscape, two regulators are proposed by this review, and the ABC and  SBS would not be required to be part of the content standards body.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">How media organisations would be compelled to be part of a  self-regulating scheme without some sort of strong-arm legislation is  not readily apparent.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">There is a fascinating section in the Finkelstein report  giving chapter and verse on the pitiful failure of media  self-regulation. One example is Britain&#8217;s Press Complaints Commission,  which has collapsed under the weight of its own blindness. This was the  body that gave the <em>News of the World </em>and News International a clean bill of health on phone hacking.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">The PCC has been the subject of at least eight inquiries  and on several occasions there were proposals to add real teeth, but  each time the press barons and editors persuaded the authorities to give  them one more chance.  Now it has cracked completely, waiting for  whatever Lord Justice Leveson suggests should replace it.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Tonight the Media, Entertainment and Arts Alliance hosts  the annual press freedom dinner &#8211; a worthy occasion to bring to the fore  many of the threats to reporters and reporting.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">What should not be forgotten is that the media here is  not free of certain dark arts. Significant bits of Australian journalism  have been drinking at the last-chance saloon well beyond closing time.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">The self-regulated, industry-funded regime for newspapers  and the partially self-regulated system for broadcasters have failed to  deliver a decently accountable standard for a free media.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/05/04/ackland-article-raises-privacy-issues-when-ostensibly-discussing-press-complaints-regulation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Attorney General announces changes to the Privacy Act</title>
		<link>http://www.peteraclarke.com.au/2012/05/02/attorney-general-announces-changes-to-the-privacy-act/</link>
		<comments>http://www.peteraclarke.com.au/2012/05/02/attorney-general-announces-changes-to-the-privacy-act/#comments</comments>
		<pubDate>Wed, 02 May 2012 00:45:39 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=1957</guid>
		<description><![CDATA[The Attorney General today announced amendments to the Privacy Act.  The changes are long expected, effectively implementing the accepted recommendations of the Australian Law Reform Commission Report on Privacy. The announcement provides: Australia’s privacy laws will be reformed to better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the [...]]]></description>
			<content:encoded><![CDATA[<p>The Attorney General today announced amendments to the Privacy Act.  The changes are long expected, effectively implementing the accepted recommendations of the Australian Law Reform Commission Report on Privacy.</p>
<p>The announcement provides:</p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Australia’s privacy laws will be reformed to better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">“It is fitting to announce major legislative reforms to the Privacy Act during Privacy Awareness Week,” Attorney-General Nicola Roxon said.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">“In an increasingly digital world, both consumers and governments have a role to play to protect privacy. In introducing these changes, the Gillard Government is doing its bit to protect the privacy of Australian families.”</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The Attorney explained that key changes to benefit consumers are:</span></p>
<p style="padding-left: 60px;"><span style="color: #ff0000;">·         clearer and tighter regulation of the use of personal information for direct marketing</span></p>
<p style="padding-left: 60px;"><span style="color: #ff0000;">·         extending privacy <span id="more-1957"></span>protections to unsolicited information</span></p>
<p style="text-align: justify; padding-left: 60px;"><span style="color: #ff0000;">·         making it easier for consumers to access and correct information held about them</span></p>
<p style="text-align: justify; padding-left: 60px;"><span style="color: #ff0000;">·         tightening the rules on sending personal information outside Australia</span></p>
<p style="text-align: justify; padding-left: 60px;"><span style="color: #ff0000;">·         enhancing the powers of the Privacy Commissioner to improve the Commissioner’s ability to resolve complaints, conduct investigations and promote privacy compliance.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The Government will also modernise credit reporting arrangements. Benefits for consumers include:</span></p>
<p style="padding-left: 60px;"><span style="color: #ff0000;">·         making a clear obligation on organisations to substantiate, or show their evidence to justify, disputed credit listings</span></p>
<p style="padding-left: 60px;"><span style="color: #ff0000;">·         making it easier for individuals to access and correct their credit reporting information</span></p>
<p style="padding-left: 60px;"><span style="color: #ff0000;">·         prohibiting the collection of credit reporting information about children</span></p>
<p style="padding-left: 60px;"><span style="color: #ff0000;">·         simplifying the complaints process by removing requirement to complain to the organisation first, complaints can be made directly to the Privacy Commissioner, and by introducing alternative dispute resolution to more efficiently deal with complaints.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">“There have been big changes to the way we access finance since 1990 when the existing credit reporting provisions came into effect,” Ms Roxon said.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">“Many consumers have expressed their frustration at not being able to understand their credit rating.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">“These changes will provide much more power to consumers to be able to access and, if necessary, correct their credit reports.”</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The Government expects the credit industry will benefit because the reforms provide a more accurate picture of an individual’s credit situation to help them make a robust assessment of credit risk, which is expected to lead to lower credit default rates.</span></p>
<p style="padding-left: 30px;">&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/05/02/attorney-general-announces-changes-to-the-privacy-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Video surveillance &#8211; a perspective from the Economist</title>
		<link>http://www.peteraclarke.com.au/2012/05/01/video-surveillance-a-perspective-from-the-economist/</link>
		<comments>http://www.peteraclarke.com.au/2012/05/01/video-surveillance-a-perspective-from-the-economist/#comments</comments>
		<pubDate>Tue, 01 May 2012 02:03:16 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=1953</guid>
		<description><![CDATA[The Economist is an excellent current affairs journal.  Brilliant and thoughtful coverage.  Of late it has been covering privacy related issues, whether from a technology related perspective or that of politics or the law.  Or a bit of all three (as is often the case). Its most recent offering, I spy, with my big eye, [...]]]></description>
			<content:encoded><![CDATA[<p>The Economist is an excellent current affairs journal.  Brilliant and thoughtful coverage.  Of late it has been covering privacy related issues, whether from a technology related perspective or that of politics or the law.  Or a bit of all three (as is often the case).</p>
<p>Its most recent offering, <em>I spy, with my big eye</em>, is a typically thoughtful and insightful review of developments in surveillance technology.</p>
<p>It provides:</p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">WELCOME to China, the land of video surveillance. Guangdong province  boasts over 1m cameras. In 2010 the city of Chongqing, governed by the  now-disgraced Bo Xilai, ordered 500,000. Other provinces have hundreds  of thousands, according to Human Rights in China, an NGO. Video  surveillance constitutes over half the country’s huge security industry,  and is expected to reach 500 billion yuan ($79 billion) in 2015. China  will soon overtake Britain, with around 3m cameras, as the capital of  video surveillance.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Yet China is far from alone. In many democracies surveillance cameras  are multiplying, too. And face-recognition technology is proving a  wonder tool for both governments and marketers.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">A jail in Alabama uses it to check those<span id="more-1953"></span> leaving against prisoner  records. Mexican prisons use it to identify visitors. Heathrow airport  is installing systems to track passengers through lounges and onto the  plane. Brazil has plans to equip police with camera-spectacles that can  identify troublemakers at the 2014 World Cup.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">As for businesses, Quividi, a French marketer, can measure the age  and gender of passers-by who linger at an advert; advertisers vary their  offerings based on who is looking. A service called SceneTap gives  similar information on the crowd in Chicago bars. The smiles of  employees at Keihin Electric Express Railway in Japan are assessed by  computer. Facebook, a social network, recognises uploaded photos. The  latest smartphones can spot their users.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">The technology is improving fast. In 2010, in an assessment by  America’s National Institute of Standards and Technology (NIST), the  best program matched 92% of mugshots to one out of 1.6m pictures. Such  results require high-quality still photos, stresses NIST’s Jonathon  Phillips. But progress continues on fuzzier moving images. The error  rate halves every two years—and not just in the West. In the 2010 NIST  tests Chinese entrants lagged behind, identifying just 64% of images.  But their systems are now “state of the art”, says Sharon Hom of Human  Rights in China.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">System performance depends on the context. Controlled environments,  such as jails, are ideal. An experiment in Mainz railway station in  Germany got steady shots by mounting cameras over escalators (although  the recognition rate only reached 60%). Putting the lens behind an  advert is a good way to get subjects who are facing it. Facebook is good  at recognising people because they pick names from a limited list of  friends.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">More cameras and better face recognition raise tricky legal and  political questions. America places little restriction on the use of  face recognition, as legal precedent denies the “reasonable expectation  of privacy” in public. But Harley Geiger of the Centre for Democracy  &amp; Technology, an advocacy group, says the technology goes beyond  normal public scrutiny and could create a world where everyone, in  effect, becomes “a public figure”.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">The industry is aware of reputational risks. Eric Schmidt, Google’s  chairman, has said that Google will limit its face-recognition  services—to avoid “crossing the creepy line”. Last year the Digital  Signage Federation, a trade group, adopted a strong set of  face-recognition privacy standards.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Privacy-loving European countries are less easy-going, and usually  require cameras to be matched with signs to tell people they are being  watched. Facebook’s face recognition has already fallen foul of tough  German privacy laws. And America’s Supreme Court is uneasy with  technology that enables the persistent tracking of individuals in  public.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Still, even democratic governments will want to monitor people as  technology improves. But losing public anonymity could affect political  life. Freedom of speech is reduced when mere physical attendance at  protests goes on record. Kelly Gates, the author of a book on  surveillance, sees a “chilling effect”.</span></p>
<p style="padding-left: 30px; text-align: justify;"><span style="color: #ff0000;">Some countries welcome this. Nicholas Bequelin, a researcher for  Human Rights Watch, another NGO, says authorities installed thousands of  cameras in Xinjiang province, in China, after riots there in 2009. Its  strategy for stability, Mr Bequelin points out, is “to nip protests in  the bud”. Video surveillance seems the ideal tool.</span></p>
<p style="text-align: justify;">A curious feature of CCTV is that, while it is ubiquitous in the UK and fast becoming so in metropolitan Australia, it is not effective at preventing crime.  Its effectiveness lies in solving crime, or at least in finding out what happened, when it happened and sometimes who did it.  What is commonly the case is that the technology may be there but the skill, and even the presence, of the humans needed to use it often is not.  It is commonly the case that the cameras in question are not properly monitored or maintained.  Governments and business are quite prepared to outlay the capital cost of CCTV or facial recognition technology but are less enthused about paying the wages of those needed to monitor it properly or training staff to use the equipment most effectively.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/05/01/video-surveillance-a-perspective-from-the-economist/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy breaches on Facebook results in criminal conviction</title>
		<link>http://www.peteraclarke.com.au/2012/04/24/privacy-breaches-on-facebook-results-in-criminal-conviction/</link>
		<comments>http://www.peteraclarke.com.au/2012/04/24/privacy-breaches-on-facebook-results-in-criminal-conviction/#comments</comments>
		<pubDate>Tue, 24 Apr 2012 03:34:58 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=1904</guid>
		<description><![CDATA[In Man jailed over nude Facebook photos the Age reports on a case which factually has similarities with the seminal and leading privacy decision in Australia, Giller v Procopets.  In this case nude photographs of an ex girlfiriend were published on Mr Usmanov&#8217;s Facebook page.  Mr Usmanov placed the photos to hurt her. The facts [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">In <a href="http://www.theage.com.au/technology/man-jailed-over-nude-facebook-photos-20120421-1xe2c.html">Man jailed over nude Facebook photos</a> the Age reports on a case which factually has similarities with the seminal and leading privacy decision in Australia, <a href="http://www.austlii.edu.au/cgi-bin/sinodisp/au/cases/vic/VSCA/2008/236.html?stem=0&amp;synonyms=0&amp;query=title%28Giller%20v%20Procopets%20%29"><em>Giller v Procopets</em></a>.  In this case nude photographs of an ex girlfiriend were published on Mr Usmanov&#8217;s Facebook page.  Mr Usmanov placed the photos to hurt her.</p>
<p style="text-align: justify;">The facts here are a higher tech version of the facts the subject of the complaint by Giller against Procopets.  In that case instead of photos <span id="more-1904"></span>the images were stored in tapes which were played to family and friends of Giller.  The motive was similar and the intended impact identical.  In <em>Giller v Procopets</em> a claim for breach of confidence on privacy grounds was enunciated by the Court of Appeal.</p>
<p style="text-align: justify;">The article claims that people can now be held accountable.  That is wrong.  They could have been held accountable through a civil claim since at least 2008.  Claims for breach of confidence are underutilised, particularly given the reckless behaviour of some in using private data involving others.  Just because something is placed on the internet does not dilute the right of another to take action.  Often the opposite.  The impact of any breach is so much greater when published to the world at large rather than to specific persons.</p>
<p style="text-align: justify;">The article provides:</p>
<p style="padding-left: 30px;"><span style="color: #ff0000;"><strong>People can now be held accountable for their actions on social media.</strong></span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">A jilted boyfriend who put nude pictures of his former  lover on Facebook has been sentenced to six months&#8217; jail &#8211; the first  social networking-related conviction in Australian history and one of  just a handful in the world.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Ravshan &#8220;Ronnie&#8221; Usmanov told police: &#8220;I put the photos up because she hurt me and it was the only thing [I had] to hurt her.&#8221;</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The six pictures, according to court documents, showed his ex-girlfriend &#8220;nude in certain positions and clearly showing her breasts and genitalia&#8221;.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Shortly after posting the pictures on his Facebook page in October last year, Usmanov emailed his girlfriend with the message: &#8220;Some of your photos are now on Facebook&#8221;. She had ended their relationship and moved out of their shared home less than three months earlier.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The woman, who <em>The Sun-Herald</em> has chosen not to  identify, ran to Usmanov&#8217;s flat at Pyrmont, demanding he take down the  pictures. When he refused, she called the police.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Privacy experts say Usmanov&#8217;s case has exposed the &#8220;tip of the iceberg&#8221; of online offences that rarely go punished. Sentencing the 20-year-old, the Deputy-Chief Magistrate, Jane Mottley, said she was &#8220;deterring both the offender and the community generally from committing similar crimes&#8221;. She said: &#8220;New-age technology through Facebook gives instant access to the world. Facebook as a social networking site has limited boundaries. Incalculable damage can be done to a person&#8217;s reputation by the irresponsible posting of information through that medium. With its popularity and potential for real harm, there is a genuine need to ensure the use of this medium to commit offences of this type is deterred.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">&#8220;The harm to the victim is not difficult to contemplate: embarrassment, humiliation and anxiety at not only the viewing of the images by persons who are known to her but also the prospect of viewing by those who are not. It can only be a matter for speculation as to who else may have seen the images, and whether those images have been stored in such a manner which, at a time the complainant least expects, they will again be available for viewing, circulation or distribution.&#8221;</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The court could cite just one other relevant case in  which a 20-year-old New Zealand man was sentenced to four months&#8217; jail  in Wellington in 2010 for posting nude pictures of his ex-girlfriend on  Facebook.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Usmanov, a credit controller for a shipping company,   pleaded guilty to publishing an indecent article but appealed the  six-month sentence that was to be served as home detention. Justice Reg  Blanch of the District Court confirmed the original sentence but quashed  the home detention order in favour of a suspended sentence on February  15.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Court papers from the original sentencing reveal discussion over the gravity of Usmanov&#8217;s offence. His lawyer, Maggie Sten, argued his was not a &#8220;serious offence&#8221;. Ms Mottley fired back: &#8220;What could be more serious than publishing nude photographs of a woman on the internet, what could be more serious?&#8221; She added: &#8220;It&#8217;s one thing to publish an article in print form with limited circulation. That may affect the objective seriousness of the offence but once it goes on the worldwide web via Facebook it effectively means it&#8217;s open to anyone who has some link in any way, however remotely.&#8221;</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">David Vaile, the executive director of the cyberspace law  and policy centre at the University of NSW, said crimes of harassment  when conducted online were not taken as seriously as physical offences.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">&#8220;In a sense this is the tip of the iceberg,&#8221; he said. &#8220;There are very few convictions under harassment and indecent publication. It&#8217;s not treated the same way as, say, breaking into a bank website. There is more police support for criminal damage. In this case, he didn&#8217;t slash her tyres in an act of revenge. He slashed her reputation.&#8221;</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Facebook Australia did not return calls.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">The privacy expert Alec Christie, a partner at law firm DLA Piper, said the federal government review of privacy stemming from the Australian Law Reform Commission report should include online measures.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">&#8220;She should be able to take action for the invasion of her privacy but she can&#8217;t at the moment. In the online world it is not a Polaroid shared with people at the pub; it&#8217;s a Polaroid shared with a billion people or more.&#8221;</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">When approached by <em>The Sun-Herald</em> last week, Usmanov declined to comment. In mitigation, Ms Sten said: &#8220;He was upset so he put the photos up on Facebook. He did this to hurt her. He&#8217;s sorry he did that. It was a spur-of-the-moment thing. It&#8217;s just not something he would normally do.&#8221;</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/04/24/privacy-breaches-on-facebook-results-in-criminal-conviction/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UK Government seeks to increase data sharing between agencies &#8211; privacy issues</title>
		<link>http://www.peteraclarke.com.au/2012/04/24/uk-government-seeks-to-increase-data-sharing-between-agencies-privacy-issues/</link>
		<comments>http://www.peteraclarke.com.au/2012/04/24/uk-government-seeks-to-increase-data-sharing-between-agencies-privacy-issues/#comments</comments>
		<pubDate>Tue, 24 Apr 2012 00:21:16 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=1918</guid>
		<description><![CDATA[The UK government is planning on permitting greater use of sharing confidential information provided by the public according to the Guardian.  This is a typical problem in privacy regulation, function creep.  Data sharing between agencies of government is often touted as a tool of greater efficiency in providing services, cracking down on fraud and generally [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The UK government is planning on permitting greater use of sharing confidential information provided by the public according to the <a href="http://www.guardian.co.uk/politics/2012/apr/23/government-plan-share-personal-data">Guardian</a>.  This is a typical problem in privacy regulation: function creep.  Data sharing between agencies of government is often touted as a tool of greater efficiency in providing services, cracking down on fraud and generally tidying up administration.  It is equally <span id="more-1918"></span>a means by which government can reduce the anonymity of its citizens, remove their privacy and increase control over them.  The article refers to the government proposals as having privacy safeguards, but such safeguards are usually drawn broadly and are generally vague.  Their enforcement, usually without criminal sanction for breach, is weak.  In short, the loss of privacy protection is immediate.  The improvement in government service delivery is usually marginal, if it occurs at all.</p>
<p style="text-align: justify;">The article provides:</p>
<div id="article-body-blocks">
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Ministers are planning a shakeup of the law on the use of  confidential personal data to make it far easier for government and  public-sector organisations to share confidential information supplied  by the public.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Proposals to be published next month by the Cabinet  Office minister, Francis Maude, are expected to include fast-track  procedures for ministers to license the sharing of data in areas where  it is currently prohibited, subject to </span><a title="More from guardian.co.uk on Privacy" href="http://www.guardian.co.uk/world/privacy"><span style="color: #ff0000;">privacy</span></a><span style="color: #ff0000;"> safeguards.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">The  development will raise fears among civil liberty and privacy  campaigners that sensitive personal information supplied by citizens to a  doctor, social worker or police officer for one purpose could be used  arbitrarily, without the consent or knowledge of the citizen, by another  agency of the state for a different purpose.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">The proposals are  similar to &#8220;database state&#8221; legislation abandoned by the last Labour  government in 2009 in the face of fierce opposition. That legislation  was intended to reverse the basic </span><a title="More from guardian.co.uk on Data protection" href="http://www.guardian.co.uk/technology/data-protection"><span style="color: #ff0000;">data protection</span></a><span style="color: #ff0000;"> principle that sensitive personal information provided to one  government agency should not normally be provided to another agency for a  different purpose without explicit consent.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Despite the coalition  government&#8217;s pre-election promises to roll back the database state, the  growth of internal Whitehall databases has quietly continued apace in  the last two years. A newly created &#8220;drug data warehouse&#8221; has been set  up containing anonymised details of more than 1 million individuals who  use illicit drugs.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Last month parliament approved data-sharing powers, buried in the Welfare Reform Act, requiring jobcentres to supply local authorities with the names and addresses of unemployed families with children who miss school or are involved in crime and antisocial behaviour, so that so-called troubled family units can deal with their behaviour.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Maude believes technology has moved on so fast in the  last few years that it is now possible to encourage data sharing without  the government having to build huge databases of sensitive personal  data that offer &#8220;huge flashing targets for criminals&#8221;.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">The minister is pressing ahead with a  project he describes as a </span><a href="http://www.information-age.com/channels/security-and-continuity/news/2094873/privacy-rules-for-little-brother-id-scheme-revealed.thtml"><span style="color: #ff0000;">&#8220;little brother&#8221;</span></a><span style="color: #ff0000;"> identity scheme to succeed the government&#8217;s abandoned identity card  programme. Under this scheme, which will start with 21 million  pensioners and benefit claimants this summer, private companies will be  used to verify identities and authenticate transactions with the  Department for Work and Pensions.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Maude will propose giving  ministers a fast-track mechanism to revive legislation first proposed by  the Walport-Thomas review in 2008. Maude believes that technology has  moved on since then.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">The proposals on data sharing and privacy are  to form part of a forthcoming government white paper on the &#8220;citizen&#8217;s  right to data&#8221;, which will also propose boosting transparency in public  services and introducing new approaches to &#8220;open data&#8221; collaborations  between government, business and the voluntary sector.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Maude  argued in a recent speech that it was now possible to share data across,  for example, health, criminal justice and employment records without  the information needing to be held on the same computer server. He said  social workers, doctors, dentists, jobcentres and the police all found  that essential data sharing about individuals was hampered by legal  complexities and muddled myths.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Officials were being denied access  to personal data because of cultural and legal barriers despite  legitimate benefits to frontline services.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">&#8220;We intend to act by  changing the way we work and by revisiting the existing legislation,&#8221;  said Maude. &#8220;In May we will publish the proposals that will make data  sharing easier and, in particular, we will revisit the recommendations  of the Walport-Thomas review that would make it easier for legitimate  requests for data-sharing to be agreed with a view to considering their  implementation.&#8221;</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Guy Herbert, of the No2ID campaign, said he was  alarmed to see the revival of the Blair government&#8217;s database state  policies. &#8220;There has been a consistent – and it can only be deliberate –  habit in Whitehall of conflating &#8216;public information&#8217;, which most  people take to mean information about the state, with information on the  public held by state agencies. This has now been hooked on to the new  administration&#8217;s modish transparency, and is used to suggest that &#8216;open  data&#8217; implies opening us all up to inspection at official whim. It  doesn&#8217;t.&#8221;</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">Herbert said Maude was right to argue that information  did not need to be held on the same server to be correlated. But he said  that when data was collected and connected, a single database was being  built, whether the data was in one place or dispersed. &#8220;Broad data  sharing isn&#8217;t just inimical to privacy, it&#8217;s inimical to the rule of  law. It necessarily means scrapping both confidentiality and ultra  vires,&#8221; Herbert said.</span></p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">A Cabinet Office spokesman said: &#8220;This is  emphatically not an ID card scheme or a national identity database. We  want to enable people to prove their identity – if they choose to –  without the need for a national scheme. This way the citizen remains in  charge, not the state.&#8221;</span></p>
</div>
<p style="text-align: justify;">In an interesting piece in Salon, <a href="http://www.salon.com/2012/04/21/e_2/singleton/">Surveillance State evils</a>, the article focuses on the development of surveillance by government agencies in the US.  It provides:</p>
<blockquote>
<p style="padding-left: 60px;"><span style="color: #ff0000;">“Th[e National Security Agency's] capability at any time could be turned around on the American people, and<strong> no American would have any privacy left, such is the capability to monitor everything:</strong> telephone conversations, telegrams, it doesn’t matter. There would be no place to hide. [If a dictator ever took over, the N.S.A.] could enable it to impose total tyranny, and <strong>there would be no way to fight back.</strong>”</span></p>
</blockquote>
<p style="padding-left: 30px;"><span style="color: #ff0000;">That dramatic warning comes not from an individual who is typically held up as a symbol of anti-government paranoia. Rather, it </span><a href="http://www.nytimes.com/2005/12/25/weekinreview/25bamford.html?pagewanted=all"><span style="color: #ff0000;">was issued by</span></a><span style="color: #ff0000;"> one  of the most admired and influential politicians among American liberals  in the last several decades: Frank Church of Idaho, the 4-term U.S.  Senator who served from 1957 to 1981. He was, among other things, one of  the Senate’s earliest opponents of the Vietnam War, a former Chairman  of the Senate Foreign Relations Committee, and the Chairman of the  Committee (bearing his name) that in the mid-1970s investigated the  widespread surveillance abuses committed under every President since FDR  (that was the investigation that led to the enactment of FISA, the  criminal law prohibiting the Executive Branch from intercepting the  communications of American citizens without first obtaining a warrant  from a court: the law which the Bush administration got caught violating  and which, in response, was gutted by the Democratic-led Congress in  2008, with the support of then-Senator Obama; the abuses uncovered by  the Church Committee also led to the enactment of further criminal  prohibitions on the cooperation by America’s telecoms in any such  illegal government spying, prohibitions that were waived away when the  same 2008 Congress retroactively immunized America’s telecom giants from  having done so).</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">At the time of the Church Committee, it was the FBI that conducted  most domestic surveillance. Since its inception, the NSA was strictly  barred from spying on American citizens or on American soil. That  prohibition was centrally ingrained in the mindset of the agency. Church  issued that above-quoted warning out of fear that, one day, the NSA’s  massive, unparalleled surveillance capabilities would be directed  inward, at the American people. Until the Church Committee’s  investigation, most Americans, including its highest elected officials,  knew almost nothing about the NSA (it was referred to as No Such Agency  by its employees). As James Bamford wrote about Church’s reaction to his  own findings about the NSA’s capabilities, “he came away stunned.” At  the time, Church also said: “I don’t want to see this country ever go  across the bridge. I know the capacity that is there to make tyranny  total in America, and we must see to it that this agency and all  agencies that possess this technology operate within the law and under  proper supervision, so that we never cross over that abyss. That is the  abyss from which there is no return.”</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Of course, that bridge has long ago been crossed, without even much  discussion, let alone controversy. In the immediate aftermath of 9/11,  George Bush ordered the NSA to spy on the communications of Americans on  American soil, and they’ve been doing it ever since, with increasing  aggression and fewer and fewer constraints. That development is but one  arm in the creation of an American Surveillance State that is,  literally, ubiquitous — one that makes it close to impossible for  American citizens to communicate or act without detection from the U.S.  Government — a state of affairs Americans have long been taught since  childhood is a hallmark of tyranny. Such are the times — in both America  generally and the Democratic Party in particular — that those who now  echo the warnings issued 35 years ago by Sen. Church (when surveillance  was much more restrained, legally and technologically) are scorned by  all Serious People as radical hysterics.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Yesterday, <em>Democracy Now</em> had an extraordinary program  devoted to America’s Surveillance State. The show had three guests, each  of whose treatment by the U.S. Government reflects how invasive,  dangerous and out-of-control America’s Surveillance State has become:</span></p>
<blockquote><p><span style="color: #ff0000;"><strong>William Binney:</strong> he worked at the NSA for  almost 40 years, and resigned in October, 2001, in protest of the NSA’s  turn to domestic spying. Binney immediately went to the House  Intelligence Committee to warn them of the illegal spying the NSA was  doing, and that resulted in nothing. In July, 2007 — while then-Attorney  General Alberto Gonzales was testifying before the Senate about Bush’s  warrantless NSA spying program — Binney’s home was invaded by a dozen  FBI agents, who pointed guns at him, in an obvious effort to intimidate  him out of telling the Senate the falsehoods and omissions in Gonzales’  testimony about NSA domestic spying (another NSA whistleblower, Thomas  Drake, had his home searched several months later, and was subsequently  prosecuted by the Obama DOJ — unsuccessfully — for his whistleblowing).</span></p>
<p><span style="color: #ff0000;"><strong>Jacob Appelbaum</strong>: an Internet security expert and hacker, he is currently at the University of Washington and engaged in some of the world’s most important work in the fight for Internet freedom. He’s a key member of the </span><a href="https://www.torproject.org/"><span style="color: #ff0000;">Tor Project</span></a><span style="color: #ff0000;">, which is devoted to enabling people around the world to use the Internet with complete anonymity: so as to thwart government surveillance and to prevent nation-based Internet censorship. In 2010, he was also identified as a spokesman for WikiLeaks. <em>Rolling Stone </em></span><a href="http://www.rollingstone.com/culture/news/the-most-dangerous-man-in-cyberspace-20100818"><span style="color: #ff0000;">dubbed him</span></a><span style="color: #ff0000;"> “The Most Dangerous Man in Cyberspace,” writing: “In a sense, he’s a bizarro version of Mark Zuckerberg: If Facebook’s ambition is to ‘make the world more open and connected,’ Appelbaum has dedicated his life to fighting for anonymity and privacy. . . . ‘I don’t want to live in a world where everyone is watched all the time,’ he says. ‘I want to be left alone as much as possible. I don’t want a data trail to tell a story that isn’t true’.”</span></p>
<p><span style="color: #ff0000;">For the last two years, Appelbaum has been </span><a href="http://news.cnet.com/8301-27080_3-20012253-245.html"><span style="color: #ff0000;">repeatedly</span></a> <a href="http://abcnews.go.com/Blotter/wikileaks-activist-jacob-appelbaum-detained/story?id=12619456"><span style="color: #ff0000;">detained</span></a><span style="color: #ff0000;"> and </span><a href="http://grapevine.is/News/ReadArticle/Jacob-Appelbaum-Detained-At-Keflavik-Airport"><span style="color: #ff0000;">harassed</span></a><span style="color: #ff0000;"> at </span><a href="http://boingboing.net/2011/01/12/wikileaks-volunteer-1.html"><span style="color: #ff0000;">American airports</span></a><span style="color: #ff0000;"> upon  his return to the country, including having his laptops and cellphone  seized — all without a search warrant, of course — and never returned.  The U.S. Government has issued </span><a href="http://online.wsj.com/article/SB10001424052970203476804576613284007315072.html"><span style="color: #ff0000;">secret orders</span></a><span style="color: #ff0000;"> to Internet providers demanding they provide information about </span><a href="http://www.washingtonpost.com/blogs/blogpost/post/wikileaks-volunteer-jacob-appelbaum-targeted-in-secret-government-order/2011/10/10/gIQAaJNiaL_blog.html"><span style="color: #ff0000;">his email communications</span></a><span style="color: #ff0000;"> and </span><a href="http://www.wired.com/threatlevel/2011/03/wikileaks-twitter-again/"><span style="color: #ff0000;">social networking activities</span></a><span style="color: #ff0000;">. He’s never been charged with, let alone convicted of, any crime.</span></p>
<p><span style="color: #ff0000;"><strong>Laura Poitras: </strong>she is the filmmaker about whom I </span><a href="http://www.salon.com/2012/04/08/u_s_filmmaker_repeatedly_detained_at_border/"><span style="color: #ff0000;">wrote two weeks ago</span></a><span style="color: #ff0000;">.  After producing an Oscar-nominated film on the American occupation of  Iraq, followed by a documentary about U.S. treatment of Islamic radicals  in Yemen, she has been detained, searched, and interrogated every time  she has returned to the U.S. She, too, has had her laptop and cell phone  seized without a search warrant, and her reporters’ notes repeatedly  copied. This harassment has intensified as she works on her latest film  about America’s Surveillance State and the war on whistleblowers, which  includes — among other things — interviews with NSA whistleblowers such  as Binney and Drake.</span></p></blockquote>
<p style="padding-left: 30px;"><span style="color: #ff0000;">So just look at what happens to people in the U.S. if they challenge government actions in any meaningful way — if they engage in any meaningful dissent. We love to tell ourselves that there are robust political freedoms and a thriving free political press in the U.S. because you’re allowed to have an MSNBC show or blog in order to proclaim every day how awesome and magnanimous the President of the United States is and how terrible his GOP political adversaries are — <em>how</em> <em>brave,</em> <em>cutting and</em> <em>edgy!</em> — or to go on Fox News and do the opposite. But people who are engaged in actual dissent, outside the tiny and narrow permissible boundaries of pom-pom waving for one of the two political parties — those who are focused on the truly significant acts which the government and its owners are doing in secret — are subjected to this type of intimidation, threats, surveillance, and climate of fear, all without a whiff of illegal conduct (as even <em>The New York Times</em>’ most celebrated investigative reporter, James Risen, </span><a href="http://www.salon.com/2011/06/23/risen_3/"><span style="color: #ff0000;">will tell you</span></a><span style="color: #ff0000;">).</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Whether a country is actually free is determined not by how  well-rewarded its convention-affirming media elites are and how ignored  its passive citizens are but by how it treats its dissidents, those  posing authentic challenges to what the government does. The stories of  the three <em>Democracy Now </em>guests — and so many others — provide that answer loudly and clearly.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Beyond the stories of these guests, I want to highlight two  particularly significant exchanges from yesterday’s show (and I really  urge you to find the time this weekend to watch the whole thing; it’s  embedded below or, alternatively, can be viewed </span><a href="http://www.democracynow.org/shows/2012/4/20"><span style="color: #ff0000;">here</span></a><span style="color: #ff0000;">). First is this:</span></p>
<blockquote><p><span style="color: #ff0000;"><strong>JUAN GONZALEZ:</strong> And the differences in the [Bush and Obama] administrations?</span></p>
<p><span style="color: #ff0000;"><strong>WILLIAM BINNEY:</strong> Actually, I think the <strong>surveillance has increased</strong>. In fact, I would suggest that they’ve assembled on the order of <strong>20 trillion transactions about U.S. citizens with other U.S. citizens</strong>.</span></p>
<p><span style="color: #ff0000;"><strong>AMY GOODMAN:</strong> How many?</span></p>
<p><span style="color: #ff0000;"><strong>WILLIAM BINNEY:</strong> Twenty trillion.</span></p>
<p><span style="color: #ff0000;"><strong>AMY GOODMAN:</strong> And you’re saying that this surveillance has increased? Not only the—</span></p>
<p><span style="color: #ff0000;"><strong>WILLIAM BINNEY:</strong> Yes.</span></p>
<p><span style="color: #ff0000;"><strong>AMY GOODMAN:</strong> —targeting of whistleblowers, like your  colleagues, like people like Tom Drake, who are actually indicted under  the Obama administration—</span></p>
<p><span style="color: #ff0000;"><strong>WILLIAM BINNEY:</strong> Right.</span></p>
<p><span style="color: #ff0000;"><strong>AMY GOODMAN:</strong> —more times—the number of people who have been indicted are more than all presidents combined in the past.</span></p>
<p><span style="color: #ff0000;"><strong>WILLIAM BINNEY:</strong> Right. And I think it’s to silence  what’s going on. But the point is, the data that’s being assembled is  about everybody. And from that data, then they can target anyone they  want . . . That, by the way, estimate only <strong>was involving phone calls and emails</strong>.  It didn’t involve any queries on the net or any assembles—other—any  financial transactions or credit card stuff, if they’re assembling that.  I do not know that, OK.</span></p></blockquote>
<p style="padding-left: 30px;"><span style="color: #ff0000;">That sounds like a number so large as to be fantastical, but it’s entirely consistent with what <em>The Washington Post</em>, in its </span><a href="http://projects.washingtonpost.com/top-secret-america/articles/a-hidden-world-growing-beyond-control/"><span style="color: #ff0000;">2010 “Top Secret America” series</span></a><span style="color: #ff0000;">, reported: “<em><strong>Every day</strong></em><strong>, collection systems at the National Security Agency <em>intercept and store</em> 1.7 billion e-mails, phone calls and other types of communications</strong>.”  Read that sentence again and I defy anyone to deny that the U.S. has  become the type of full-fledged, limitless Surveillance State about  which Sen. Church warned.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Note, too, how this weapon has been not just maintained, but — as  Binney said — aggressively expanded under President Obama. Obama’s  unprecedented war on whistleblowing has been, in large part, designed to  shield from the American public any knowledge of just how invasive this  Surveillance State has become. Two Obama-loyal Democratic Senators —  Ron Wyden of Oregon and Mark Udall of Colorado — have spent two full  years </span><a href="http://www.nytimes.com/2011/05/27/us/27patriot.html"><span style="color: #ff0000;">warning that the Obama administration</span></a><span style="color: #ff0000;"> is “interpreting” its spying powers under the Patriot Act in ways so  “twisted” and broad that it would shock the American public if it  learned of what was being done, and have even </span><a href="http://www.nytimes.com/2011/09/22/us/politics/justice-dept-is-accused-of-misleading-public-on-patriot-act.html?_r=1"><span style="color: #ff0000;">been accusing the DOJ and Attorney General Holder</span></a><span style="color: #ff0000;"> of  actively misleading the public in material ways about its spying  powers (unlike brave whistleblowers who have risked their own interests  to bring corruption and illegality to the public’s attention — Binney,  Drake, Bradley Manning, etc — Wyden and Udall have failed to tell the  public about this illegal spying (even though they could do so on the  Senate floor and be immune from prosecution) because they apparently  fear losing their precious seat on the Intelligence Committee, but  what’s the point of having a seat on the Intelligence Committee if you  render yourself completely impotent even when you learn of systematic  surveillance lawbreaking?).</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">None of this should be surprising: Obama — in </span><a href="http://www.opednews.com/articles/Obama-Campaign-Vowed-To-Fi-by-Gustav-Wynn-080622-299.html" target="_blank"><span style="color: #ff0000;">direct violation</span></a><span style="color: #ff0000;"> of  his primary campaign pledge — infamously voted for the FISA Amendments  Act of 2008 that not only immunized lawbreaking telecoms, but also  legalized much of the NSA domestic spying program Bush had ordered in  the aftermath of 9/11. At the time, he and his acolytes </span><a href="http://utdocuments.blogspot.com.br/2008/07/obamas-new-statement-on-fisa.html" target="_blank"><span style="color: #ff0000;">insisted </span></a><span style="color: #ff0000;">that  Obama was doing so only so that he could win the election and then use  his power to fix these spying abuses, yet another Obama-glorifying claim  that has turned out to be laughable in its unreliability. The Obama  administration also advocated for full-scale renewal of the Patriot Act  last year, and it was Harry Reid who </span><a href="http://news.yahoo.com/blogs/ticket/harry-reid-rand-paul-patriot-act-showdown-goes-132752391.html" target="_blank"><span style="color: #ff0000;">attacked Rand Paul</span></a><span style="color: #ff0000;"> for urging reforms to that law by accusing him of helping the Terrorists with his interference.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">But whereas massive Surveillance State abuses were once a feigned  concern of progressives, they now no longer are. Just last week, <em>The New York Times</em> began </span><a href="http://www.nytimes.com/2012/04/16/opinion/from-the-birthplace-of-big-brother.html?adxnnl=1&amp;adxnnlx=1335017079-LoCg3ExizaimdqfhQNAH3g" target="_blank"><span style="color: #ff0000;">an editorial</span></a><span style="color: #ff0000;"> about  the proposed massive expansion of Internet spying powers in Britain  with this sentence: “The George W. Bush team must be consumed with envy”  — because, of course, Barack Obama has no interest in such things.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Similarly, Hilary Bok is a Philosophy Professor at Johns Hopkins who  blogged about civil liberties and executive power abuses during the Bush  years under the name “Hilzoy.” I have a lot of respect for her; she  gave valuable insight into the draft of my first book on Bush’s  surveillance abuses. But barely five months into the Obama presidency,  she </span><a href="http://obsidianwings.blogs.com/obsidian_wings/2009/07/barefaced-goaway-bird.html" target="_blank"><span style="color: #ff0000;">announced that she would no longer blog</span></a><span style="color: #ff0000;"> because  she started blogging to combat the “insanity” that prevailed in the  U.S. but now, in the wake of Obama’s election, “it seems to me that the  madness is over” — even as the out-of-control Surveillance State she  spent so much time protesting continues to explode. Along the same  lines, let me know if MSNBC ever mentions, let alone denounces, any of  these trends or stories of oppression of the type experienced by Binney,  Appelbaum and Poitras. That is one major reason why it continues  unabated: because the political faction with a history of opposing these  abuses — American liberalism, which spearheaded the Church Committee  reforms — has largely decided that the Democratic President whom they  elected can be trusted with these vast and unaccountable powers or,  worse, they just pretend that this isn’t happening.</span></p>
<p style="padding-left: 30px;"><span style="color: #ff0000;">Then there’s this: Appelbaum describing the various government  efforts to intrude into his private discussions and Internet activities,  all without a warrant:</span></p>
<blockquote><p><span style="color: #ff0000;"><strong>JACOB APPELBAUM:</strong> But in the period of  time since they’ve started detaining me [at airports], around a  dozen-plus times. I’ve been detained a number of times. The first time I  was actually detained by the Immigration and Customs Enforcement, I was  put into a special room, where they frisked me, put me up against the  wall. One guy cupped me in a particularly uncomfortable way. Another one  held my wrists. They took my cell phones. <strong>I’m not really actually able to talk about what happened to those next.</strong></span></p>
<p><span style="color: #ff0000;"><strong>AMY GOODMAN:</strong> Why?</span></p>
<p><span style="color: #ff0000;"><strong>JACOB APPELBAUM: Because we don’t live in a free country. And if I did, I guess I could tell you about it, right?</strong> And they took my laptop, but they gave it back. They were a little surprised it didn’t have a hard drive. I guess that threw them for a loop. And, you know, then they interrogated me, denied me access to a lawyer. And when they did the interrogation, they had a member of the U.S. Army, on American soil. And they refused to let me go. They tried—you know, they tried their usual scare tactics. So they sort of implied that if I didn’t make a deal with them, that I’d be sexually assaulted in prison, you know, which is the thing that they do these days as a method of punitive punishment, and they of course suggested that would happen.</span></p>
<p><span style="color: #ff0000;"><strong>AMY GOODMAN:</strong> How did they imply this?</span></p>
<p><span style="color: #ff0000;"><strong>JACOB APPELBAUM:</strong> Well, you know, they say, “You  know, computer hackers like to think they’re all tough. But really, when  it comes down to it, you don’t look like you’re going to do so good in  prison.” You know, that kind of stuff.</span></p>
<p><span style="color: #ff0000;"><strong>JUAN GONZALEZ:</strong> And what was the main thrust of the questions they were asking you?</span></p>
<p><span style="color: #ff0000;"><strong>JACOB APPELBAUM:</strong> <strong>Well, they wanted to know about my political views. They wanted to know about my work in any capacity as a journalist, actually, the notion that I could be in some way associated with Julian.</strong> They wanted, basically, to know any—</span></p>
<p><span style="color: #ff0000;"><strong>AMY GOODMAN:</strong> Julian Assange.</span></p>
<p><span style="color: #ff0000;"><strong>JACOB APPELBAUM:</strong> Julian Assange, the one and only. And they wanted—<strong>they  wanted, essentially, to ask me questions about the Iraq war, the Afghan  war, what I thought politically. They didn’t ask me anything about  terrorism. They didn’t ask me anything about smuggling or drugs or any  of the customs things that you would expect customs to be doing. They  didn’t ask me if I had anything to declare about taxes, for example, or  about importing things. They did it purely for political reasons and to  intimidate me, denied me a lawyer.</strong> They gave me water, but refused me a bathroom, to give you an idea about what they were doing.</span></p>
<p><span style="color: #ff0000;"><strong>AMY GOODMAN:</strong> What happened to your Twitter account?</span></p>
<p><span style="color: #ff0000;"><strong>JACOB APPELBAUM:</strong> Well, the U.S. government, as I  learned while I was in Iceland, actually, sent what’s called an  administrative subpoena, or a 2703(d) order. And this is, essentially,  less than a search warrant, and it asserts that you can get just the  metadata and that the third party really doesn’t have a standing to  challenge it, although in our case we were very lucky, in that we got to  have—Twitter actually did challenge it, which was really wonderful. And  we have been fighting this in court.</span></p>
<p><span style="color: #ff0000;">And without going into too much detail about the current court  proceedings, we lost a stay recently, which says that Twitter has to  give the data to the government. Twitter did, as I understand it,  produce that data, I was told. And that metadata actually paints—you  know, metadata and aggregate is content, and it paints a picture. So  that’s all the IP addresses I logged in from. It’s all of the, you know,  communications that are about my communications, which is Bill’s  specialty, and he can, I’m sure, talk about how dangerous that metadata  is.</span></p></blockquote>
<p style="padding-left: 60px;"><span style="color: #ff0000;">What Appelbaum is referring to is the fact that the Patriot Act has decreed that when the U.S. Government demands information about an individual — all without a search warrant — the party who receives the demand is <strong>criminally prohibited</strong> from discussing that demand. That’s why Appelbaum can be targeted with such intimidating, constant and chilling invasions without any allegation of wrongdoing: because the powers of the Surveillance State are exercised almost entirely in the dark. That’s what makes it so significant that two Democratic Senators have been warning for two years now that these powers are being exercised far beyond what the statute permits, far beyond what the public can even imagine, and that the Obama DOJ is lying about it.</span></p>
<p style="padding-left: 60px;"><span style="color: #ff0000;">The domestic NSA-led Surveillance State which Frank Church so  stridently warned about has obviously come to fruition. The way to avoid  its grip is simply to acquiesce to the nation’s most powerful factions,  to obediently remain within the permitted boundaries of political  discourse and activism. Accepting that bargain enables one to maintain  the delusion of freedom — “he who does not move does not notice his  chains,” observed Rosa Luxemburg — but the true measure of political  liberty is whether one is free to make a different choice.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/04/24/uk-government-seeks-to-increase-data-sharing-between-agencies-privacy-issues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Business Structures Pty Ltd v D&#8217;Amico (t/a D&#8217;Amico Steel Works) [2012] VSC 146 (20 April 2012): Application to set aside statutory demand, demand claimed sums in excess of judgment the subject of the demand with no accompanying affidavit &amp; Alda Constructions Pty Ltd v Car Parking Solutions Pty Ltd [2012] VSC 145 (20 April 2012): Application to set aside statutory demand pursuant to Section 459G, onus of establishing a genuine dispute.</title>
		<link>http://www.peteraclarke.com.au/2012/04/23/business-structures-pty-ltd-v-damico-ta-damico-steel-works-2012-vsc-146-20-april-2012-application-to-set-aside-statutory-demand-demand-claimed-sums-in-excess-of-judgment-the-subject-of-th/</link>
		<comments>http://www.peteraclarke.com.au/2012/04/23/business-structures-pty-ltd-v-damico-ta-damico-steel-works-2012-vsc-146-20-april-2012-application-to-set-aside-statutory-demand-demand-claimed-sums-in-excess-of-judgment-the-subject-of-th/#comments</comments>
		<pubDate>Mon, 23 Apr 2012 01:36:31 +0000</pubDate>
		<dc:creator>Peter Clarke</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[New South Wales Supreme Court]]></category>

		<guid isPermaLink="false">http://www.peteraclarke.com.au/?p=1906</guid>
		<description><![CDATA[Associate Justice Gardiner recently considered applications to set aside statutory demands in Business Structures Pty Ltd v D&#8217;Amico (t/a D&#8217;Amico Steel Works) [2012] VSC 146 and Alda Constructions Pty Ltd v Car Parking Solutions Pty Ltd [2012] VSC 145. Business Structures Pty Ltd v D&#8217;Amico (t/a D&#8217;Amico Steel Works) Facts The sum in the demand [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Associate Justice Gardiner recently considered applications to set aside statutory demands in <em><a href="http://www.austlii.edu.au/au/cases/vic/VSC/2012/146.html">Business Structures Pty Ltd v D&#8217;Amico (t/a D&#8217;Amico Steel Works) [2012] VSC 146</a></em> and <a href="http://www.austlii.edu.au/au/cases/vic/VSC/2012/145.html"><em>Alda Constructions Pty Ltd v Car Parking Solutions Pty Ltd</em> [2012] VSC 145.</a></p>
<h1 style="text-align: justify;"><span style="color: #0000ff;">Business Structures Pty Ltd v D&#8217;Amico (t/a D&#8217;Amico Steel Works)</span></h1>
<h2 style="text-align: justify;"><span style="color: #3366ff;">Facts</span></h2>
<p style="text-align: justify;">The sum in the demand comprised a judgment plus interest on the judgment.  The demand was not accompanied by an affidavit verifying it pursuant to section 459E(3) of the <em>Corporations</em> Act 2001.  A VCAT order, filed in the Magistrates’ Court pursuant to section 121 of the <em>Victorian Civil and Administrative Tribunal</em> Act 1998, is enforceable as a monetary order.  There was no genuine dispute that the sum the subject of the demand is due and payable <span style="color: #008000;">[5]</span>.</p>
<p style="text-align: justify;">The demand claimed interest from the day after VCAT made the order until the day that the statutory demand was issued.</p>
<h2 style="text-align: justify;"><span style="color: #3366ff;">Decision</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Had the demand been <span id="more-1906"></span>for a sum equivalent to that of the order, and that amount alone, there would have been no need to verify it by an accompanying affidavit.</span></p>
<p style="text-align: justify;">Because the demand claimed additional interest, and therefore made a demand for amounts in excess of the judgment, the absence of an affidavit made the demand fatally defective. The court referred to <a href="http://www.austlii.edu.au/au/cases/cth/FCA/2005/1424.html"><em>Anderson Formrite Pty Ltd v CASC Hire Pty Ltd</em></a> where Siopis J held a statutory demand to be invalid on the basis that the exemption from the requirement to accompany a statutory demand with a verifying affidavit was limited to circumstances where the statutory demand made an identical demand to the amount of the judgment debt <span style="color: #008000;">[9]</span>.</p>
<p style="text-align: justify;">In the circumstances the Court set aside the demand, at<span style="color: #008000;"> [11]</span>, stating:</p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">The statutory demand here clearly makes a demand for a sum in excess of the judgment filed in the Magistrates’ Court and it was not verified by an affidavit as required by </span><a href="http://www.austlii.edu.au/au/legis/cth/consol_act/ca2001172/s459e.html"><span style="color: #ff0000;">s 459E(3).</span></a><span style="color: #ff0000;"> In such circumstances, I consider that the statutory demand &#8230;.should be set aside. </span></p>
<h2 style="text-align: justify;"><span style="color: #3366ff;">Issue</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">The requirement of a verifying affidavit is almost ubiquitous with statutory demands. In this circumstance the fact that the demand was partly composed of a sum of interest, a small sum compared to the judgment sum, made the need for a verifying affidavit mandatory.</span></p>
<h1 style="text-align: justify;"><span style="color: #0000ff;">Alda Constructions Pty Ltd v Car Parking Solutions Pty Ltd</span></h1>
<h2 style="text-align: justify;"><span style="color: #3366ff;">Facts</span></h2>
<p style="text-align: justify;">Car Parking Solutions Pty Ltd (&#8220;Car Parking&#8221;) served a statutory demand for $49,720 pursuant to a contract for the supply and installation of a car stacker system <span style="color: #008000;">[2]</span>.  Alda Constructions Pty Ltd (&#8220;Alda&#8221;) is a builder involved in the development of apartments <span style="color: #008000;">[11]</span>.  The developer, Bay Road Pty Ltd (the &#8220;developer&#8221;), is under administration. Alda brought the application under section 459G claiming there was a genuine dispute between the parties in respect of the debt the subject of the demand <span style="color: #008000;">[3]</span>.</p>
<p style="text-align: justify;">Alda argued that the developer negotiated and was party to the contractual arrangements for the supply of the equipment and that Car Parking was aware that Alda was not involved in ordering equipment <span style="color: #008000;">[13]</span>. The overall purchase price was $248,600, payable in three instalments <span style="color: #008000;">[14]</span>. The demand related to the payment of the final instalment, $49,720.  Alda alleged that it became the subject of the demand only when the developer began to have financial difficulties. It claimed to have signed the order for the equipment at the request of the developer <span style="color: #008000;">[15]</span>. The other key document, a funding agreement, was executed by an officer of Alda and included as an attachment a copy of a letter of offer signed by an Alda director. Alda claimed that Car Parking was aware that the developer was and would be responsible for the costs associated with the order.  It also claimed that payment of the second instalment was made directly to Car Parking without Alda&#8217;s involvement and that Car Parking had undertaken all negotiations with the developer regarding the third instalment <span style="color: #008000;">[21]</span>.</p>
<p style="text-align: justify;">Alda sought to rely on an affidavit by the developer to the effect that it was liable for the debt. No reason for such an acceptance was given and there were no financial records exhibited to the affidavit. Car Parking alleged that the developer advised that the nominated builder was Alda and it subsequently received all of the invoices <span style="color: #008000;">[24]</span>.</p>
<h2 style="text-align: justify;"><span style="color: #3366ff;">Decision</span></h2>
<p style="text-align: justify;">His Honour undertook a review of the legal principles (at <span style="color: #008000;">[6]</span> – <span style="color: #008000;">[20]</span>) including:</p>
<ul style="text-align: justify;">
<li>a genuine dispute connotes a plausible contention requiring investigation involving much the same considerations as the &#8220;serious question to be tried&#8221; but not accepting uncritically every statement however equivocal, lacking in precision, or inherently improbable <span style="color: #008000;">[6]</span>.</li>
<li>for a genuine dispute to exist there must be bona fide and truly existing facts supporting the grounds for alleging its existence and it must not be spurious, hypothetical or misconceived <span style="color: #008000;">[8]</span>.</li>
<li>the plaintiff bears the onus of establishing a genuine dispute or offsetting claim <span style="color: #008000;">[7]</span>.</li>
<li>the task of the court is to decide whether there was a dispute or offsetting claim such as would warrant subsequent adjudication <span style="color: #008000;">[9]</span> but not to express an opinion which may embarrass any other court subsequently considering the matter <span style="color: #008000;">[10]</span>.</li>
</ul>
<p style="text-align: justify;">The court was critical of Alda relying upon an affidavit by the developer which did not provide a report as to the statement of affairs in the administration <span style="color: #008000;">[22]</span>. That document would have revealed either that the developer considered itself indebted to Car Parking or that it was indebted to Alda.  That would have been cogent evidence, certainly more useful than a mere assertion that the developer regarded itself liable for the debt. The court rejected the submissions that these issues should be considered at trial <span style="color: #008000;">[25]</span>.</p>
<p style="text-align: justify;">Gardiner AsJ considered the funding agreement in detail (see <span style="color: #008000;">[16]</span> &#8211; <span style="color: #008000;">[20]</span>, <span style="color: #008000;">[25]</span> and <span style="color: #008000;">[32] &#8211; [33]</span>) and the order form/building agreement (<span style="color: #008000;">[27]</span>).  On their face the documents identified Alda as the party with whom Car Parking was contracting.  Alda had the onus of establishing a genuine dispute <span style="color: #008000;">[29]</span>, but did not provide evidence to support a claim that Car Parking was aware that the principal contracting party was the developer and that the court should look beyond the documentation. The affidavit material in support of the application did not go beyond assertion when claiming that the developer was the party responsible for the debt.  That was not sufficient to establish a genuine dispute.  The court found, at <span style="color: #008000;">[35]</span>:</p>
<p style="text-align: justify; padding-left: 30px;"><span style="color: #ff0000;">&#8230;Alda, which bears the onus of establishing the existence of a genuine dispute, has not, on the evidence, established that there is a plausible contention requiring further investigation such as to warrant the demand being set aside.  My view in that regard is influenced by the contemporaneous documentation, in particular the Letter of Offer signed by Mr Webberley and the tax invoices generated pursuant to it without complaint.  It is also supported by the recitals and the terms of the deed which are referred to above.</span></p>
<p style="text-align: justify;">The court criticised Alda for failing to explain, in its responding affidavit, how it was that it received invoices for the work done by Car Parking without demur. The fact that the first two payments under the letter of offer were funded by the developer was not relevant in identifying the contracting parties and who was ultimately liable to make payments <span style="color: #008000;">[34]</span>.</p>
<h2 style="text-align: justify;"><span style="color: #3366ff;">Issue</span></h2>
<p style="text-align: justify;">This decision is significant in showing that it is not sufficient to assert that the relationship evidenced in key documents did not represent the legal relationship or the obligations of the debtor.  The court found that the documents clearly identified the debtor as the contracting party and that the terms of the documents established the liability.  The applicant&#8217;s affidavit assertion that the documents did not reflect the correct position, without substantive evidence to support that contention, failed to meet the relatively low threshold for establishing a genuine dispute.  The developer&#8217;s affidavit may have been decisive if its financial records had revealed a liability for the sum in question.  That record would have been prepared by an administrator who had no interest in the proceedings.  In those circumstances the weight accorded to such a document may have been significant.  His Honour certainly made it clear that it would have had strong probative value.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.peteraclarke.com.au/2012/04/23/business-structures-pty-ltd-v-damico-ta-damico-steel-works-2012-vsc-146-20-april-2012-application-to-set-aside-statutory-demand-demand-claimed-sums-in-excess-of-judgment-the-subject-of-th/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

