Significant privacy breach at Strathmore Secondary College … including access to health and medication data

August 23, 2018

Yesterday there was a very significant privacy breach at a Victorian school, Strathmore Secondary College, involving the release of health information of students, including mental health conditions, medications and learning and behavioural difficulties. It is reported in the Guardian and SBS, among others. The exposure of 300 students' records on the school's intranet was likely the result of human error. That bespeaks very ordinary privacy training and controls, which is not uncommon.

These events provide a useful application of how the privacy legislation in Victoria may work for those who are affected by the breach. Under the Privacy and Data Protection Act 2014 those affected by

Enhancing Online Safety (Non-consensual Sharing of Intimate Images) Bill 2018 passed into law

August 22, 2018

The Government has amended the Broadcasting and Enhancing Online Safety Act 2015 by giving the eSafety Commissioner powers to seek civil and criminal penalties to deal with image-based abuse, mainly revenge porn in practical terms. The civil penalties apply for failing to remove images, and criminal penalties for transmitting private sexual material or if there have been 3 civil penalty orders made against a person.

In principle the laws are welcome. In practice it really depends on the vigour of the eSafety Commissioner. Australia has a poor reputation in regulating privacy-infringing behaviour. The amendments themselves highlight a very process-laden means of achieving a legislative end. It

What is more than passing strange is that for all of these amendments the Government has not provided individuals with the power to take enforceable action relating to an interference with their privacy, either under the Enhancing Online Safety or the Broadcasting Acts. Everything must be channelled through the eSafety Commissioner. That might work for some or many people, but others may wish to take steps themselves, such as obtaining compensation as well as taking down the images. It is a somewhat patronising omission. It is also the triumph of bureaucracy over the freedom of the individual to take action in their own right.

A statutory cause of action for interference with privacy is the simple and straightforward way of giving individuals a right to take action. This has been suggested for many years, but most formally by the Australian Law Reform Commission in 2008 and again in 2011. It has been emphatically rejected by the current government and ignored by the previous government. In short, there has been a bipartisan policy failure in this area.

Amendments to the My Health (Strengthening Privacy) Bill 2018 introduced and read for a first time

The Federal Government introduced the My Health Records Amendment (Strengthening Privacy) Bill 2018 today.

It is very much a patch-like amendment to the Act, inserting a

Australian Government appoints Information and Privacy Commissioner

August 19, 2018

The work of the Information and Privacy Commissioner continues to not go on. But the Government has appointed a permanent successor to the previous Commissioner, Timothy Pilgrim. The Interim Information Commissioner and Privacy Commissioner, Angelene Falk, has been appointed

The UK Information Commissioner fines data broking company 140,000 pounds for selling personal information to a marketing company affiliated to UK Labour

August 12, 2018

The UK Information Commissioner has taken strong action in the form of a Monetary Penalty Notice of £140,000 for the on-selling of personal information of one million people from Emma's Diary, which provides advice on pregnancy and childcare, to Experian Marketing Services, which is used by the Labour Party. That information was used to build a database to profile new mums during the 2017 General Election. The key with data for political parties is that it allows them to micro-target voters with carefully structured messages.

Under both UK and Australian privacy legislation, personal information collected for one purpose cannot be disclosed to a third party for another purpose unless one of the exceptions applies.

The actions by Emma's Diary were particularly cynical given

Privacy breach in New South Wales resulting in 1,000 medical records involving 400 patients of Aged Care Facility

August 5, 2018

A problem which predates the My Health Records Act is the poor state of data security in the health sector. It is a chronic problem. The extent of the problem is highlighted by the discovery of 1,000 medical records relating to 400 patients of an aged care centre found in a building in South Sydney, and 7,000 patient records exposed online at South Australia's Women's and Children's Hospital.

The Hong Kong Department of Health was recently hit with a ransomware attack. And in Nova Scotia the Privacy Commissioner has investigated a privacy breach by a pharmacist employed by a large pharmacy chain who viewed the private medical records of 46 people who were not that person's patients, including a child who was a friend of her child, that child's parents, friends and

The Government agrees to amend My Health Records Act and provide greater privacy protections. It would be better to ditch the legislation entirely.

July 31, 2018

The My Health Records Act 2012 is a dreadful piece of legislation. Privacy professionals have known this for some time. They have been saying it for some time. While the system involved voluntary placement of records onto the system, the Government could avoid grumblings from various groups. The Privacy Commissioner was on an extended tea break on the issue. Nothing new there. So the legislation was untouched, and the agency responsible for its management, the ADHA, filled in forms, ignored complaints and generally kept a low profile.

Then the opt-out provisions came into effect and various commentators "discovered" the privacy-invasive aspects of the system. Janet Albrechtsen took up the cudgels, as did Peter van Onselen at News Ltd. Similar negative treatment came from

The Office of Information Commissioner releases the Notifiable Data Breaches Quarterly Report for 1 April – 30 June 2018

The Australian Information Commissioner has released another quarterly report of notified data breaches. It has grown into a 33-page document from its humbler beginnings of a single page. At the outset it is relevant to note that these figures are not the last word on actual data breaches. There is a balancing act organisations go through before deciding to notify. That is a weakness in the legislation. There is also likely to be some non-compliance with the legislation. Finally, many organisations are not subject to the operation of the Privacy Act and therefore will not notify because they do not have to. That said, it is a valuable report.

Putting the issue of data breaches in its broader context, IT Governance has calculated that there were data breaches and cyber attacks in July 2018 which resulted in unauthorised access to 139,731,894 records. Health records were a significant percentage of the records affected.

In the quarter there were 242 notifications, compared to 63 in the previous quarter, which were

UK Information Commissioner hits Independent Inquiry into Child Sexual Abuse with a 200,000 pound fine for major data breach

July 30, 2018

As if the victims hadn't suffered enough. The Independent Inquiry into Child Sexual Abuse suffered a major data breach, of the all-too-common own-goal variety. A staff member sent an open email to 90 victims of sexual abuse, thereby allowing each person to identify the email addresses of the others. Most of the email addresses included the full name of the recipient. Given the nature of the inquiry and the sensitivity of at least some of the recipients, it was a dreadful and entirely avoidable error. The Inquiry released personal information without consent.

Under the Monetary Penalty Notice the contravention was

Facebook privacy woes continue with the UK Information Commissioner

July 11, 2018

Another case of compare and contrast between privacy regulators. In the UK the Information Commissioner's Office has announced the findings of its investigation into the use of personal information provided to Facebook by Cambridge Analytica. The size of the breach of the Data Protection Act is enormous, involving up to 87 million users worldwide. The UK Information Commissioner commenced its investigation into Facebook in February. It now announces its intention to fine Facebook a maximum of £500,000 as well as