Government releases exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020

May 5, 2020

The Commonwealth Attorney General’s Department has released an exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020.

The Attorney General’s media release provides:

The COVIDSafe app is a critical tool in helping our nation fight the COVID-19 pandemic.

With more than 4 million COVIDSafe registrations many Australian’s are already doing their part to help protect and save lives.

Attorney-General, Christian Porter, today released draft legislation which will codify the existing protections for individuals’ data collected by the COVIDSafe app that have been established in the Health Minister’s Biosecurity Act Determination.

The Privacy Amendment (Public Health Contact Information) Bill 2020, will reinforce the protections set out in the Determination made by the Minister for Health under the Biosecurity Act 2015on 25 April 2020, placing the protections into primary legislation through amendments to the Privacy Act 1988. Read the rest of this entry »

Proposal by Restaurant and Catering Australia to require those who don’t have the COVIDSafe tracking app to provide their personal details to staff at restaurants and cafes is silly, oppressive and down right dangerous.

May 4, 2020

In the 7 or so weeks of lock downs of varying degrees of intensity there has sprung up a strain of virtue signalling where intrepid souls have come up with more and more intrusive and frankly ridiculous ways of demonstrating how they are doing the right thing to beat the demon virus. That has commonly meant tormenting fellow Australians with petty displays of colonel blimpery. In its milder forms it is hyper compliance with social distancing. A particularly frantic employee at Haighs in Hawthorn nipping in between customers ensuring they do not move from x’s on the floor, scolding them when they took a foot wrong, and doing quick 1.5 m checks with out stretched arms is a favourite memory. It is a good time for those who harbour a petty beaurocrat in their soul.  In its more extreme forms it involves making up legislative prescriptions that just don’t exist.

But some proposals which try to be seen to do the right thing are not just petty and irritating they are down right dangerous and oppressive.  The proposal spruiked by Restaurant and Catering Australia CEO Wes Lambert to require Australian’s who don’t down load the COVIDSafe tracking app and who want to use a restaurant or cafe to give their personal information to the staff fits that description to a tee.  It may not constitute a technical breach of clause 8 of the Biosecurity (Human Biosecurity Emergency)(Human Coronavirus with Pandemix Potential) (Emergency Requirements – Public Health Contact Information Determination 2020 which prohibits coercising the use of COVIDSafe App but it is in breach of the spirit of that law. 

One can only hope that Wes Lambert was suffering temporary relevance deprivation syndrome which prompted him to advocate this breath takingly stupid, utterly unAustralian and pernicious proposal. 

The proposal is reported in the Australian article Coronavirus Australia: No app? Leave your name and number which Read the rest of this entry »

Victoria police suspends officer over leak of photographs of Laidley taken in police station. The response highlights the uneven and generally inadequate state of privacy protections even if the results head in the right direction.

It appears that occasionally the Victoria Police can respond quickly and appropriately to privacy breaches. The ABC reports that a senior constable who took the photographs of Dean Laidley while in custody and being processed has been suspended and is likely to be charged with an offence under the Victoria Police Act 2013.  Deputy Commissioner Patton did not identify what provision of the Act the senior constable might be charged under but it may be under one of section 226227 or 228.     

The ABC Report provides:

Victoria Police has suspended an officer over an “appalling” privacy breach after he allegedly shared unauthorised images of former AFL coach Dean Laidley in custody inside a police station. Read the rest of this entry »

Police photographs of Dean Laidley and photographs taken inside police station a significant data breach and invasion of his privacy.

The arrest and charging of Dean Laidley for what has been described as stalking is a matter of public record.  He appeared before the Melbourne Magistrates Court and was remanded.  As no suppression or pseudonomysation orders  were made those details can be reported. 

However photographs police take of those charged are not public documents.  They are taken for the purpose of properly recording the processing of a person into custody.  Their purpose does not extend to providing colour to a story.  Further, other photographs taken in a police station of a suspect or a person charged are not for public consumption. Frankly there is no good reason for taking other still photographs. 

It is then appalling to see that the Herald Sun has Read the rest of this entry »

Home affairs data breach exposes data of 700,000

Another depressingly familiar data breach involving the Federal Government’s handling of personal information.  This time the Guardian reports the breach involving access to personal details of 774,000 migrants and applicants.  In this case the breach involved the inadvertent display through the SkillsSelect platform of those who expressed an interest in migrating to Australia.  The defect in the platform’s operation permits someone accessing details of a persons age, qualifications and marital status as well as other information. 

What is interesting is that the information dates back to 2014.  According to the Guardian story expressions of interest are stored for 2 years.  Yet the database includes information stretching back 6 years.  That in itself is a concern. 

It will be interesting to see if Read the rest of this entry »

Group complaint lodged with the Information Commissioner against Optus for data breach involving 50,000 customers in October 2019

April 27, 2020

Lawyers weekly has just reported that Maurice Blackburn has made a representative complaint against  arising out of a data breach in October 2019. It is the first representative complaint made under the Privacy Act 1988.  It seems 2020 is proving to be an active year for use of the Privacy Act with the Commissioner commencing civil penalty proceedings, for the first time, and now this representative complaint.

Maurie Blackburn describes the complaint as Read the rest of this entry »

Australian Information Commission v Facebook Inc [2020] FCA 531 (22 April 2020): application for service outside of Australia, the Commissioner’s prima facie case. The opening round in the first civil proceeding for breach of the Privacy Act by the Commissioner

April 26, 2020

On 23 April 2020 in  Australian Information Commission v Facebook Inc the Australian Information Commissioner successfully obtained interim suppression and non publication orders and orders to serve outside Australia and substituted service against Facebook Inc.

This is the first of what is likely Read the rest of this entry »

Another email bungle, privacy breach involving names, addresses and birthdates

April 23, 2020

The Guardian reports on another email bungle resulting in a significant privacy breach, this time by the Australian Traffic Network.   In an email an operator at the Australian Traffic Network sent out a document containing personal information of more than a 100 current and former staff as part of an internal email to existing staff.  An email was originally sent on Monday to staff asking about eligibility for the jobkeeper payment.  A follow up the next day was the data breach as it contained a table of staff names with their addresses and dates of birth.  It provoked concern within the organisation, little wonder given Read the rest of this entry »

Santin v Sfameni [2020] VSC 26 (7 February 2020); application to restrain solicitor, whether solicitor material witness, misuse of confidential information

April 5, 2020

The latest decision at the superior court level in Victoria dealing with restraint application is Santin v Sfameni [2020] VSC 26.  That judgement considers a case in which I appeared for the, unsuccessful, applicant, Pinnacle Living Pty Ltd v Elusive Image Pty Ltd [2006] VSC 202


The dramatis personae are:

  • Emilio Santin (“Emilio”), who died on 2 March 2017 [1].
  • Rosanna Sfameni (“Rosanna”), Emilio’s daughter and executor of his estate [1].
  • Carlo Santin (“Carlo”) and Bruno Santin (“Bruno”), Emilio’s sons and residuary beneficiaries under his last will dated 23 September 2011 [1].
  • Carlo and Bruno are represented by a solicitor, John Whelan (“Whelan”) [3].
  • Whelan acted for Emilio between about September 2015 and January 2017 [3].

Carlo and Bruno commenced proceedings seeking order that Rosanna be removed as executor and trustee of their father’s estate [2].

Rosanna  applied to restrain Whelan from continuing to act for Carlo and Bruno on the bases that:

  • Whelan formerly acted for the deceased; and
  • is likely to be a material witness in relation to contested issues [3].

The loan

Rosanna and her husband, Salvatore (Sam) Sfameni lent Emilio $473,385. They were the mortgagees of a mortgage registered by Rosanna on 29 September 2011 as security for that loan [7].  The loan was used to Read the rest of this entry »

Significant data breach at the Federal Court of Australia revealing names of protection visa applicants

March 31, 2020

It was serendipitous that last Wednesday I presented a paper, via Zoom, at a Legalwise Seminar on Data Breaches: How to Respond, Notify and Remedy  given today’s report that there has been a significant data breach by the Federal Court, an agency for the purposes of the Privacy Act 1988.  The, to use the Federal Court’s spokesman’s description, “major systemic failure” involved the searchable database permitting the identity of 400 asylum seekers being disclosable. 

This breach would fall within Part IIIC of the Privacy Act 1988, the mandatory data breach notification regime. Going through the process would require an assessment of the breach, a determination as to whether the breach is likely to cause serious harm and, if so, the means of notifying the affected individuals.  Based on the ABC report of the breach there would be legal and practical issues to address with each step.  As to the assessment process it is concerning that Read the rest of this entry »