Bank of Scotland receives £75,000 penalty after customers’ accounts details repeatedly faxed to wrong recipients

August 9, 2013

The Information Commissioner’s Office has served the Bank of Scotland with a monetary penalty for wrongly and repeatedly faxing personal information to unintended recipients.

The penalty notice relevantly provides (found here):

Bank of Scotland plc is the data controller, as defined in section 1(1) of the Data Protection Act 1998 (the “Act”), in respect of the processing of personal data carried on by Bank of Scotland plc and is referred to in this notice as the “data controller”. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is the data controller.

The Act came into force on 1 March 2000 and repealed the Data Protection Act 1984 (the “1984 Act”). By virtue of section 6(1) of the Act, the office of the Data Protection Registrar originally established by section 3(1)(a) of the 1984 Act became known as the Data Protection Commissioner. From 30 January 2001, by virtue of section 18(1) of the Freedom of Information Act 2000, the Data Protection Commissioner became known instead as the Information Commissioner (the “Commissioner”).

Under sections 55A and 55B

Best privacy Apps

Background Checks has listed the best apps to protect one’s mobile device. The post is found

Privacy Commissioner releases guidelines for external dispute resolution schemes under section 35A of the Privacy Act 1988

August 8, 2013

Last week, on 1 August, the Office of the Information Commissioner commenced the consultation process for the Guidelines for recognising external dispute resolution schemes under section 35A of the Privacy Act 1988. The Privacy Commissioner’s post online is found here. The consultation process closes on 30 August 2013.

The draft guidelines relevantly provide as follows:

Key messages

  1. In developing these guidelines, the Information Commissioner acknowledges the expertise and experience of existing industry external dispute resolution (EDR) schemes, and the important role these schemes play alongside the Office of the Australian Information Commissioner (OAIC) in relation to privacy complaint handling.
  2. The Information Commissioner also acknowledges that there are a range of existing recognition mechanisms for those schemes, and the importance of not unduly burdening existing schemes where their existing recognition mechanism generally covers the same matters required by the Privacy Act 1988 (the Privacy Act) for recognition.
  3. Recognition of an EDR scheme is undertaken by the Information Commissioner under s 35A of the Privacy Act. EDR schemes must demonstrate their accessibility, independence, fairness, accountability, efficiency and effectiveness to be recognised by the Information Commissioner. The recognition requirements, as set out in s35A, are based on the Benchmarks for Industry Based Customer Dispute Resolution Schemes developed in 1997 by the then Australian Government Department of Industry, Science and Tourism. Most existing EDR schemes are required to, or do, design their operations in accordance with these benchmarks.
  4. To be recognised under the Privacy Act, EDR schemes should also meet additional requirements in relation to privacy-related complaints. In most cases existing schemes handling privacy complaints will already be meeting most of these additional requirements.
  5. Additional requirements for recognition of an EDR scheme under the Privacy Act involve accountability, reporting and regular reviews. Again, most existing schemes will already be subject to similar requirements from their existing recognition mechanism. Wherever possible these existing requirements can be utilised by existing schemes in relation to the requirements under these guidelines. Some additional supplementary requirements may be required for ongoing Privacy Act recognition.
  6. The detail in these guidelines should generally assist a proposed new EDR scheme which is not already recognised under another recognition scheme, and/or does not have a statutory basis for their operation, in seeking recognition under the Privacy Act to understand the full extent of what is required for initial and ongoing recognition.

Part 1 – Purpose and objectives of the guidelines

The purpose of these guidelines

1.1 The Office of the Australian Information Commissioner (OAIC) developed these guidelines to assist external dispute resolution (EDR) schemes to understand:

Age journalists apologise for unauthorised access to ALP database

August 6, 2013

Today three journalists, Royce Millar, Nick McKenzie and Ben Schneiders, have penned a letter of apology on page 2 of the Age. It is found here. The Herald Sun reported (no doubt very reluctantly) on the three having their cases diverted, so that they were released without conviction and on a good behaviour bond of 12 months.

The apology provides:

In November 2010, while researching a story for The Age newspaper, we the undersigned journalists accessed the ALP’s Electrac database without authorisation.

The focus of the story, published on 23 November 2010, was upon databases maintained by political parties, which contain private information concerning voters, and how that information is used for election campaigning. The Electrac database is such a database. Other political parties have similar databases.

We were able to access Electrac through the use of passwords provided to one of the undersigned. We accept that we did not have authorisation

Federal Trade Commission obtains orders halting debt collection operation which violated consumers’ privacy

August 2, 2013

The Federal Trade Commission in Federal Trade Commission, Plaintiff v. Asset & Capital Management Group & ors obtained a restraining order against defendants using illegal practices against consumers, including interfering with their privacy. The orders are found here.

The Federal Trade Commission’s press release, At FTC’s Request, Court Orders Halt to Debt Collector’s Illegal Practices, Freezes Assets, relevantly provides:

At the request of the Federal Trade Commission, a U.S. district court has halted a debt collection operation that allegedly extorted payments from consumers by using false threats of lawsuits and calculated campaigns to embarrass consumers by unlawfully communicating with family members, friends, and coworkers. The court order stops the illegal conduct, freezes the operation’s assets, and appoints a temporary receiver to take over the defendants’ business while the FTC moves forward with the case.

The lawsuit