Draft Guidelines for APPs 6 – 11 released for consultation today

September 20, 2013

The Australian Privacy Commissioner has released its draft guidelines regarding APPs 6 – 11 for consultation.  Consultation is open until 21 October 2013.  They are found here.

I have extracted the draft guidelines below, absent indexes and footnotes.

 

Australian Privacy Principle 6 – use or disclosure of personal information

 Key points

  • APP 6 outlines when an APP entity may use or disclose personal information.
  • An APP entity can only use or disclose personal information for the particular purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.
  • The exceptions include where:
    • the individual has consented to a secondary use or disclosure
    • the individual would reasonably expect the APP entity to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose
    • the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order
    • a permitted general situation exists in relation to the secondary use or disclosure
    • the APP entity is an organisation and a permitted health situation exists in relation to the secondary use or disclosure
    • the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, or
    • the APP entity is an agency (other than an enforcement body) and discloses biometric information or biometric templates to an enforcement body, and the disclosure is conducted in accordance with guidelines made by the Information Commissioner for the purposes of APP 6.3.

What does APP 6 say?

6.1 APP 6 outlines when an APP entity may use or disclose personal information. The intent Read the rest of this entry »

Medical photo privacy breaches

The Fairfax press and the ABC have reported on the disturbing practice of doctors and nurses using cameras to take photos of their handiwork without getting consent of their patients or properly protecting the photos.

The ABC report provides:

ELIZABETH JACKSON: For years doctors have taken photos of their patients’ ailments for their records, but now doctors are being warned against the use of smart phones for this purpose.

New Australian research has found doctors and nurses are increasingly using smart phones to take photos, but those digital photos are at risk of ending up in the wrong hands.

Samantha Donovan reports.

SAMANTHA DONOVAN: Most of us like to be looking our best in photos.

But doctors and nurses capture images of patients at their worst, mainly to keep on file or for teaching purposes.

The patient is often in surgery under anaesthetic.

Researchers at RMIT (Royal Melbourne Institute of Technology) University and the Menzies School of Health Research have just published a paper examining medical photography practices in 13 wards of one hospital.

The chief executive of the Australian Health Care and Hospitals Association, Alison Verhoeven, says hospitals are taking the emerging issue seriously.

ALISON VERHOEVEN: What they’ve found is that whereas in the past, a medical photographer might have been engaged to take clinical photos, now doctors and other clinicians are taking photos themselves, and they’re using their own mobile phones or digital cameras to do that.

SAMANTHA DONOVAN: The researchers found 48 per cent of medical staff took photos of their patients’ conditions when they thought it would be useful.

Most of them used hospital-owned cameras, Read the rest of this entry »

Verizon produces its 2013 Data Breach Investigations Report

September 15, 2013

Verizon has been producing a data breach report for the last 6 years.  It gives a good snapshot of the changing nature of breaches to data security and Read the rest of this entry »

Data breach involving personal data of Vodafone Germany’s customers

September 13, 2013

iTnews reports in ‘Vodafone Germany suffers server breach’ that a hacker has stolen personal data of about 2 million Vodafone customers.

It provides:

A hacker has stolen the names, addresses and bank account numbers of about 2 million Vodafone Germany customers who should beware that criminals may now try to elicit other information such as Read the rest of this entry »

Delays in dealing with complaints by Privacy Commissioner

The regulation and enforcement of privacy protection in Australia under the Privacy Act 1988 operates on a gatekeeper system. But for applications for injunctive relief under section 98, the Privacy Commissioner controls all aspects of complaints to do with interferences with privacy, including whether he will consider a complaint. An individual cannot bring an action under the Privacy Act or any other legislation alleging an interference with his or her personal information or breach of privacy. That is a severe failing in the system. But that is the system. Given the system as it stands, it is therefore incumbent upon either or both the Government to properly resource the Privacy Commissioner, so that he may fulfill his statutory functions and the Act can have force, or the Privacy Commissioner to become more efficient. The Sydney Morning Herald, in ‘Long delays before privacy complaints assessed’, reports on the delay in dealing with complaints.

What is clear is that Read the rest of this entry »

Pharmacy in Canberra dumps the medical records

September 12, 2013

The Canberra Times reports in ‘Pharmacy sorry after records found at recycling centre’ on the dumping of hundreds of private medical records at a recycling centre in the Australian Capital Territory. Just on the known and admitted facts it is an egregious interference with individuals’ privacy.

The article provides:

A Jamison pharmacy has apologised for accidentally dumping hundreds of private medical records, including cancelled and out-of-date prescriptions, at a recycling depot earlier this week.

A Territory and Municipal Services officer was sent to the Belconnen Resource Management Centre on Monday night following a report that prescription medication had been found at the site.

The TAMS officer who inspected the centre’s recycling cage did not find any medication but discovered a box of medical records containing hundreds of private details.

A TAMS spokesperson said the officer left the box of papers in the recycling cage “with the understanding that it would be recycled with the rest of the paper”.

The recycling cage was emptied on Tuesday morning and the contents taken to the Mugga Lane Resource Management Centre.

The documents from the Amcal Pharmacy in Jamison were incorrectly disposed of, the Pharmacy Guild of Australia said.

“It appears that Read the rest of this entry »

Four Corners puts a spotlight on privacy with its program, In Google we trust.

September 11, 2013

Monday’s Four Corners is not the first to highlight the impact on individuals’ privacy of the widespread use of tracking devices and data mining. But it is an excellent introduction to the problem, using real people doing ordinary activities. It is worth a view here.

The transcript of the program provides:

KERRY O’BRIEN, PRESENTER: Digital age, welcome to Four Corners.

It’s hardly news in this era of information rich technology that privacy is gradually being eroded, or that our digital profiles are being Read the rest of this entry »

Australian Business Spectator highlights impact of impending changes to Commonwealth privacy regulation

Privacy practitioners, legal or otherwise, know that the impact of the amendments to the Privacy Act 1988 when they take effect on 12 March 2014 will be significant for many organisations. From that date the Privacy Commissioner will have considerable powers regarding breaches of the Privacy Act, including civil penalty proceedings in the Federal Court for serious interference with personal information. There has been some reportage of the impending changes but my observation is that many organisations have not properly understood their significance, the work required for many of them to become compliant and the consequences of not being compliant with the Act. In today’s Australian Business Spectator there is a very good article, ‘A rude privacy shock on the horizon’, on the impending change to the privacy regulatory regime and the lack of preparedness by many in the business community. It is found here. The Business Spectator is not given to wild speculation.

The article provides:

Australia’s about to get tougher new privacy laws. Businesses were given a year’s notice, but with half that time already gone, many haven’t even started thinking about it. They could be in for a rude shock — including fines of up to $1.7 million if they get it wrong.

Privacy experts have always said Read the rest of this entry »

Australian Privacy Principles and encryption

September 10, 2013

Australian Privacy Principle 11 requires an organisation or agency to “… take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss and from unauthorised access, modification or disclosure.” Encryption has been one of the key means of protecting data, both in situ and, especially, in transit to another location.

In the Privacy Commissioner’s guidelines to data security he defines encryption as:

Encryption
Encryption is Read the rest of this entry »

The 7.30 program does a story on Google’s breach of privacy

September 9, 2013

Last week the 7.30 program did a piece on Google and privacy. Or the lack of it with Google. Google has had a long and inglorious tradition of preferring data harvesting over privacy considerations. This story was caught Read the rest of this entry »