July 16, 2014
There is a red-faced court reporter in Ohio at the moment. The hapless person lost a laptop computer and USB stick from an office inside the Summit County Courthouse, as reported in Laptop with sensitive information stolen from Summit County Courthouse.
Losing computers and flash drives is a moment of annoyance and possibly a hit to the wallet. It gets more serious when the devices contain sensitive information about ongoing court cases. Then it is a serious privacy breach.
Portable devices are notorious weak points in data security and Read the rest of this entry »
Posted in Privacy
July 15, 2014
Anonymous communication is an important feature of the internet. It finds little favour with older users and organisations. But APP 8 of the Privacy Act makes it clear that except where the exceptions apply (and they can be broad ranging in some areas) an individual should have the right to communicate anonymously or pseudonymously.
Apps are notoriously dangerous from a privacy perspective. The security architecture is often weak and the means by which they transfer data insecure, with poor privacy policies, let alone protocols, programs and training to deal with privacy breaches.
It is then curious that a company called Secret has developed an app to let users post messages anonymously, even on Facebook, as reported in Secret, an app for posting anonymously lets users tap into Facebook. Of course, as with many apps, the price for using the product for free is Read the rest of this entry »
Posted in Privacy
A constant problem in the digital age is deleting data stored on digital devices. Computers, photocopiers, scanners, printers and smart phones have, to a greater and lesser extent, storage capacity. They are devices that are readily turned over, sometimes for resale. Personal information stored on those devices is as much the responsibility of an organisation if it is covered by the Privacy Act or state legislation. Documents are Read the rest of this entry »
Posted in Privacy
The current edition of the Economist has a special report on cybersecurity. For those practising in privacy law it should be mandatory reading. It gives a brilliant synopsis (as the Economist can do so well) of the key issues and future developments. For those just interested in cyber security it should also be mandatory reading.
In the series of articles:
Posted in General, Privacy
The Privacy Commissioner has conducted an own motion investigation into Pound Road Medical Centre. The investigation applied the Privacy Act as it stood prior to the amendments taking effect on 12 March 2014.
FACTS
On 23 November 2013, a shed located at 16 Amberley Park Drive, Narre Warren South was broken into. There were boxes of medical records located in a locked shed. During the break-in the boxes, and therefore the documents, were compromised. The medical records were created when PRMC operated as a medical centre at the site. PRMC ceased operating the medical practice at the site from 6 April 2011, and since this date has conducted its practice from new premises.
In about October 2012, the records were transferred from a locked room inside the site to the shed so that renovations for sale of the site could occur. The shed door was locked with three padlocks. PRMC believed that all the paper-based health records stored at the site were transferred to a locked store at its new premises.
A representative from PRMC initially visited the site two to three times a week and later once a week for purposes of maintenance, repairs and renovations to prepare the site for sale.
The Office of the Australian Information Commissioner (OAIC) was notified that there were boxes of unsecured medical records at the site on 25 November 2013.
The personal information compromised in the data breach consisted of:
- patients’ ‘identifying particulars’, Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
July 14, 2014
The House of Representatives Standing Committee on Social Policy and Legal Affairs has handed down the report Eyes in the Sky, based on its inquiry into drone technology. It is a comprehensive report which makes some very useful and sensible recommendations, including Recommendation 3, which recommends legislation which provides protection against privacy invasive technologies. It goes further and recommends creating a tort of serious invasion of privacy. It is the latest in a long line of committees and Commissions to come to the conclusion, the inevitable logical conclusion, that there is a serious gap in Australia’s legal protections and a tort of privacy is required to fill that gap. Governments of both persuasions have avoided, ignored or just plain danced on the spot on the issue and abrogated their responsibilities. But the technology develops apace and the issue looms large as a practical problem for more than academics.
The Committee’s press release provides:
New privacy laws might be needed Read the rest of this entry »
Posted in Privacy
July 13, 2014
On the human side of data security maintaining strong passwords is a continuous challenge. As Wired reports on How to Teach Humans to Remember Really Complex Passwords the use of “password” is depressingly common. As is “qwerty.” A recipe for disaster. The Wired article reports on an experiment that will be held to teach people to remember complicated passwords and passphrases. That is one key way of minimising the chance of hacking. Long string almost randomised passwords cost hackers Read the rest of this entry »
Posted in Privacy
July 10, 2014
Two pieces in the New Zealand paper Business Day, Vodafone privacy breach ‘serious’ and Vodafone alerts privacy watchdog, report on a serious privacy breach on the Vodafone network, this time by use of a master password to access private customer information. Curiously, a customer identified the breach and notified Vodafone when he found he could access other private customer information. It is a structural issue in the password system and data storage. Very embarrassing, and it highlights the need to have a comprehensive and reviewable password system.
The Vodafone privacy breach article provides:
Vodafone is experiencing a serious privacy breach – people with a master password are able to access private customer information, including credit card details.
The loophole was discovered Read the rest of this entry »
Posted in Privacy
July 8, 2014
The New South Wales Police Commissioner recently raised the hoary old chestnut that we face a stark and of course immutable dichotomy – privacy or security. That is captured in the Sydney Morning Herald article Time to trade privacy for safety, says NSW Police Commissioner. The context is the police and security services' demands for, if not obsession with, expanded data retention laws. The starting point is that it is not logical. There can be both privacy and security. It is not one or the other. It would be wrong to only criticise the police for this utterly wrong headed nonsensical simplifying of what is a far more complex and Read the rest of this entry »
Posted in Privacy
July 7, 2014
Apps are notorious for having minimal privacy protections and lousy to non-existent privacy policies, while being an excellent source of data leakage for hackers. Privacy regulators have been focusing on privacy issues with apps in the recent past. Breach of data security or loss of data through an app is just as much a breach of the Privacy Act at the Commonwealth level or the Victorian Information Privacy Act as if it was lost on the street or via a hacking attack online. Apps are becoming a necessary feature of service delivery for government agencies and organisations.
The findings, found here, provide:
Twenty-seven participating data protection authorities from around the world undertook a coordinated exercise to examine privacy protections and related issues raised by apps. Some of the issues considered were: whether consumers are clearly informed about the types of personal information an app collects and uses; why that data is needed; and how many apps collect information way beyond what is actually needed for an app’s functionality.
Privacy Victoria examined 64 mobile apps developed by Victorian public sector organisations. Each organisation has now been Read the rest of this entry »
Posted in Privacy