October 30, 2020
Today the Attorney General announced a(nother) review of the Privacy Act 1988. That was part of a response to the ACCC’s Digital Platforms Inquiry. In doing so he released an 89 page Issues Paper.
The media release provides:
The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act).
The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.
These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements.
The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.
“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.
“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”
A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.
The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website. Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
October 21, 2020
Universities are prime targets for cyber attack as well as just poor data handling. In the former category the Australian National University suffered a massive and prolonged data breach over 2018/2019 caused by overseas actors, probably Chinese (my post here) while more recently the University of Tasmania had a significant data breach involving over 19,000 names through incompetent data protection (my post here).
Today the Victorian Privacy and Data Protection Deputy Commissioner commences an examination of how Victorian universities protect personal information. The press release Read the rest of this entry »
Posted in General, Privacy
New Zealand has come even later to mandatory data breach reporting. Its legislation comes into effect on 1 December 2020. The New Zealand Privacy Act 2020 is, like Australia’s, far from the gold standard. But New Zealand does have a tort of interference with privacy which puts it well ahead of Australia.
Determining whether a data breach is notifiable can be a difficult weighing exercise under both the Australian and New Zealand legislation. Both Acts use serious harm as a threshold but provide no definition of what that is. In the New Zealand Act the process involves considering quite general factors in section 113, which provides:
Assessment of likelihood of serious harm being caused by privacy breach
When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:
(a) any action taken by the agency to reduce the risk of harm following the breach:
(b) whether the personal information is sensitive in nature:
(c) the nature of the harm that may be caused to affected individuals:
(d) the person or body that has obtained or may obtain personal information as a result of the breach (if known):
(e) whether the personal information is protected by a security measure:
(f) any other relevant matters.
Mandatory data breach notification is a complicated process. The Privacy Commissioner has Read the rest of this entry »
Posted in Privacy
The US National Security Agency prefers staying in the shadows. It is therefore notable that it has issued a very public cybersecurity advisory highlighting vulnerabilities Chinese hackers are using as part of their cyber attacks.
The advisory Read the rest of this entry »
Posted in General
The weakness of the internet of things to hacking has long been known. That doesn’t mean it has been dealt with adequately. The common problem is access to those devices through inadequate security or weak passwords from third parties. A recent BBC article How smart devices are exploited for domestic abuse demonstrates how the internet of things can be used to track and terrorise.
A machine or application is in and of itself neither evil nor good. It has no value. It provides a service or performs a function. As the article makes clear, features designed to assist, such as a doorbell camera, can be used by partners or ex partners to surveil. Family apps, which I find creepy, are designed to monitor children’s safety. But the data can be relayed to Read the rest of this entry »
Posted in Privacy
October 20, 2020
In Yuanda Vic Pty Ltd v Facade Designs International Pty Ltd [2020] VSCA 269 the Court of Appeal granted a stay of payment pending hearing of an appeal. It is an interesting and valuable decision because it is a comprehensive analysis of the principles associated with making a stay application. It is also notable because the application was successful, a difficult result to achieve normally.
FACTS
Under a supply and installation agreement dated 13 April 2018 (‘the Contract’), the respondent, (“Facade Designs”) agreed to instal façade elements manufactured and supplied by the applicant (“Yuanda”) as part of the construction of commercial and residential towers at 447 Collins Street known as ‘the Arch on Collins’ (‘the Project’) for the price of $14.5 million [5]. Facade Designs provided works from September 2018 until November 2019 when the Contract was terminated [6].
On 30 September 2019, Facade Designs provided a payment claim under s 14 of the Building and Construction Industry Security of Payment Act 2002 (‘the Act’) for $4,584,820.68 (inclusive of GST) (‘the Payment Claim’) [7]. Yuanda paid Facade Designs $1,115,455 (inclusive of GST) on 2 October 2019, reducing the amount claimed to $3,469,365.58 [8].
Yuanda failed to provide a payment schedule to the respondent within 10 business days of receiving the Payment Claim, as contemplated by s 15 of the Act [9]. Pursuant to s 15(4) Yuanda became liable to pay Facade Designs the amount claimed on 30 October 2019 [10]. The applicant failed to pay the amount claimed [11]. Facade Designs conceded some reductions and sought judgment pursuant to s 16(2)(a) of the Act [12].
The Court rejected Yuanda’s contention that:
(a) the Payment Claim was invalid because it did not sufficiently identify the construction work or related goods and services to which the progress payments related within the meaning of s 14(2)(c) of the Act and as a consequence it was not liable to pay the amount under s 15(4) of the Act (‘the Adequacy of the Payment Claim’); and
(b) the Payment Claim included excluded amounts within the meaning of s 14(3)(b) and pursuant to s 16(4)(a)(ii) of the Act.
In relation to the excluded amounts issue the court held that, in determining Read the rest of this entry »
Posted in Practice and Procedure, Victorian Court of Appeal
October 17, 2020
The UK Information Commissioner’s Office (“ICO”) has fined British Airways (BA) £20 million for a data breach in 2018. I did a post on it in September 2018. The ICO initially intended to fine BA nearly £184 million and made a statement in July 2019 to that effect in response to BA’s statement to the London Stock Exchange. The Commissioner decided to reduce the sum in light of the impact COVID 19 has had on BA’s business and finances.
As often happens, the regulator’s investigation into the cyber attack turned up multiple failings by BA, both in protecting its network and in detecting the attack. And that attack was both wide and deep in its penetration. Through the attack addresses of 244,000 customers were accessed, the credit card details with CVV numbers of 77,000 customers and credit card numbers Read the rest of this entry »
Posted in Privacy, UK Information Commissioner's Office
The cynical saying “don’t waste a good crisis” has found plenty of examples of unimpeded and inadequately scrutinised change by governments and businesses. Here there has been a solid level of support in governments doing the right thing. And generally less fractious argument between workers and employers. The feeling is, we are all in this right so the presumption is that commonweal trumps all, including individual rights. A dangerous mindset and one that leads to abuse which can be difficult to undo when the crisis passes as the technology is embedded into the workplace structure with little to no push back.
The phenomenon of employee monitoring is not a unique by-product of the COVID 19 lockdown and remote working. It has been a growing trend for some time. In 2018 Gartner produced a report, The Future of Employee Monitoring, where it found that in 2018 50% of companies surveyed used some form of non traditional monitoring techniques. The figure was 30% in 2015. Gartner predicted that number to be 80% this year. That prediction was done without factoring in the change in workplace arrangements with COVID 19. There has been a discernible effort by employers to use the technology available to monitor their workers’ output while working remotely coupled. A growing list of increasingly sophisticated surveillance tools has led to an ineffectively regulated and comprehensive means to surveil employees in their home. This is well described Read the rest of this entry »
Posted in Privacy
October 12, 2020
When the history of the COVID 19 pandemic is written the chapter on how governments and organisations respected individuals’ privacy will be grim reading. The way in which data was collected by businesses at venues was at best sloppy and often times almost criminally negligent. I gave up counting how many scraps of paper or, for some reason, children’s exercise books were left lying around with details of patrons in plain view. Some of the information sought went beyond names and contact details. Governments went overboard on tracking, to the point where Israel halted police phone tracking because the privacy intrusion was so great. The contact tracing app in Australia was oversold as an aid and seriously underperformed. It rarely features in any discussions by, well, pretty much anyone.
The Times reports in Contact-tracing data harvested from pubs and restaurants being sold on that data collected to assist contact tracing has been sold on by the establishments that collected that data. That is a blatant breach of Read the rest of this entry »
Posted in Privacy
October 8, 2020
Governments love data. All governments and for as long as there have been governments. The Assyrian empire as long ago as 2025 BC developed a bureaucracy and kept records about their subjects. The Romans took it to a new level with the census. And with every new age and development the collection has become more sophisticated. But there were always costs and inefficiencies in collecting, managing and using data. The East German authorities essentially drowned under the flood of information from informants and the obsessive surveillance of the Stasi. In the digital age collection, aggregation and use of masses of data has been simplified. And data can be used more effectively with enhanced computer power and algorithms. And the temptation to interfere with privacy while using data is a constant one for government agencies, especially those chasing revenue. As can be seen in the report The IRS Is Being Investigated for Using Location Data Without a Warrant which reports Read the rest of this entry »
Posted in General