Medibank saga reveals that personal information of those who inquired about but did not obtain private health cover from Medibank was accessed in the data breach. Real questions over data minimisation policies of Medibank

January 24, 2023

The lesson from overseas is that the data breach is only the beginning of the problems for the affected organisation. As the organisation and, significantly, the regulator review the carnage, the investigation goes well beyond the cause of the breach and what security measures were in place, and goes to issues of general data collection and handling. Organisations with poor data security commonly have a poor understanding of data collection. All too often organisations collect too much personal information, including information that is not relevant to their operations, and keep what they collect for too long, often not culling irrelevant information at all. Investigations then expand and often enough penalties accrue. Sometimes an organisation receives a greater penalty for breaches of the data protection laws not directly related to the data breach itself. These investigations increase the time it takes to put the data breach behind the organisation, increase the cost and further harm an organisation's reputation. Almost invariably these other deficiencies were easily avoided with proper advice, policies, protocols and training.

The Australian reports in Data at risk just asking for Medibank quote that non-customers of Medibank who provided personal information to Medibank in their inquiries about policies had that personal information compromised by the Medibank hack. That information includes names, gender, date of birth, email and phone details. As with many organisations, there was a commercial benefit in collecting that information even if the individuals did not purchase a policy. The information can be used for marketing and modelling. That said, that collection and retention is in breach of the Privacy Act and contrary to the principle of data minimisation.

Maurice Blackburn, Banister Law and Centennial Lawyers have joined together in a representative action involving as many as 9.7 million affected by the Medibank Data Breach.

The Australian article

ChatGPT, where privacy and AI collide

Artificial intelligence (better known as AI) has been around for a while. AI algorithms are a key part of Google's success, in discerning our interests and needs and ordering goods and services as part of the search engine's operation. Facebook and Amazon also rely on AI in making their money, with Facebook selling ads and Amazon putting items within tantalising reach. AI has moved to centre stage in public policy discussion because its use threatens to be ubiquitous. AI, and quantum computing, will be transformative in how business is done, services are provided and decisions are made. That is likely to be for the good but there are legitimate concerns about its untrammeled use without regulatory oversight. It will also impact employment, with the most recent example being Microsoft laying off 10,000 staff to cut costs as it focuses on AI.

In the United States there are concerns that the use of ChatGPT has the potential of breaching privacy laws. In the UK the Information Commissioner's Office is sufficiently concerned about the use of AI that it published an article on its website titled Addressing concerns on the use of AI by local authorities.

ChatGPT is an algorithm that is vexing educational institutions as it creates realistic text which may be difficult to distinguish from human-created prose. It may defy anti-plagiarism software. This is well summarised by the ABC with What is ChatGPT and why are schools and universities so worried about it? It

Massachusetts and Hawaii introduce privacy bills. The USA is slowly moving to proper data protection coverage through state based legislation

January 22, 2023

In the United States it is not uncommon for significant changes to originate at the state level, only later becoming part of the national legal framework. In 2023 comprehensive consumer privacy laws take effect in California, Colorado, Connecticut, Utah and Virginia. California's data privacy law is particularly strong, some say only slightly weaker than the GDPR in overall effect.

Sometime in early 2023 the Australian Commonwealth Government will release its proposed amendments to the Privacy Act. The Government has indicated, and strongly, a significant overhaul of the Act and how privacy will be regulated. Amendments to date have been limited and the regulation has been weak.

Reuters has an excellent piece U.S. data privacy laws to enter new era in 2023 which

The Commonwealth Government considering right to be forgotten as part of its Privacy Law reforms

January 19, 2023

As is the way with modern law reform, the Government of the day salts the media with stories of what may be in the yet to be released package of amendments or new laws. So it is with the mooted reforms to the Privacy Act. The Guardian has run a detailed story titled Australia to consider European-style right to be forgotten privacy laws. The article roams widely over some of the privacy reform proposals including a statutory right to sue for breach of privacy. It also ventures into other areas of law reform including a Judicial Commission.

The right to be forgotten is now quite a mature part