Information Commissioner releases corporate plan for 2024 – 2025

September 30, 2024

Agencies release corporate plans. They are of variable quality and often drafted in terms vague enough to avoid criticism. The good plans say something, even if there is enough plausible deniability buried in their dense prose. The Information Commissioner’s media release keeps with this approach.

It provides:

As the accountable authority, I am pleased to present the 2024–25 Office of the Australian Information Commissioner (OAIC) corporate plan for the 2024–25 to 2027–28 reporting periods, as required under paragraph 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

As an independent statutory agency, our office regulates privacy and freedom of information (FOI) under the Commonwealth Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act) and has information policy functions under the Australian Information Commissioner Act 2010. This corporate plan sets out our key activities and how we measure our performance.

Operation Turton, IBAC’s special report into hacking and misuse of information, highlights the overlap of security, corruption and basic issues of privacy and data security, and the inadequacy of Australian privacy regulation

September 25, 2024

The Parliament of Victoria tabled a special report by Victoria’s Independent Broad-based Anti-corruption Commission (“IBAC”) titled Operation Turton. It is a report about repeated instances where employees inappropriately accessed and misused sensitive information at the Metropolitan Fire Brigade (MFB). It has been reported in the Australian and the Age. The investigation concluded in 2021.

The Report clearly goes to the behaviour of individuals and the misuse of private information for improper purposes. But for privacy practitioners it is a useful report because it shows the need for proper data security practices and training. Fire Rescue Victoria had clear vulnerabilities in its data security which allowed the breaches that occurred.

In the analog age there was misuse of information contained in documents. Reports and correspondence were copied and leaked. The challenge of controlling information flow grew with the digitisation of documents, the use of email and other means of leaking material. Under privacy legislation in every jurisdiction, governments and organisations must maintain adequate data security. That includes password protection and requiring proper authorisation to access certain documents. But every system has vulnerabilities, the prime one being a failure to properly maintain data security standards and check for weaknesses.

The Report:

  • identified five separate incidents where MFB information was accessed or disclosed without authorisation, with three incidents involving public servants from MFB’s Information and Communications Services business area.
  • found individuals shared sensitive MFB information directly with the United Firefighters Union (UFU) without permission.
  • found Mr Marshall sought assistance from employees to inappropriately gather sensitive information on internal investigations related to him, executive contracts and another confidential organisational matter.
  • identified MFB was operating with significant information security vulnerabilities and under a restrictive agreement with the UFU that impaired MFB’s ability to address issues.

The recommendations include:

Recommendation 1
Fire Rescue Victoria develops clear policies and procedures regarding the matters that may be the subject of consultation with employees and their representatives at the Consultation Committee, and in what circumstances Fire Rescue Victoria information may be disclosed to employees and their representatives to inform that consultation.

Recommendation 2
Fire Rescue Victoria addresses the information and communication technology security vulnerabilities and risks identified in Operation Turton by:
(a) actioning the consolidated findings of the audit and reviews conducted in this area since 2018

Hardware chain, Total Tools suffers a data breach

September 23, 2024

Total Tools announced that it suffered a data breach which involved the loss of personal information. Total Tools’ statement is long and comprehensive. It is overlong, but that is a small criticism compared to the usual vague, brief, minimalist commentary that many Australian companies prefer to publish. It is still quite vague as to the cause of the breach, when it happened and for how long. American companies often include that information in their statements, because it usually comes out anyway. It has been reported that the breach involved the personal information of 38,000 individuals.

A media release should be part of a comprehensive data breach notification program. This one is better than many Australian statements. It provides:

Overview:

Total Tools has experienced a cyber incident on its website that resulted in the compromise of some customers’ personal information. The data that may have been compromised includes customer name, email address, Total Tools password, mobile number, shipping address, and certain credit card information belonging to customers who shopped or registered on our website recently.

What Happened?

We were made aware of an issue with our website, and upon further investigation, we identified evidence of suspicious activity occurring. Our team, along with third-party forensic and cyber security experts took expedited steps to investigate the incident and assist with our response.

What Are We Doing?

    • We are confident that the issue which caused the incident has been removed from our website.
    • We are continuing to monitor our network, and undertaking additional processes to maximise our security.
    • We have informed the relevant authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
    • We have set out below several precautions we recommend that impacted customers consider taking to lower the risk of their information being potentially misused.


Office of the Information Commissioner reports that from January to June 2024 there was the highest number of data breaches for 3 1/2 years.

The Office of the Information Commissioner has released its data breach report for the first 6 months of 2024. It is a useful, if imperfect, indication of the number of notifiable data breaches in Australia. The latest report shows an increased number of reportable breaches, reaching the highest number in three and a half years. It should be a given that the figures set out in these reports are very much an indication of trends. The actual number of data breaches is significantly higher. Some industries are more assiduous than others in reporting. The legislation allows for considerable interpretation of what is a reportable data breach. The culture of reporting remains poor because the consequences of non-compliance with the legislation

The Commissioner provided a foreword to the Report in which she foreshadowed a more muscular approach to enforcement. Finally. The foreword provides:

Since the launch of the Notifiable Data Breaches (NDB) scheme in 2018, the Office of the Australian Information Commissioner (OAIC) has published statistical information about data breach notifications we have received. Our goal in doing so has been to help entities and the public understand privacy risks identified through the scheme, highlight areas that require attention and provide clarity around our regulatory approach.

Six years on, the NDB scheme is now mature, and we are moving into a new era in which our expectations of entities are higher, seen in our recent commencement of civil penalty proceedings against Medibank Private Limited and Australian Clinical Labs Limited. This enforcement action should send a strong message that keeping personal information secure and meeting the requirements of the NDB scheme must be priorities.

ASIC investigating how directors prepare for and respond to cyber attacks

September 18, 2024

The Australian Financial Review reports, in an article titled ASIC pursues board directors over cyber breaches, that ASIC is investigating how directors deal with cyber attacks, both before and after they happen. The ASIC Chair’s speech Effective compliance: Perspectives from the regulator highlights this increased focus.

ASIC has been quite active in taking action against companies that have suffered damage as a result of data breaches, most notably its civil penalty proceeding against RI Advice.

The speech by the ASIC chair

The much anticipated privacy reform has landed in the House of Representatives in the form of the Privacy and Other Legislation Amendment Bill 2024. It is quite a modest affair.

September 13, 2024

Yesterday the Government, via the Attorney General, introduced the Privacy and Other Legislation Amendment Bill 2024. If passed before Parliament is prorogued prior to next year’s Federal election (which must be held by 17 May 2025 for there to be a concurrent House of Representatives and half Senate election), it will constitute a significant but modest reform of the quite inadequate Privacy Act.

The most significant change is the introduction of a Statutory Tort for Serious Invasions of Privacy. It will be found at Schedule 2. I have reproduced the entire Bill below.

I will post on this proposal in more detail later but the highlights are:

  • the cause of action is confined to intrusion upon seclusion and/or misuse of information (clause 7) where a person had a reasonable expectation of privacy (clause 7(b)), the act(s) was/were intentional or reckless (clause 7(c)) and it was serious (clause 7(d)).
  • it is actionable per se.
  • a defendant may rely on a public interest defence (clause 7(3)); the matters of public interest are listed at clause 7(4)
  • reasonable expectation of privacy is defined using a non-exclusive list of matters for the Court to consider (clause 7(5))
  • seriousness is defined using factors to be weighed (clause 7(6))
  • there are other specific defences set out at clause 8
  • general damages are capped at the greater of $478,550 (clause 11(5)(c)) or the maximum awarded under defamation law. Aggravated damages cannot be awarded, but exemplary damages may be awarded.
  • the court can order an account of profits, issue an injunction, or an apology, a correction order and a declaration.
  • the limitations period (clause 14) is:
    • for a plaintiff under the age of when the invasion of privacy occurred, before that person’s 21st birthday
    • for all other plaintiffs the earlier of:
      • the day that is 1 year after the day on which the plaintiff became aware of the invasion of privacy
      • the day that is 3 years after the invasion of privacy occurred.
  • there are immunities from suit, described as exemptions (at Part 3), for:
    • journalists
    • enforcement bodies
    • intelligence agencies
    • persons under the age of 18
  • Federal Circuit and Family Court of Australia (Division 2) has jurisdiction.

Other notable provisions are:

  • Part 3 Emergency declarations
  • Part 4 Children’s privacy; the development of a Children’s Online Privacy Code
  • Part 8 Penalties for interference with privacy
  • Part 9 Federal court orders; expanded scope of orders that can be made
  • Part 15 Automated decisions and privacy policies
  • Schedule 3: creation of doxxing offences, to be section 474.17C of the Criminal Code.

Given the significant recommendations that have not been acted upon in the 2008 and 2014 ALRC reports, and even in the Attorney General’s Report, the word “modest” is the best description for the proposed amendments. It could have been a whole lot more and led to a much better Privacy Act and, by extension, much better privacy protections for Australians.

The Conversation’s Long-overdue Australian privacy law reform is here – and it’s still not fit for the digital era aptly summarises the disappointing scope of the reform. It provides:

Almost four years since the Privacy Act review commenced, the Australian government has introduced a reform bill that fails to make most of the fundamental changes needed to modernise our privacy laws.

Attorney-General Mark Dreyfus said in May that the government would introduce legislation to reform a privacy regime that’s “woefully outdated and unfit for the digital age”.

Recent data breaches in Australia show the problem remains and that organisation

September 10, 2024

With amendments to the Privacy Act about to be introduced into the House of Representatives, or at least that is the expectation, it is worth listing the known significant data breaches in Australia in August:

Bloom Hearing

  • Bloom Hearing Specialists, which operates hundreds of clinics around Australia, confirmed that a “threat actor” had stolen data from the audiologist’s network. Bloom released a statement confirming that the data includes medical and financial records of current, past and prospective patients as well as current and former employees and contractors.

Regent Caravans – August 2024

  • Regent Caravans was hit by RansomHub, losing 30 gigabytes of data which included a large number of CAD files for the company’s caravans, ordering details, and a folder full of ID card photos of the company’s employees.

NIST releases draft of digital identity guidelines for final review

September 9, 2024

NIST has released an update to its Digital Identity Guidelines. The update consists of a revised draft of the Digital Identity Guidelines (NIST Special Publication [SP] 800-63 Revision 4 and its companion publications SPs 800-63A, 800-63B and 800-63C). While the focus of these guidelines is US practice and laws, the issues they deal with are universal when it comes to data management, privacy and security.

The public release provides:

“Today’s draft revision from NIST highlights the Biden-Harris administration’s commitment to strengthening anti-fraud controls while ensuring broad and equitable access to digital services,” said Jason Miller, deputy director for management at the Office of Management and Budget. “By incorporating feedback from private industry, federal agencies, privacy and civil rights advocacy groups, and members of the public, NIST has developed strong and fair draft guidelines that, when finalized, will help federal agencies better defend against evolving threats while providing critical benefits and services to the American people, particularly those that need them most.”

“Everyone should be able to lawfully access government services, regardless of their chosen methods of identification,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “These improved guidelines are intended to help organizations of all kinds manage risk and prevent fraud while ensuring that digital services are lawfully accessible to all.”

New South Wales Information and Privacy Commissioner publishes a guide to Privacy Impact Assessments on AI systems

Regulators are now publishing guidelines on AI at a rapid rate while legislatures are grappling with legislation. On September 5, 2024, the Council of Europe (CoE) announced that the Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (the Convention) was open for signature. The latest is the New South Wales Information and Privacy Commissioner’s guide to Privacy Impact Assessments (PIAs) on AI systems. It released the Guide on Friday. The guide also supports agencies in undertaking privacy-related assessments under the NSW AI Assessment Framework (AIAF) and the National framework for the assurance of AI in government.

The guide provides advice to agencies on:

  • determining when a PIA is necessary;
  • determining the likely scope and scale of a PIA;
  • PIA considerations when assessing AI systems and projects; and
  • common AI privacy risks and mitigations.

The press release provides:

The Information and Privacy Commission (IPC) has released its new Guide to undertaking Privacy Impact Assessments on AI systems and projects for consultation and feedback.

The Guide has been developed to support agencies in understanding, assessing and mitigating privacy risks in relation to the use of AI systems and projects when undertaking Privacy Impact Assessments (PIAs). It also supports agencies in undertaking privacy related assessments under the NSW AI Assessment Framework (AIAF) and the National framework for the assurance of artificial intelligence in government.

The new Guide builds on and is complementary to the Guide to Privacy Impact Assessments in NSW, to provide more specific guidance on AI-related privacy risks.

The IPC values the input of privacy practitioners in NSW and is seeking feedback on this updated guidance. In particular, feedback would be appreciated for the following focus questions:

UK Ministry of Justice announces international treaty addressing risks of AI while in Australia the Department of Industry, Science and Resources launches public consultation on mandatory guardrails for high-risk AI

September 6, 2024

On September 5, 2024, the UK Ministry of Justice (MoJ) announced that the UK had signed the first legally binding treaty governing the safe use of artificial intelligence (AI). The new framework, agreed by the Council of Europe, commits parties to collective action to manage AI products and protect the public from potential misuse.

The treaty has three over-arching safeguards, namely:

  • protecting human rights, including ensuring people’s data is used appropriately, their privacy is respected, and AI does not discriminate against them;
  • protecting democracy by ensuring countries take steps to prevent public institutions and processes from being undermined; and
  • protecting the rule of law by putting the onus on signatory countries to regulate AI-specific risks, protect their citizens from potential harm, and ensure AI is used safely.

The treaty requires countries to monitor AI development and ensure any technology is managed within strict parameters, and includes provisions to protect the public and their data, human rights, democracy, and the rule of law.

Countries must also act against activities that fall outside of these parameters to tackle the misuse of AI models which pose a risk to public services and the wider public.

Meanwhile in Australia, again on September 5, 2024, the Department of Industry, Science, and Resources (DISR) announced a public consultation on a 69 page proposal paper to introduce mandatory guardrails for the safe and responsible use of artificial intelligence (AI) in high-risk settings.

The proposed mandatory guardrails