O’Carroll v Meta: Facebook agrees to stop targeting ads to the plaintiff.

March 25, 2025

Tanya O’Carroll commenced proceedings against Meta seeking orders that Facebook stop using her personal data to create targeted ads on subjects that it believed she would be interested in. She argued that Facebook’s campaign was direct marketing under the UK legislation. Meta has settled the claim, agreeing to stop sending targeted advertisements using her personal information. The Information Commissioner’s Office is very happy. So happy that it issued a statement. The ICO has always regarded targeted advertising as being direct marketing under the legislation; it intervened in the case with an amicus curiae brief.

Under the Australian Privacy Act 1988 Australian Privacy Principle 7 addresses direct marketing directly, with the key issues being:

  • APP 7 provides that an organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies. APP 7 may also apply to an agency in the circumstances set out in s 7A.
  • Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.
  • Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always:
    • allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and
    • comply with that request.
  • An organisation must, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.

There has been no similar case in Australia to O’Carroll v Meta.  There is a basis for making the same argument here given the content of APP 7.

The ICO statement provides:

An ICO spokesperson said:

“People have the right to object to their personal information being used for direct marketing, and we have been clear that online targeted advertising should be considered as direct marketing. 

“Organisations must respect people’s choices about how their data is used. This means giving users a clear way to opt out of their data being used in this way. 

“If people believe that an organisation is not complying with their request to stop processing their data, they can file a complaint to us. We will continue to engage with Meta on this issue.”

A BBC article

Privacy Commissioner enters into enforceable undertaking with Oxfam Australia resulting from a data breach on 20 January 2021 resulting in the loss of up to 1.7 million records

February 20, 2025

Today the Privacy Commissioner announced that she has entered into an enforceable undertaking with Oxfam Australia arising from a large data breach on 20 January 2021. What is clear from the undertaking and the Commissioner’s blog is that Oxfam had poor data handling practices and held data long after it was needed. This is a common problem and aggravates the damage associated with a data breach.

The term of the undertaking is 2 years. The key obligations are found at paragraph 6, setting out obligations within 3 months to set up a coherent system of controls on the use of shared credentials, password controls and multi-factor authentication, and within 6 months to destroy personal information held by Oxfam for more than 7 years or falling in other specific categories. Oxfam must undertake a review of all current uses of personal information within 3 months. An expert will review compliance in 12 months’ time and Oxfam will implement any recommendations. It will also engage in “a program of public engagement” with the Commissioner and provide to her documents or information she requests from time to time to determine compliance with the Undertaking.

It is a reasonably stringent Undertaking by Australian standards. It is quite lax compared to actions the UK Information Commissioner takes and very easy going compared to the Federal Trade Commission’s enforceable undertakings which often involve swingeing fines and a period of 10 – 20 years of compliance with regular reporting. 

The media release provides:

Privacy Commissioner Carly Kind has accepted an enforceable undertaking (EU) offered by Oxfam Australia (Oxfam).

A data breach was experienced by the not-for-profit in January 2021, and reported to the OAIC in February 2021, following which, the Commissioner initiated an investigation. The data breach resulted in the loss of up to 1.7 million Oxfam records.

The Commissioner’s acceptance of the EU is not a finding that Oxfam has breached the Privacy Act nor the Australian Privacy Principles, but rather highlights the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices.

Oxfam is undertaking a range of measures outlined in the EU, particularly in relation to not storing certain personal information longer than 7 years, avoiding the use of shared credentials, implementing password security controls, sharing staff guidance, procedures and training, and the use of privacy threshold assessments in relation to any project that involves handling personal information for testing purposes.

Oxfam has been working collaboratively with the OAIC across the investigation period, and since offering the enforceable undertaking has contributed to an awareness raising campaign directed at others in the not-for-profit sector in relation to the incident and its response to the incident.

The OAIC has used insights from its investigations into Oxfam’s experience, and the separate data breach which affected the telemarketing firm Pareto, to update its privacy guidance for not-for-profits. The guidance, updated in October 2024 (media release), includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.

Timeline

    • On 20 January 2021 an unknown user gained access to an Oxfam Australia (Oxfam) database.
    • The data breach resulted in the loss of up to 1.7 million Oxfam records.
    • Oxfam was alerted to the incident on 27 January 2021.
    • Oxfam notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) of the incident on 26 February 2021.
    • Oxfam Australia alerted its supporters of the potential risk on 4 February 2021.
    • On 1 March 2021 Oxfam began notifying their supporters about steps that they could take to protect personal information and provided access to IDCARE.
    • On 10 September 2021 the Australian Information Commissioner commenced an investigation into whether Oxfam’s acts and practices met its requirements under the Privacy Act.
    • Privacy Commissioner Carly Kind concluded the investigation in late 2024.
    • Following the conclusion of the investigation, Oxfam presented Privacy Commissioner Carly Kind with their enforceable undertaking on 18 December 2024.
    • Privacy Commissioner Carly Kind accepted the Oxfam enforceable undertaking on 20 December 2024.

Key privacy points for NFPs

    • NFPs may have obligations under the Privacy Act and Australian Privacy Principles when collecting and handling personal information.
    • Regardless of whether the Privacy Act applies to your NFP, good privacy practice can enable you to build trust and maintain stronger relationships with the community and reduce the risk of harm to your entity, staff and supporters which may result from a data breach.
    • It is important to ensure your NFP only collects personal information you need, stores that information securely and deletes the information when it is no longer required.
    • Your NFP should only retain personal information where there is an ongoing need to hold this information. You should make sure that your NFP has systems and processes in place for regularly reviewing whether the retention of information is still required, and destroying or de-identifying personal information that is no longer required.
    • Part of good privacy practice also means being prepared in case things go wrong. Ensuring you have a data breach response plan in place and are familiar with it, will enable you to respond quickly to a data breach.
    • When entering into arrangements with third parties, your NFP should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your NFP and the wider community. Read the terms of your agreement carefully, conduct periodic reviews of arrangements, and ensure the third party deletes any personal information at the end of the contract term.
    • Refer to our privacy guidance for not-for-profits for advice on security of information, and steps your NFP should put in place to ensure compliance with retention and destruction obligations. The guidance also covers what to consider when engaging third-party providers, such as for fundraising, or software vendors.

Note: Commissioner Kind wishes to note that she previously undertook consultancy work for Oxfam Great Britain. Oxfam Australia and Oxfam Great Britain are separate legal entities. Commissioner Kind’s consultancy work was undertaken prior to her appointment as Privacy Commissioner.

The Enforceable Undertaking

Genea, an IVF provider, suffers a significant data breach.

February 19, 2025

Genea, a large IVF provider, has suffered a cyber attack. Today it publicly announced that it has been the subject of a cyber attack. The statement, 19 February 2025: Important update about a cyber incident, is a model of saying precious little.

It provides:

Genea is urgently investigating a cyber incident after identifying suspicious activity on our network. As soon as we detected the incident, we took immediate steps to contain the incident and secure our systems. 
 
Out of an abundance of caution, this included taking some of our systems and servers offline while we investigated the incident. These are now being restored while we continue our investigation.
 
Our ongoing investigation has identified that an unauthorised third party has accessed Genea data. We are urgently investigating the nature and extent of data that has been accessed and the extent to which it contains personal information.
 
We acknowledge the importance that people place on their information, especially in this current environment. We are committed to keeping you updated as we learn more.

Are Genea clinics still open and treatments being provided?

We are working hard to ensure that there is minimal disruption to treatment being provided to our patients. If you do not hear from your local Genea clinic, there is no change to your current treatment schedule.

What should I do?

We will communicate with relevant individuals if our investigation identifies any evidence that their personal information has been impacted.

We sincerely apologise for any concern this incident may cause and want to reassure patients that we take your privacy and the security of your data very seriously.
 
We also want to reassure you that our teams of specialists, nurses and office support staff are working tirelessly to ensure that there is minimal disruption to your treatment, which is of our utmost priority and importance.
 

Need to get in touch?

If you have any further questions, please email cyber@genea.com.au.

The statement is more about appearing to provide information while not doing any such thing. There are no details of when the attack occurred, when it was detected, or what data was accessed. The ABC’s sleuthing partially filled in those gaps. The ABC suggests the attack occurred sometime on the weekend when Genea’s phone line went down (which it announced on 14 February – last Saturday), its app was unusable and patients started posting on Genea’s Instagram account. Genea claims to be investigating the extent to which personal information has been accessed. That is improbable. If it is accurate, then the resources it is deploying to determine whether personal information was accessed are inadequate. So Genea’s vague, say-nothing media release is less than helpful. IVF patients have a very strong interest in using Genea’s digital resources, are very proactive and many are quite sophisticated. So throwing a digital blanket over a serious breach is a poor way of managing a crisis. The reluctance by Genea to be more open may expose it to more media coverage.

Given the nature of the treatment provided and the likelihood that very sensitive personal information was stored in Genea’s records it is almost certainly a notifiable data breach. 

The story has been reported in

Guardian reports that UK gambling firms secretly sharing user data with Facebook without permission

February 18, 2025

The Guardian’s report Revealed: gambling firms secretly sharing users’ data with Facebook without permission is unfortunately hardly surprising. On this occasion the personal information is going from gambling companies to Meta for it to profile its users and place advertisements.

Yes Virginia, there is a Santa Claus. A Christmas greetings

December 24, 2024

It is that time of year. Christmas. I wish you all a happy and holy Christmas and that in 2025 all your hopes and dreams come true. As per my tradition I republish one of the great journalistic pieces on Christmas, Yes Virginia there is a Santa Claus. It struck me when I first read it as an 18 year old and I still marvel at the beautiful prose. It is what all good writing should be; clear, spare and lively. This piece also has a touch of literary fairy dust. To write like this is a noble aim.

Here it is:

Dear Editor,
I am 8 years old. Some of my little friends say that there is no Santa Claus. Papa says “If you see it in the Sun, it is so.” Please tell me the truth, is there a Santa Claus?

Virginia,
Your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except what they see. They think that nothing can be which is not comprehensible by their little minds.

All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, Virginia, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to our life its highest beauty and joy.

Alas! How dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

Not believe in Santa Claus? You might as well not believe in fairies! You might get your Papa to hire men to watch all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove?

Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see.

Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders that are unseen and unseeable in the world.

You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, or even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernatural beauty and glory beyond.

Is it all real? Ah, Virginia, in all this world there is nothing else as real and abiding.

No Santa Claus? Thank God he lives and he lives forever. A thousand years from now, maybe 10 times 10,000 years from now, he will continue to make glad the hearts of children.

Written by Francis P. Church in 1897

Documents containing personal information found dumped in Northern Territory scrubland highlights

October 17, 2024

In the digital age the common belief is that data breaches involve a cyber attack, disclosure of information on a web site or an errant email. As the ABC reports in Documents containing personal information of NT residents found dumped in bushland in Darwin rural area, data breaches can, and often do, occur through documents being left in public. There have been many instances of records being left in filing cabinets that are then offered for sale, medical records being stored and forgotten, or documents being left in public.

In the most recent example the documents left in the bush contained personal information including medical and bank records and phone numbers. This may constitute a breach of the Privacy Act 1988 by the entity that collected the documents and then didn’t dispose of them properly. In this case it involved records created by the Northern Territory Government.

Document management, either in hard or soft copy form, is critically important and quite straightforward if there is decent training and a workable system. Businesses often do not regularly review what documents they have and ask themselves why they still have personal information that they don’t need. Medical practices are notorious for holding records of long since deceased patients or individuals who have moved to other doctors or left the

Attorney General of Texas launches a data privacy and security initiative… Not the usual headline one expects in Texas

June 5, 2024

As if any more proof were required that privacy and data security is not an ideological issue, the Attorney General of Texas has announced an initiative to protect “Texans’ Sensitive Data from Illegal Exploitation by Tech, AI, and Other Companies.”

The press release

The UK National Cyber Security Centre has released guidance on how to disrupt email compromise attacks

May 22, 2024

The UK National Cyber Security Centre has published guidance on dealing with attacks on business email, known as business email compromise (“BEC”).

BEC involves criminal access to a work email account in order to trick someone into transferring money or to steal valuable or sensitive data. The usual method of entry is a targeted phishing email sent to an individual within an organisation. Standard email spam filters generally do not detect them, especially if they come from a legitimate email account that has already been compromised.

The guidance recommends organizations take steps to make them less prone to BEC attacks including:

  • reducing the digital footprint of senior staff and executives;
  • helping staff and users to identify and detect phishing emails;
  • implementing two-step verification for accounts; and
  • applying the principle of least privilege.

These are quite standard issues for privacy professionals but quite often unknown to organisations.

The press release provides:

Business email compromise (BEC) occurs when a criminal accesses a work email account in order to trick someone into transferring money, or to steal valuable (or sensitive) data. For this reason, BEC attacks are often directed at senior staff, or those that can authorise financial transactions.

Unfortunately, BEC attacks (which are a type of phishing attack) are on the increase. A recent government report on cyber attacks revealed that in 2023, 84% of businesses and 83% of charities have experienced a phishing attack in the past 12 months.

The good news is that the NCSC has recently published new guidance on BEC that includes practical steps that will reduce the likelihood of your organisation suffering from a BEC attack. It is specifically aimed at smaller organisations who might not have the resources (or expertise) to implement the NCSC’s existing guidance on phishing attacks in full.

Australian Police link over 11,000 cyber crimes to the Medibank breach.

March 17, 2024

The Medibank breach was a seminal moment in Australian privacy and data security history. Together with the Optus breach it affected almost half the country’s population. It also highlighted the lax state of cyber security at large companies: minimal data security overall, a focus on perimeter defences over defence in depth, dreadful data storage and security policies, and retaining data long after it is required. But it is the knock-on effect that matters. Itnews reports on it in Australian police link “over 11,000 cybercrime incidents” to Medibank breach. It is that consequential damage that regulators need to be constantly aware of when deciding how to enforce the legislation. Unfortunately in Australia light touch enforcement has meant that the culture about data security at the board room level is still woefully lax, despite protestations to the contrary. As a result data breaches are quite regular and escalating in frequency.

The article

Federal Trade Commission takes action against Blackbaud for inadequate security practices, seeks orders for it to delete unnecessary data

February 14, 2024

The Federal Trade Commission has taken action against Blackbaud and required it to delete personal data that it does not need. The genesis of this outcome was the poor security practices that let a hacker access a trove of sensitive personal information in 2020, much of which should not have been kept. The FTC set out the multiple Blackbaud transgressions: failing to segment data, failing to have multi-factor authentication and not notifying customers of the breach. In this case, as in many others, a data breach doesn’t reveal one flaw but usually a system-wide failure.

The media release provides:

South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.

As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers.