New South Wales Reconstruction Authority suffers significant data breach. Third party use of AI partly to blame

October 6, 2025

Artificial Intelligence is the runaway train of administration, the law and most other areas that use it. Its capabilities are rarely fully understood, its dangers are not considered and most users have no idea how it works. If the use of AI causes or contributes to the misuse of personal information, that ignorance is no excuse for failing to comply with privacy legislation. The New South Wales Reconstruction Authority (the “Authority”) today announced that it has been the subject of a data breach. The breach occurred between 12 and 15 March 2025 and involved names, addresses, email addresses, phone numbers and “some personal and health information.” Names and addresses are personal information. While the Authority stresses that the contractor used an AI tool the Authority had not authorised, that does not change the Authority's liability. Third party providers are a chronic weak link in any data security arrangement. They are often used because they are cost effective. That may mean they are less invested in data security and proper training. Organisations should include proper cyber security requirements in contracts, and should also insist on a right to inspect and test the effectiveness of the provider's security controls.

This episode highlights the need to determine whether any AI tool is properly integrated and compatible with existing systems, whether appropriate security measures are in place and whether there has been a proper assessment of risk.

Some of the factors organisations need to consider are:

  • Security – An organisation needs to consider the model type and how it is deployed. The starting preference should be a “Closed Model” (a private or enterprise deployment under the organisation's control) rather than an “Open Model” such as the standard consumer ChatGPT service. Closed deployments generally do not allow prompts and results to be used to train the underlying model and do not retain the data, although the retention and training terms should be confirmed in the contract rather than assumed. That deals with the unapproved disclosure of confidential or personal information, which is what occurred in this case. Any AI system should comply with local and international data sovereignty laws. For an Australian agency that means data remaining within Australian borders. It is critical to know how, and how often, the underlying Large Language Model (LLM) is trained and updated, and to ensure that those updates are secure and trustworthy, or otherwise subject to sufficient controls.

  • Quality of data and training – Quality in, quality out applies to the data, but the training also needs to be of high quality. Look for models whose providers have invested in industry-specific pre-training to achieve optimal results.

  • Quality Assurance – If an organisation uses AI to make decisions it is critical to have quality assurance. That involves measuring the system's decisions against human-verified outcomes using statistical methods such as precision and recall, with regular testing and validation, including after each model update.

  • Tracking – It is important to be able to trace work products and decisions. That involves having methods to monitor and document where AI has been involved in producing a work product, such as logs of AI interactions or tagging of outputs generated by AI systems.
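
The Quality Assurance and Tracking points above are the two that can be reduced to working code. The following is an added example, not code from the original post or from the Authority or its contractor: it scores a set of yes/no AI decisions against human-verified labels by precision and recall, applies an illustrative release threshold, and keeps a provenance log that records which model and operator produced each output, storing SHA-256 digests rather than the prompt and output text. The decision values, model names and thresholds are constructed for the example.

```python
"""Added example, not code from the original post or from the Authority: a
minimal quality-assurance check and provenance log for an AI system that
makes or assists decisions. Assumptions (hypothetical): decisions are yes/no,
a human-labelled sample is available, and the log keeps SHA-256 digests of
prompts and outputs rather than the text, so the audit trail is not a second
copy of the personal information."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Metrics:
    tp: int  # AI yes, human yes
    fp: int  # AI yes, human no
    fn: int  # AI no, human yes
    tn: int  # AI no, human no

    @property
    def precision(self) -> float:
        d = self.tp + self.fp
        return self.tp / d if d else 0.0

    @property
    def recall(self) -> float:
        d = self.tp + self.fn
        return self.tp / d if d else 0.0


def evaluate(ai_decisions, human_labels) -> Metrics:
    """Score the AI's yes/no decisions against human-verified labels."""
    if len(ai_decisions) != len(human_labels):
        raise ValueError("decisions and labels must be the same length")
    tp = fp = fn = tn = 0
    for ai, human in zip(ai_decisions, human_labels):
        if ai and human:
            tp += 1
        elif ai:
            fp += 1
        elif human:
            fn += 1
        else:
            tn += 1
    return Metrics(tp, fp, fn, tn)


def release_gate(m: Metrics, min_precision=0.9, min_recall=0.9):
    """Return (passed, reasons). Thresholds are illustrative; re-run this
    after every model update, since updates can change performance."""
    reasons = []
    if m.precision < min_precision:
        reasons.append(f"precision {m.precision:.2f} < {min_precision}")
    if m.recall < min_recall:
        reasons.append(f"recall {m.recall:.2f} < {min_recall}")
    return (not reasons, reasons)


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ProvenanceLog:
    """Append-only record of every AI interaction behind a work product."""

    def __init__(self):
        self.entries = []

    def record(self, model_id, model_version, operator, prompt, output,
               approved_tool=True) -> int:
        """Log one interaction (digests only) and return its entry id."""
        self.entries.append({
            "id": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "model_id": model_id,
            "model_version": model_version,
            "operator": operator,
            "approved_tool": approved_tool,  # False = tool not on the approved list
            "prompt_sha256": _digest(prompt),
            "output_sha256": _digest(output),
        })
        return len(self.entries)

    def tag(self, output: str, entry_id: int) -> str:
        """Mark a work product as AI-generated, pointing at its log entry."""
        return f"{output}\n[AI-generated: provenance entry {entry_id}]"

    def verify(self, entry_id: int, output: str) -> bool:
        """True if the document matches the output that was logged."""
        if not 1 <= entry_id <= len(self.entries):
            return False
        return self.entries[entry_id - 1]["output_sha256"] == _digest(output)

    def unapproved(self) -> list:
        """Ids of interactions that used a tool the organisation has not approved."""
        return [e["id"] for e in self.entries if not e["approved_tool"]]


if __name__ == "__main__":
    # Constructed sample: eight AI decisions checked by a human reviewer.
    m = evaluate([True, True, False, True, False, False, True, False],
                 [True, False, False, True, True, False, True, False])
    print(f"precision={m.precision:.2f} recall={m.recall:.2f}", release_gate(m))
```

The log deliberately records who ran the tool and whether it was on the approved list; a contractor using an unapproved tool, as in this incident, would show up in `unapproved()` at the next review rather than after a breach. Storing digests means the log can still prove which output a document corresponds to without itself holding the personal information.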

Clearly the Authority will have to review how its third party providers use AI. There was a failure to properly monitor, and to control, the practices of third parties handling the personal information collected by the Authority.

The data breach has been reported by the ABC with

Privacy Commissioner of Canada issues guidelines for the use of biometric information following New Zealand Privacy Commissioner issuing biometrics code

August 29, 2025

Regulators are increasing their focus on the proper use of biometrics. Advances in technology have made the collection and mandatory use of biometrics more prevalent, even common in some industries. That has drawn more attention from regulators, as compliance is an issue when it comes to the collection, storage, use and disposal of this sort of personal information. On 11 August 2025 the Privacy Commissioner of Canada issued its guidance on the use of biometrics. This follows the New Zealand Privacy Commissioner publishing rules on the use of biometrics earlier this month. The UK Information Commissioner has probably issued the most comprehensive biometric data guidance. While it refers to UK legislation, its general advice is very good. The Australian Information Commissioner has not published guidelines on biometrics but has advised that biometric information is sensitive information for the purposes of the Privacy Act 1988.

The key issues from the Canadian guidelines are:

  1. Collection, use and disclosure: appropriate use
    • At the outset the organisation must have  lawful authority for the collection, use and disclosure of biometric information. The issue is slightly different between sectors:
      • Public sector: In establishing whether Federal institutions have lawful authority to collect biometric information the information must directly relate to a government program or activity.
      • Private sector: organisations must identify a legitimate need for using biometrics.  The collection and use must be effective, minimally intrusive and proportionate to its purpose.
  2. Consent
    • As with all privacy legislation consent is important.  As the guidance states it must be valid, informed and meaningful. That includes advising people what biometric information will be collected, why it is needed, who it may be shared with and any risks of harm.
    • Biometrics is not the first and only option.  Where biometrics are not integral to the service, alternatives must be offered.
  3. Privacy impacts; necessity and proportionality. As is good practice generally, a privacy impact assessment should be carried out before implementing a biometrics program. That means showing that biometrics are:
    • Necessary for a specific, legitimate and defensible objective;
    • Effective and reliable in achieving that purpose;
    • Minimally intrusive, with no less invasive alternatives available; and
    • Proportional, ensuring that privacy impacts are commensurate to the benefits gained.
  4. Limiting Collection, Use and Retention

    Organisations must only collect and use the biometric characteristics strictly necessary for the stated purpose. The process involves:

    • Favouring verification (one-to-one) systems over identification (one-to-many), where feasible;
    • Avoiding large, centralised biometric databases;
      • Avoiding the extraction of secondary information;
    • Limiting disclosure; and
    • Retaining biometric information only as long as necessary and destroying it once no longer required.
  5. Security/Safeguards

    This encompasses having measures to protect personal information against loss, theft or unauthorised access. Biometric information must be secured with physical, administrative and technical measures proportionate to its sensitivity. Best practice involves:

    • Encryption during storage and transmission;
    • Regular penetration testing and vulnerability assessments;
    • Control of employee access; and
    • Breach reporting.
  6. Accuracy

    Accurate information matters everywhere, but the consequences of inaccuracy can be even greater with biometric recognition. Erroneous information can lead to wrongful denial of services or misidentification. Best practice includes:

    • adopting technologies with appropriate accuracy rates;
    • Testing systems in real-world conditions and across demographic groups to minimise bias and discrimination;
    • Monitoring accuracy on an ongoing basis, as system updates can affect performance; and
    • Developing procedures for false positives and negatives, ensuring timely resolution and human review where decisions have significant consequences.
  7. Accountability

    Organisations remain responsible for the biometric information they hold even when using third-party service providers. In that respect an organisation's obligations include:

    • due diligence on service providers’ practices;
    • having contracts and information-sharing agreements that embed privacy protections;
    • establishing clear governance structures, audit rights and breach response plans; and
    • ensuring there is adequate employee training and oversight.
  8. Openness and Transparency


Trumpet of Patriots and United Australia Party hit by ransomware cyber attack.

July 18, 2025

The cyber attack on Trumpet of Patriots and the United Australia Party highlights two issues with privacy. The first is that political parties harvest huge amounts of personal information. Some of it relates to membership. Some is obtained through enquiries, surveys and data provided from other political sources, such as parliamentarians. Political parties operate on data. It is a critical part of messaging and lobbying. The second is that this cyber attack highlights a flaw in the Privacy Act 1988. Registered political parties are exempt under section 7C from the operation of the Privacy Act 1988. The Privacy Commissioner has no power to investigate the breach. The question then is whether either or both of the United Australia Party and Trumpet of Patriots are “registered political parties.” According to the Australian Electoral Commission, Trumpet of Patriots is a registered political party. The United Australia Party is not. It has been deregistered and, despite its best efforts in Babet v Commonwealth of Australia; Palmer v Commonwealth of Australia [2025] HCA 21, could not be re-registered. Interestingly, Trumpet of Patriots notified the Privacy Commissioner of the data breach.

That does not mean Trumpet of Patriots is immune from suit even if it is exempt under the Privacy Act.

The story is covered in

Qantas obtains interim injunction arising out of the data breach which affected 5.7 million customers

July 17, 2025

It is becoming common practice for companies affected by significant data breaches to seek injunctive relief. The Australian reports, in Qantas goes to court over cyber attack in attempt to stop stolen data being released or used, that Qantas has obtained an interim injunction in the New South Wales Supreme Court. A copy of the orders has not been released but they are reported as intending “..to prevent the data being accessed, viewed, released, used, transmitted or published by anyone including by any third parties.” There is no identified respondent to the application. It is also covered by 9 News and Reuters. It remains to be seen whether the process will follow the approach taken by the court in the HWL Ebsworth application for injunctive relief in 2023.

Interestingly the National Office of Cyber Security prepared a report on the HWL Ebsworth Cyber Security Incident titled “Lessons Learned Review”. Under the heading “What was interesting” the report says the following about the injunction HWL Ebsworth obtained from the Supreme Court of New South Wales.

The granting of an injunction from the Supreme Court of New South Wales to HWL Ebsworth was a key point of interest during the management of the incident. The injunction was sought by HWL Ebsworth to restrain further access to or publication of information exposed during the incident, in an attempt to protect client data, and minimise ‘online rubbernecking’. Overwhelmingly, government entities viewed this enabled better support to impacted clients (including individuals) through minimising the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response.

HWL Ebsworth’s intention when seeking the injunction was never to stop its clients from accessing their own data, as several clients were granted exemptions to ensure access for this purpose could continue. However, the injunction also prevented accidental unauthorised access which would have been inevitable in the circumstances where clients of the firm were seeking their own information but would, in the process, further compromise the privacy of other matters unintentionally.

There is quite a bit of supposition in that assessment. It is not possible to know whether the injunction performed that role. There have been no reported contempt of court proceedings for breaching the injunction. It would also be quite difficult to determine how much ‘online rubbernecking’ there was to start with and whether it was reduced. How to monitor online rubbernecking is another issue. If the data is hosted on a particular dark web site, removing it (highly improbable) would be a better solution than working out who viewed it (even more difficult). That said, injunctive relief is now part of the response to large scale data breaches.

It is clear from the assessment that the orders were almost certainly more involved and complicated than a blanket prohibition. There is reference to exemptions. That is an important issue when seeking such orders. It is important to avoid putting victims who discover their own personal information, and view it, in a position where they may be in contempt of court. That is clearly not an intended consequence.

The Australian story

The Australian Competition and Consumer Commission releases its tenth and final report of its five year Digital Platform Services Inquiry. It identifies harmful practices and calls for widespread law reform relating to Digital Platform services.

June 24, 2025

After five years the Australian Competition and Consumer Commission (“ACCC”) has released its tenth and final report of the Digital Platform Services Inquiry.

The ACCC’s media release provides:

Without sufficient laws in place, Australian consumers and businesses continue to encounter a significant number of harmful practices across a range of digital platform services, the ACCC’s tenth and final report of the ACCC’s Digital Platform Services Inquiry has found.

“Digital platform services are critically important to Australian consumers and businesses and are major drivers of productivity growth in our economy,” ACCC Chair Gina Cass-Gottlieb said.

“While these services have brought many benefits, they have also created harms that our current competition and consumer laws cannot adequately address. This is why we continue to recommend that targeted regulation of digital platform services is needed to increase competition and innovation, and protect consumers in digital markets.”

The report, which concludes the ACCC’s five year inquiry, has reiterated support for measures including an economy wide unfair trading practices prohibition, an external dispute resolution body for digital platform services, and a new digital competition regime.

Continued risk of widespread harms to Australian consumers and small businesses

The ACCC’s final report found that there continues to be significant risk of consumer and competition harms on digital platforms.

Consumers continue to face unfair trading practices in digital markets including manipulative design practices, such as user interfaces that direct consumers to more expensive subscriptions or purchase options.

Multiple Australian Super Funds suffer cyber attacks with losses of $500,000.

April 6, 2025

The Australian, in Zero dollars showing on some accounts but AustralianSuper says no need to panic, reports that AustralianSuper members have lost money in a coordinated attack. The haul: $500,000. What is interesting about the cyber attacks is that they were coordinated and the targets were all superannuation industry bodies. The means of entry was stolen passwords, in an attack known as credential stuffing: username and password pairs stolen in earlier breaches, very possibly bought on the dark web, are replayed against the login pages of other services in the hope that members reused them. The theft didn't involve attacking the cyber defences themselves, but rather logging in with valid credentials. The usual defences are multi-factor authentication that does not rely on SMS, checking passwords against lists of known-breached credentials, and rate limiting and monitoring login attempts per account and per source. As usual in Australia the funds were keen to maintain silence about the breaches. The Australian Retirement Trust denied this by saying that it notified regulators, just not the public. The spokesman was even more crafty with terminology, claiming that the affected customers were notified but not all customers. This lack of candour is not present in the USA when dealing with cyber attacks. That is a much more mature approach.

The story is covered by the Guardian, the Australian Financial Review and Nine amongst others.

The Australian article provides:

Cyber criminals have carried out a co-ordinated hit on some of the country’s biggest super funds including Australian Super, Australian Retirement Trust, Hostplus and Rest, and thousands of members are understood to be affected.

AustralianSuper

AusSuper chief member officer Rose Kerlin said cyber criminals may have used stolen passwords to log into the accounts belonging to 600 of its members “in attempts to commit fraud”.

Four AustralianSuper customers have lost $500,000 in the cyber raids, although the fund moved to assure customers who were seeing a “$0 balance” on their profiles that they had secure accounts.

Rest Super

Rest Super chief executive Vicki Doyle said 8000 member accounts were affected.

It’s understood criminals attempted to use stolen passwords gathered from other hacks — and possibly shared on the dark web — to break into the accounts.

“Over the weekend of March 29-30, 2025, Rest became aware of some unauthorised activity on our online Member Access portal,” she said.

“No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”

Hundreds of Australian Retirement Trust members first had their accounts breached by cyber criminals about a month ago.

Australian Retirement Trust

Despite a spike of suspicious login attempts on March 8 affecting a few hundred Australian Retirement Trust customers, news about the attack – a co-ordinated hack carried out by cyber criminals on multiple funds – only emerged on Friday.

A spokesman for the fund, which manages more than $300bn in superannuation savings, told The Australian the customers were notified at the time.

He said regulatory agencies were notified soon after, and he denied the company kept news about the widespread cyber attack silent.

About another hundred customers were affected by the continued cyber attacks in the same way as that reported by AustralianSuper and Rest – referred to as “credential stuffing”. No ART account money was stolen.

Credential stuffing uses stolen passwords to gain unauthorised access to data.

Insignia Financial

Insignia Financial said it detected suspicious activity on 100 Expand Wrap Platform customers’ accounts early on Monday.

“At this stage there has been no financial impact to customers,” MLC Expand CEO Liz McCarthy said.

“Our Cyber Security team are actively working to apply additional monitoring and mitigations to protect customer accounts. As a precaution we have taken steps to restrict some activities on the Expand Platform.

“Some customers will receive communications prompting them to reset their passwords when they next login to their accounts.

Hostplus

Hostplus chief executive David Elia said the fund was investigating how its members were affected, but said “we can confirm that no Hostplus member losses have occurred”.

“We had seen various attempts to hack into members accounts but none have succeeded to date,” he said.

“We are of course continuing to monitor the situation and are remaining vigilant.”

Political response

Prime Minister Anthony Albanese sought to downplay the major cyber attack, saying they occur every six minutes.

Opposition home affairs spokesman James Paterson accused Mr Albanese of failing to take the superannuation account breaches seriously.

“The Prime Minister clearly doesn’t understand how serious this is when he described it as just ‘a regular issue’,” Senator Paterson said.

National cyber security

National Cyber Security Co-ordinator Lieutenant General Michelle McGuinness said she was aware “cyber criminals are targeting individual account holders of a number of superannuation funds”.

“I am co-ordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cyber security advice,” she said.

“If you have been impacted or are concerned you may have been impacted, follow the advice provided by your super fund.”

A task force has this week been examining the breach. Home Affairs’ National Cyber Security chief is co-ordinating the involvement of government agencies, including the Australian Securities and Investments Commission and the Prudential Regulation Authority, plus major super funds.

The agencies are sharing information to investigate the incident.

Cyber CX chief strategy officer Alastair MacGibbon said there was a “very low chance” of catching the culprits behind the cyber raids.

He said the raids on superannuation accounts appeared to be fraud rather than a cyber intrusion, and should be a wake-up call for financial institutions to implement robust multi-factor authentication.

He said it looked like a case of “credential stuffing”, which involves using stolen usernames and passwords that are already circulating on the dark web.

“While it looks big, it’s not a cyber incident, per se. It’s fraud,” Mr MacGibbon said.

“No one has hacked anything. It’s putting usernames and passwords in, which is different from compromising some common thread between all of the superannuation companies.”

He said superannuation companies, like other financial institutions, needed to secure customers’ accounts with third-party multi-factor authentication systems.

Many super funds, including AustralianSuper and Australian Retirement Trust, have opt-in multi-factor authentication systems in place.

Mr MacGibbon said systems that used SMS messages were not sufficient, because phone SIM numbers could be transferred by fraudsters.

Association of Superannuation Funds of Australia said in a statement it was “aware that last weekend hackers attempted to get through the cyber-defences of a number of superannuation funds”.

“While the majority of the attempts were repelled, unfortunately a number of members were affected. Funds are contacting all affected members to let them know and are helping any whose data has been compromised,” the statement says.
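
As an added example, not code from the original post, from The Australian or from any of the funds named, here is the detection logic a fund could run over its authentication logs to separate the pattern described above (one source replaying stolen credentials against many different member accounts, with mostly failures) from a member retrying their own password. The log format, the IP addresses (RFC 5737 documentation ranges) and the member ids are constructed for the example.

```python
"""Added example, not from the original post or from any superannuation fund:
a credential-stuffing detector run over constructed authentication log lines.
The log format, IP addresses (RFC 5737 test ranges) and member ids are
hypothetical. The signal is the one the post describes: one source trying
many distinct accounts with a low success rate, as opposed to a real member
retrying their own password a few times."""
import re
from dataclasses import dataclass, field

LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not real data). One malformed line is included to
# show that the parser skips what it cannot read rather than crashing.
SAMPLE_LOG = """\
2025-03-29T02:14:07Z ip=203.0.113.7 user=m1041 result=FAIL
2025-03-29T02:14:09Z ip=203.0.113.7 user=m1387 result=FAIL
2025-03-29T02:14:11Z ip=203.0.113.7 user=m1522 result=FAIL
2025-03-29T02:14:13Z ip=203.0.113.7 user=m2207 result=OK
2025-03-29T02:14:15Z ip=203.0.113.7 user=m2381 result=FAIL
2025-03-29T02:14:17Z ip=203.0.113.7 user=m2640 result=FAIL
2025-03-29T02:14:19Z ip=203.0.113.7 user=m2915 result=FAIL
2025-03-29T02:14:21Z ip=203.0.113.7 user=m3004 result=FAIL
2025-03-29T02:20:02Z ip=198.51.100.4 user=m0771 result=FAIL
2025-03-29T02:20:30Z ip=198.51.100.4 user=m0771 result=FAIL
2025-03-29T02:21:05Z ip=198.51.100.4 user=m0771 result=OK
2025-03-29T02:21:06Z malformed line that the parser should skip
2025-03-29T03:02:44Z ip=192.0.2.9 user=m4110 result=FAIL
2025-03-29T03:02:46Z ip=192.0.2.9 user=m4127 result=FAIL
2025-03-29T03:02:48Z ip=192.0.2.9 user=m4250 result=FAIL
2025-03-29T03:02:50Z ip=192.0.2.9 user=m4333 result=FAIL
2025-03-29T03:02:52Z ip=192.0.2.9 user=m4391 result=FAIL
2025-03-29T03:02:54Z ip=192.0.2.9 user=m4478 result=FAIL
"""


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    logged_in: set = field(default_factory=set)  # accounts actually entered

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse(lines):
    """Yield parsed events, skipping lines that do not match the format."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(events, min_accounts=5, max_success_rate=0.2):
    """Return {ip: SourceStats} for sources that look like credential stuffing:
    many distinct accounts from one source and mostly failed logins. A member
    retrying their own password hits one account and so is never flagged."""
    by_ip = {}
    for e in events:
        s = by_ip.setdefault(e["ip"], SourceStats())
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "OK":
            s.successes += 1
            s.logged_in.add(e["user"])
    return {
        ip: s for ip, s in by_ip.items()
        if len(s.users) >= min_accounts and s.success_rate <= max_success_rate
    }


def accounts_to_lock(flagged) -> list:
    """Accounts a flagged source actually got into: these need a forced
    password reset, MFA enrolment and a notification to the member."""
    hit = set()
    for s in flagged.values():
        hit |= s.logged_in
    return sorted(hit)


if __name__ == "__main__":
    flagged = detect(parse(SAMPLE_LOG.splitlines()))
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.users)} accounts tried, success rate {s.success_rate:.2f}")
    print("accounts to lock:", accounts_to_lock(flagged))
```

The one successful login from a flagged source is the case Mr MacGibbon describes: nothing was hacked, a valid password was entered. It is also exactly the point at which a second factor not based on SMS would have turned that OK into a FAIL, and the accounts returned by `accounts_to_lock` are the ones to reset, enrol in MFA and notify. The thresholds are a starting point; a fund would tune them against its own traffic and would key on more than the source IP, since stuffing tools rotate through proxies.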

O’Carroll v Meta: Facebook agrees to stop targeting ads to the plaintiff.

March 25, 2025

Tanya O’Carroll commenced proceedings against Meta seeking orders that Facebook stop using her personal data to create targeted ads on subjects it believed she would be interested in. She argued that Facebook’s targeting was direct marketing under the UK legislation. Meta has settled the claim, agreeing to stop sending her targeted advertisements using her personal information. The Information Commissioner’s Office is very happy. So happy that it issued a statement. The ICO has always regarded targeted advertising as direct marketing under the legislation, and it intervened in the case with an amicus curiae brief.

Under the Australian Privacy Act 1988, Australian Privacy Principle 7 addresses direct marketing, the key points being:

  • APP 7 provides that an organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies. APP 7 may also apply to an agency in the circumstances set out in s 7A.
  • Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.
  • Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always:
    • allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and
    • comply with that request.
  • An organisation must, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.

There has been no similar case in Australia to O’Carroll v Meta.  There is a basis for making the same argument here given the content of APP 7.

The ICO statement provides:

An ICO spokesperson said:

“People have the right to object to their personal information being used for direct marketing, and we have been clear that online targeted advertising should be considered as direct marketing. 

“Organisations must respect people’s choices about how their data is used. This means giving users a clear way to opt out of their data being used in this way. 

“If people believe that an organisation is not complying with their request to stop processing their data, they can file a complaint to us. We will continue to engage with Meta on this issue.”

A BBC article

Privacy Commissioner enters into enforceable undertaking with Oxfam Australia arising from a data breach on 20 January 2021 that resulted in the loss of up to 1.7 million records

February 20, 2025

Today the Privacy Commissioner announced that she has entered into an enforceable undertaking with Oxfam Australia arising from a large data breach on 20 January 2021. What is clear from the undertaking and the Commissioner’s blog is that Oxfam had poor data handling practices and held data long after it was needed. This is a common problem and it aggravates the damage associated with a data breach.

The term of the undertaking is 2 years. The key obligations are found at paragraph 6: within 3 months Oxfam must put in place a coherent system for avoiding the use of shared credentials, enforcing password controls and using multi-factor authentication, and within 6 months it must destroy personal information held for more than 7 years or falling within other specified categories. Oxfam must review all current uses of personal information within 3 months. An expert will review compliance in 12 months' time and Oxfam must implement any recommendations. It will also engage in “a program of public engagement” with the Commissioner and provide to her documents or information she requests from time to time to determine compliance with the Undertaking.

It is a reasonably stringent Undertaking by Australian standards. It is quite lax compared to actions the UK Information Commissioner takes and very easy going compared to the Federal Trade Commission’s enforceable undertakings which often involve swingeing fines and a period of 10 – 20 years of compliance with regular reporting. 

The media release provides:

Privacy Commissioner Carly Kind has accepted an enforceable undertaking (EU) offered by Oxfam Australia (Oxfam).

A data breach was experienced by the not-for-profit in January 2021, and reported to the OAIC in February 2021, following which, the Commissioner initiated an investigation. The data breach resulted in the loss of up to 1.7 million Oxfam records.

The Commissioner’s acceptance of the EU is not a finding that Oxfam has breached the Privacy Act nor the Australian Privacy Principles, but rather highlights the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices.

Oxfam is undertaking a range of measures outlined in the EU, particularly in relation to not storing certain personal information longer than 7 years, avoiding the use of shared credentials, implementing password security controls, sharing staff guidance, procedures and training, and the use of privacy threshold assessments in relation to any project that involves handling personal information for testing purposes.

Oxfam has been working collaboratively with the OAIC across the investigation period, and since offering the enforceable undertaking has contributed to an awareness raising campaign directed at others in the not-for-profit sector in relation to the incident and its response to the incident.

The OAIC has used insights from its investigations into Oxfam’s experience, and the separate data breach which affected the telemarketing firm Pareto, to update its privacy guidance for not-for-profits. The guidance, updated in October 2024 (media release), includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.

Timeline

    • On 20 January 2021 an unknown user gained access to an Oxfam Australia (Oxfam) database.
    • The data breach resulted in the loss of up to 1.7 million Oxfam records.
    • Oxfam was alerted to the incident on 27 January 2021.
    • Oxfam notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) of the incident on 26 February 2021.
    • Oxfam Australia alerted its supporters of the potential risk on 4 February 2021.
    • On 1 March 2021 Oxfam began notifying their supporters about steps that they could take to protect personal information and provided access to IDCARE.
    • On 10 September 2021 the Australian Information Commissioner commenced an investigation into whether Oxfam’s acts and practices met its requirements under the Privacy Act.
    • Privacy Commissioner Carly Kind concluded the investigation in late 2024.
    • Following the conclusion of the investigation, Oxfam presented Privacy Commissioner Carly Kind with their enforceable undertaking on 18 December 2024.
    • Privacy Commissioner Carly Kind accepted the Oxfam enforceable undertaking on 20 December 2024.

Key privacy points for NFPs

    • NFPs may have obligations under the Privacy Act and Australian Privacy Principles when collecting and handling personal information.
    • Regardless of whether the Privacy Act applies to your NFP, good privacy practice can enable you to build trust and maintain stronger relationships with the community and reduce the risk of harm to your entity, staff and supporters which may result from a data breach.
    • It is important to ensure your NFP only collects personal information you need, stores that information securely and deletes the information when it is no longer required.
    • Your NFP should only retain personal information where there is an ongoing need to hold this information. You should make sure that your NFP has systems and processes in place for regularly reviewing whether the retention of information is still required, and destroying or de-identifying personal information that is no longer required.
    • Part of good privacy practice also means being prepared in case things go wrong. Ensuring you have a data breach response plan in place and are familiar with it, will enable you to respond quickly to a data breach.
    • When entering into arrangements with third parties, your NFP should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your NFP and the wider community. Read the terms of your agreement carefully, conduct periodic reviews of arrangements, and ensure the third party deletes any personal information at the end of the contract term.
    • Refer to our privacy guidance for not-for-profits for advice on security of information, and steps your NFP should put in place to ensure compliance with retention and destruction obligations. The guidance also covers what to consider when engaging third-party providers, such as for fundraising, or software vendors.

Note: Commissioner Kind wishes to note that she previously undertook consultancy work for Oxfam Great Britain. Oxfam Australia and Oxfam Great Britain are separate legal entities. Commissioner Kind’s consultancy work was undertaken prior to her appointment as Privacy Commissioner.

The Enforceable Undertaking

Genea, an IVF provider, suffers a significant data breach.

February 19, 2025

Genea, a large IVF provider, has suffered a cyber attack. Today it publicly announced that it has been the subject of a cyber attack. The statement, 19 February 2025: Important update about a cyber incident, is a model of saying precious little.

It provides:

Genea is urgently investigating a cyber incident after identifying suspicious activity on our network. As soon as we detected the incident, we took immediate steps to contain the incident and secure our systems. 
 
Out of an abundance of caution, this included taking some of our systems and servers offline while we investigated the incident. These are now being restored while we continue our investigation.
 
Our ongoing investigation has identified that an unauthorised third party has accessed Genea data. We are urgently investigating the nature and extent of data that has been accessed and the extent to which it contains personal information.
 
We acknowledge the importance that people place on their information, especially in this current environment. We are committed to keeping you updated as we learn more.

Are Genea clinics still open and treatments being provided?

We are working hard to ensure that there is minimal disruption to treatment being provided to our patients. If you do not hear from your local Genea clinic, there is no change to your current treatment schedule.
 

What should I do?

We will communicate with relevant individuals if our investigation identifies any evidence that their personal information has been impacted.

We sincerely apologise for any concern this incident may cause and want to reassure patients that we take your privacy and the security of your data very seriously.
 
We also want to reassure you that our teams of specialists, nurses and office support staff are working tirelessly to ensure that there is minimal disruption to your treatment, which is of our utmost priority and importance.
 

Need to get in touch?

If you have any further questions, please email cyber@genea.com.au.

The statement is more about appearing to provide information while not doing any such thing. There are no details of when the attack occurred, when it was detected or what data was accessed. The ABC’s sleuthing partially filled in those gaps. The ABC suggests the attack occurred sometime over the weekend, when Genea’s phone line went down (which it announced on 14 February – last Saturday), its app was unusable and patients started posting on Genea’s Instagram account. Genea claims to be investigating the extent to which personal information has been accessed. That is improbable. If it is accurate, then the resources it is deploying to determine whether personal information was accessed are inadequate. So Genea’s vague say-nothing media release is less than helpful. IVF patients have a very strong interest in using Genea’s digital resources, are very proactive and many are quite sophisticated. So throwing a digital blanket over a serious breach is a poor way of managing a crisis. Genea’s reluctance to be more open may expose it to more media coverage.

Given the nature of the treatment provided and the likelihood that very sensitive personal information was stored in Genea’s records it is almost certainly a notifiable data breach. 

The story has been reported in

Guardian reports that UK gambling firms secretly sharing user data with Facebook without permission

February 18, 2025

The Guardian’s report Revealed: gambling firms secretly sharing users’ data with Facebook without permission is unfortunately hardly surprising. On this occasion the personal information is going from gambling companies to Meta for it to profile its users and place advertisements.