Privacy Commissioner publishes statistics for April – June 2014

July 29, 2014

The Office of the Australian Information Commissioner has published its most recent statistics relating to the last quarter.  They are found here.  The media release is found here.

Regarding privacy related work the OAIC made the following comments:

  • Phone enquiries: handled 16,486 phone enquiries (18,238 in 2012–13) — a 9% increase in privacy phone enquiries, which are 71% of the total
  • Written enquiries: answered 3742 written enquiries (3165 in 2012–13) — a 26% increase in privacy written enquiries, which are 64% of the total
  • Privacy complaints: received 4243 complaints (184% increase), and completed 2616 (74% increase). The average closure rate was 7.2 privacy complaints per day (90% increase), and the average completion time was 86.7 days (44% decrease)
  • Privacy audits: conducted 8 audits (60% increase)
  • Data breach notifications (DBNs): handled 73 DBNs (55% increase)
  • Privacy investigations: conducted 13 Commissioner-initiated investigations (32% decrease), and published 4 reports
  • Advice, guidance and submissions: published 20 guideline items, conducted 22 consultations, provided 133 written policy advices, and made 17 submissions
  • Website visits: received 1.51 million website visits (10% increase)


Pound Road Medical Centre: Own motion investigation report by Privacy Commissioner

July 15, 2014

The Privacy Commissioner has conducted an own motion investigation into Pound Road Medical Centre. The investigation applied to the Privacy Act prior to the amendments taking effect on 12 March 2014.  

FACTS

On 23 November 2013, a shed located at 16 Amberley Park Drive, Narre Warren South was broken into. There were boxes of medical records located in a locked shed. During the break-in the boxes, and therefore the documents, were compromised. The medical records were created when PRMC operated as a medical centre at the site. PRMC ceased operating the medical practice at the site from 6 April 2011, and since this date has conducted its practice from new premises.

In about October 2012, the records were transferred from a locked room inside the site to the shed so that renovations for sale of the site could occur. The  shed door was locked with three padlocks. PRMC believed that all the paper-based health records stored at the site were transferred to a locked store at its new premises.

A representative from PRMC initially visited the site two to three times a week and later once a week for purposes of maintenance, repairs and renovations to prepare the site for sale.

The Office of the Australian Information Commissioner (OAIC) was notified that there were boxes of unsecured medical records at the site on 25 November 2013.

The personal information compromised in the data breach consisted of:

  1. patients’ ‘identifying particulars’,

Privacy Commissioner and estimates

June 2, 2014

Senate estimates are both a valuable part of the democratic process, holding governments accountable and reviewing expenditure, and good media fodder. They can also be tedious.

The Legal and Constitutional Affairs Committee quizzed the Information Commissioner and the Privacy Commissioner on 29 May 2014. It is found here. Noteworthy comments were:

Data Breach notification.

Senator SINGH: Professor McMillan, I want to ask about privacy alerts and whether you support the introduction of mandatory notification requirements for serious breaches of data.

CHAIR: Senator Singh, this might have to be your last question because I have four other senators and 15 minutes left. So could you make this your last question?

Prof. McMillan : Legislation was introduced into the parliament under the previous government for mandatory notifications.

Senator SINGH: Yes, I have now introduced a private member’s bill.

Prof. McMillan : It was called the privacy alerts bill. At the time the Office of the Australian Information Commissioner put out a statement saying that it supported the passage of that legislation. We have made no subsequent statement on the issue.

Senator SINGH: You obviously stand by that previous statement. Are you aware of what significant data breaches have occurred in the last few years?

Prof. McMillan : I will transfer that question to the Privacy Commissioner.

Mr Pilgrim : Yes, we are aware, obviously, of a number of major data breaches that have occurred over the last few years. Just to give you an idea, they will vary in severity and the number of people that have been impacted. For example, in the current year, 2013-14, we have become aware of

Disbandment of OAIC and Privacy Commissioner moves to Human Rights Commission

May 14, 2014

Last night’s budget held an unwelcome development for the Information Commissioner’s office: there will be no Information Commissioner come 1 January 2015. The Privacy Commissioner, a statutory office, will move to the Human Rights Commission and work out of Sydney.

The OAIC were well and truly quick off the mark in the legacy exercise with a statement (found here) which provides:

We acknowledge the Australian Government’s Budget decision on Tuesday 13 May 2014 to disband the Office of the Australian Information Commissioner (OAIC) by 1 January 2015.

We note that the Freedom of Information Act 1982 (FOI Act) and the Privacy Act 1988 (Privacy Act), which confer valuable information rights on the Australian community, will continue to operate (as amended to reflect the abolition of the OAIC). The Privacy Act will continue to be administered by the Privacy Commissioner and supporting staff from an office based in Sydney. The

Privacy Commissioner’s speeches during Privacy Week

During Privacy Week the Privacy Commissioner gave, or at least published on the OAIC website, 3 speeches: Mapping data breach notification, Privacy matters and Defining the sensor society.

They relevantly provide:

Defining the sensor society

It’s a pleasure to be here to speak to you today for Privacy Awareness Week, especially with so much going on in the privacy sphere lately.

Defining the sensor society is an ambitious and important topic for a two day conference. As Australia’s Privacy Commissioner, you will not be surprised to learn that, in my view, any discussion of this topic should have privacy and the protection of personal information at its core. And so I am encouraged to see that is the case in a number of the presentations that you will hear over the next two days.

Privacy is rarely out of the news these days. The media continues to report on exciting new technologies as well as on activities that raise privacy questions and

Privacy Commissioner issues a guide to developing an APP Privacy Policy

May 5, 2014

As part of Privacy Awareness Week the Privacy Commissioner has released a guide to developing an APP privacy policy. The Privacy Policy, if drafted properly, should be the cornerstone of a compliance structure under the Privacy Act. To prepare a privacy policy which actually fulfils the requirements of APP 1, an APP entity will need to understand the nature of the data it collects, uses and discloses, the data flows and how it properly manages that data, including the programs, protocols and training in place. A privacy policy is not a pro forma where an organisation fills in a gap here and completes a sentence there. Organisations handle information in different ways, depending on the type of business/activity and the way it has developed over time. That said, some organisations have had professionals offer them a package involving a privacy policy which could only be done in the most general terms. That misses the point, doesn’t comply with the guide, doesn’t come close to complying with the APPs and has no relationship to the privacy by design concept. The guide makes it clear that more is expected of privacy policies than is commonly the case. The real impact of the guide is the proactive steps the Privacy Commissioner takes to have organisations meet the minimum standards. With greater enforcement powers as of March 2014 he will

The Australian Retail Credit Association applies to vary the Credit Reporting Code

April 3, 2014

On 31 March 2014 the Australian Retail Credit Association (the “ARCA”) applied to vary the Credit Reporting Code to extend, from 5 days to 14 days, the grace period before repayment history is classified as a missed payment.

The Privacy Commissioner is considering the application. It is unlikely that he will reject it. It is a pro-consumer amendment being sought by the ARCA.

The CR Code is found here.

New changes to Privacy Act leads to increased transparency on data flows… and maybe varying interpretations as to how the APPs and Guidelines operate

March 13, 2014

The amendments to the Privacy Act are one day old but the changes are already becoming apparent, at least in terms of disclosure of where data sent offshore is going. That is an obligation under the Australian Privacy Principles (the APPs), in particular APPs 1 and 8.

Itnews, in Aussie blue-chips reveal extent of data offshoring, has done a quick review based on disclosures to date. It is an excellent article. The United States leads the pack in terms of destination of data, followed by the United Kingdom, India and the Philippines (no doubt call centre and support service oriented), New Zealand, Singapore and China. The piece also shows how companies are interpreting the requirements set out in the APPs regarding disclosure, with Coles being on the open side while Westfield and Holden are more opaque. Clearly this is a matter requiring consideration by the Privacy Commissioner in the short to medium term. If organisations and agencies feel

Privacy Commissioner issues notice about Privacy Laws changing tomorrow

March 11, 2014

For those following this site the existence of amendments to the Privacy Act 1988 is trite and the fact that they will take effect tomorrow is obvious and well known. The Privacy Commissioner has put out a media release to that effect with Privacy laws change tomorrow. Not Byronesque but clear and to the point as headings go. What more can you expect from a heading?

It relevantly provides:

Important changes to the Privacy Act 1988 commence on 12 March 2014.

The changes include

ACMA and Office of the Information Commissioner find Telstra breached the law

Today the Privacy Commissioner found that Telstra breached the National Privacy Principles 4.1, 4.2 and 2.1 arising out of the leak of personal information of 15,775 customers. The Privacy Commissioner’s finding is found here. The ACMA also found Telstra breached the Telecommunications Consumer Protections Code. Its finding is found here.

The reportage has been long and loud.  The Age report is found here at Telstra breaches privacy of thousands of customers, the ABC with Telstra fined after breaching privacy of 15,775 customers and itnews with Telstra breached Privacy Act by exposing user data with the Australian’s Telstra leak breached privacy law: reports.

The Privacy Commissioner’s decision, absent footnotes, provides:

Overview

On 24 May 2013, the Australian Privacy Commissioner (the Commissioner) opened an own motion investigation into Telstra Corporation Limited (Telstra). This was in response to media allegations that personal information of Telstra customers was accessible online, which Telstra confirmed.

The Commissioner’s investigation focused