The Credit Reporting Code registered 22 January 2014

January 22, 2014

The Privacy Commissioner registered the Credit Reporting Code today, 22 January 2014. The relevant OAIC page is found here. The PDF of the 47-page CR Code (with some scrambling on the first page) is found here.

Privacy Commissioner issues a reminder about the changes to the Privacy Act

January 13, 2014

In Know your privacy rights the Privacy Commissioner has posted a reminder of the upcoming changes to the Privacy Read the rest of this entry »

Mobile Apps provide a significant privacy risk in Australia and overseas. Snapchat breaches provide another example

January 6, 2014

Mobile apps are privacy-invasive time bombs that unfortunately go off far too often. This issue is now on the radar of information commissioners around the world. And not before time.

The Privacy Commissioner has issued a guide on mobile apps (found here) and a checklist (found here). The Warsaw Declaration on the appification of society, adopted at the 35th International Conference of Data Protection and Privacy Commissioners, stated:

Nowadays, mobile applications (apps) are ubiquitous. On our smart phones and tablets, in cars, in and around the house: a growing number of items have user interfaces connected to the internet. Currently, over 6 million apps are available in both the public and private sector. This number is growing by over 30,000 a day. Apps are making many parts of our day-to-day lives more Read the rest of this entry »

Privacy Commissioner speech at the iaapANZ summit 25 November 2013

November 26, 2013

For those interested in gauging the approach the Privacy Commissioner will take to his soon-to-be-acquired enforcement powers, his Read the rest of this entry »

Privacy Commissioner releases draft guidelines on APP 12 and 13

November 19, 2013

Today the Privacy Commissioner released draft guidelines on APPs 12 and 13. Consultations will be open until 16 December 2013 (with a special note that no extensions will be granted after that date. A bit of a disappointment for those wanting to type away on 24 December 2013. Bah Humbug!). The Draft Guidelines are found here.

The Commissioner included a note to the Guidelines for APP 12 and 13, being:

Note 2: In developing Chapter 12, the OAIC has made some textual changes to the discussion of ‘unlawful’ from that in draft Chapter C (Permitted general situations). Also, in developing Chapter 13, the OAIC has made some textual changes to the discussion of ‘accurate’, ‘up-to-date’, ‘complete’ and ‘relevant’ from that outlined in draft Chapter 10 (Quality of personal information). Neither of these changes reflect a consideration of the submissions received on draft Chapter C or draft Chapter 10, which will be considered in due course.

The guidelines to APP 12 provide, absent summary and footnotes:

What does APP 12 say?

12.1 An APP entity that holds personal information about an individual must Read the rest of this entry »

OAIC releases the 2012 – 13 annual report

October 31, 2013

The Office of the Australian Information Commissioner has released its annual report today. It is found here.

It is a voluminous document, which is normal for an agency. Chapter 7 deals with privacy compliance. It provides:

Privacy compliance

Overview

To ensure that privacy is valued and respected in Australia, the Office of the Australian Information Commissioner (OAIC) undertakes a wide range of compliance activities.

These include running a telephone and written enquiry service, investigating and resolving individual complaints, conducting audits and data-matching inspections, conducting own motion investigations (OMIs) and receiving and reviewing data breach notifications (DBNs).

In 2012–13, the OAIC received 1496 complaints Read the rest of this entry »

AAPT found by the Privacy Commissioner to have breached the Privacy Act 1988 as a result of an own motion investigation

October 16, 2013

The Privacy Commissioner has issued a media release announcing a privacy breach by AAPT. The breach involved a failure to adequately protect data from unauthorised access (a hacking attack). As it transpires, AAPT had also failed to destroy or de-identify old data it held.

The media release (found here) provides:

The Australian Privacy Commissioner, Timothy Pilgrim, has found AAPT Limited breached the Privacy Act for failing to adequately protect customer data from unauthorised access. The Commissioner also found that AAPT had failed to comply with its obligation to destroy or permanently de-identify information no longer in use.

In July 2012, AAPT customer data held on servers hosted by IT contractor Melbourne IT, was hacked and published online.

‘While I Read the rest of this entry »

Privacy Commissioner issues guidelines for recognising external dispute resolution schemes

October 2, 2013

On 27 September 2013 the Privacy Commissioner issued Guidelines for recognising external dispute resolution schemes under section 35A of the Privacy Act 1988. It is part of the Privacy Commissioner's roll-out of guidelines, codes and policies in anticipation of the amendments to the Privacy Act coming into effect on 12 March 2014. It is very commendable and entirely appropriate. The real test is the approach the Privacy Commissioner takes once he is armed Read the rest of this entry »

Privacy Commissioner issues guidelines for developing codes

Last Friday the Privacy Commissioner issued guidelines under Part IIIB of the Privacy Act.  The document is Guidelines for developing codes.

It provides, absent introduction and annotations:

Key terms

The following terms used in these Guidelines are defined in s 6(1) of the Privacy Act 1988 (Privacy Act):

Agency; APP code developer; APP entity; credit provider; credit reporting body; credit reporting complaint; CR code developer; entity; personal information

The following terms used in these Guidelines are also defined in the Privacy Act (other than in s 6(1)):

APP code has the meaning given in s 26C of the Privacy Act

Australian Privacy Principles is defined Read the rest of this entry »

Draft Guidelines for APPs 6 – 11 released for consultation today

September 20, 2013

The Australian Privacy Commissioner has released draft guidelines regarding APPs 6 to 11 for consultation. Consultation is open until 21 October 2013. They are found here.

I have extracted the draft guidelines below, absent indexes and footnotes.


Australian Privacy Principle 6 – use or disclosure of personal information

Key points

  • APP 6 outlines when an APP entity may use or disclose personal information.
  • An APP entity can only use or disclose personal information for the particular purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.
  • The exceptions include where:
    • the individual has consented to a secondary use or disclosure
    • the individual would reasonably expect the APP entity to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose
    • the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order
    • a permitted general situation exists in relation to the secondary use or disclosure
    • the APP entity is an organisation and a permitted health situation exists in relation to the secondary use or disclosure
    • the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, or
    • the APP entity is an agency (other than an enforcement body) and discloses biometric information or biometric templates to an enforcement body, and the disclosure is conducted in accordance with guidelines made by the Information Commissioner for the purposes of APP 6.3.

What does APP 6 say?

6.1 APP 6 outlines when an APP entity may use or disclose personal information. The intent Read the rest of this entry »