August 25, 2013
The Privacy Commissioner has released draft chapters of the guidelines as part of the consultation process. Comments close on 20 September 2013. They can be found here.
The Guidelines (absent index) provide:
Chapter A — Introductory matters
Purpose
A.1 The Australian Information Commissioner issues these Australian Privacy Principles Guidelines (APP guidelines) under s 28(1) of the Privacy Act 1988. These guidelines are not a legislative instrument (s 28(4)).
A.2 The APP guidelines outline how the Information Commissioner interprets and applies the APPs when exercising functions and powers under the Privacy Act relating to the APPs.
Australian Privacy Principles (APPs)
A.3 The APPs are the cornerstone of the privacy protection framework in the Privacy Act. The APPs set out standards, rights and obligations in relation to
August 15, 2013
The Privacy Commissioner has issued a media release, Privacy Commissioner: Website privacy policies are too long and complex, announcing the release of what he calls a “privacy sweep” of websites used by most Australians. He found nearly 50% of website policies were difficult to read. In my professional experience it is usually more than that and sometimes difficult merges into completely incoherent.
The summary of the sweep is:
the OAIC examined
June 25, 2013
The Senate Standing Committees on Legal and Constitutional Affairs has reported on the Privacy Amendment (Privacy Alerts) Bill 2013. The Committee endorsed the Bill.
The report relevantly provides (absent footnotes, introduction and appendices)
RECOMMENDATION
Recommendation 1
2.30 The committee recommends that the Senate pass the Bill.
CHAPTER 1
INTRODUCTION
1.1 On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (Bill) was introduced into the House of Representatives by the Attorney-General, the Hon. Mark Dreyfus QC MP. On 17 June 2013, the Bill was introduced into the Senate and was referred on 18 June 2013 to the Legal and Constitutional Affairs Legislation Committee (committee) for inquiry and report by 24 June 2013.
Background to the Bill
1.2 In his second reading speech, the Attorney-General
June 23, 2013
The Parliamentary Library has prepared a Bills Digest on the Privacy Amendment (Privacy Alerts) Bill 2013. It is found here.
As usual it is an excellent resource. It provides:
Structure of the Bill
The Bill contains one Schedule of amendments to the Privacy Act. The main amendment in Schedule 1 is item 4 which inserts a new Part IIIC, titled ‘Data breach notification’, into the Privacy Act following existing Part IIIB. This new Part contains the substantive elements of the mandatory data breach notification provisions, which apply to entities that are regulated by the Privacy Act.
The new Part IIIC is divided into three Divisions. Broadly, the first Division sets out when a ‘serious data breach’ will have occurred, the second Division contains obligations for entities to notify of that serious data breach, subject to certain exceptions. The third Division concerns general matters including relevant definitions specific to Part IIIC and application provisions.
Background
Data breach notifications
As the Explanatory Memorandum notes, mandatory data breach notification commonly refers to:
… a legal requirement to provide notice to affected persons and the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons. Such unauthorised access may occur following a malicious breach of the secure storage and handling of that information (e.g. a hacker attack), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise.
Data breach notification is
June 22, 2013
The Committee has received 20 submissions to the Bill. That is impressive given there was effectively 2 days from referral to cut off period to lodge submissions.
The submissions are:
Fundraising Institute Australia.
Opposed. It says, in part:
.. the Fundraising Institute Australia believes that insufficient consideration has been given to the effect which mandatory data breach notification would have on charities and not-for-profit organisations. Government decision makers seem unaware that fundraisers use extensive donor databases in the same way as business organisations do.
………
The additional burden and cost of
June 4, 2013
In this post I have undertaken a general review of the Privacy Amendment (Privacy Alerts) Bill 2013 and each of its provisions. The Bill’s homepage is found here.
SECOND READING SPEECH
In any review it is useful to set out the second reading speech of the Minister responsible for the legislation. In this case that is the Attorney General, Mark Dreyfus.
It provides:
The introduction of the Privacy Amendment (Privacy Alerts) Bill 2013 is the next key step in the government’s major reform of Australia’s privacy laws.
It is a long overdue measure that was recommended by the Australian Law Reform Commission in 2008.
It will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices.
In its 2008 privacy report, the Australian Law Reform Commission found that, as government agencies and large companies collected more and more personal information online, there was an increasing risk that this could become subject to data breaches. There were studies to show that the frequency of data breaches was increasing and their consequences were becoming more severe.
This trend has continued
May 28, 2013
The Attorney General held a press conference and issued a press release announcing the introduction into the Parliament of legislation requiring mandatory notification of data breaches which affect privacy.
The press release states:
PRIVACY ALERTS TO NOTIFY AUSTRALIANS OF DATA BREACHES
New laws to be introduced in Parliament tomorrow will require businesses and government agencies to notify people when a data breach affecting their privacy occurs.
“With businesses and government agencies holding more information about Australians than ever before, it is essential
May 20, 2013
Today the Privacy Commissioner issued a press release regarding cyber security in line with National Cyber Security Awareness week, commencing today.
It states, in part:
Australian Privacy Commissioner, Timothy Pilgrim today encouraged all Australians to take steps to protect their personal information during National Cyber Security Awareness Week (20 to 24 May 2013). The aim of the Awareness Week is to help people understand the simple steps they can take to protect their personal and financial information when online.
‘The web has
May 10, 2013
The Privacy Commissioner has published the speech he gave last week. It can be found here.
Below is a slightly edited transcript. It relevantly provides:
Privacy law reform—Get in on the Act
…………..
Privacy law reform
It should be no surprise that privacy law reform is a priority for business. It is fair to say that the Privacy Amendment (Enhancing Privacy Protection) Act 2012 will bring about the most significant changes in privacy regulation and compliance for over two decades.
In the time I have with you today, I will set out some of the key changes to the Privacy Act. In particular, I will talk about the new Australian Privacy Principles (or APPs) and the enhanced powers that will be available to me to resolve investigations. I also want to let you know how we will assist you prepare for the changes.
The APPs
Thirteen new APPs will apply to
April 6, 2013
On 3 April 2013 ARCA released its draft of the new CR Code, an integral part of the regulatory framework of those governed by the Credit Reporting provisions of the Privacy Act.
The public consultation closes on 5 May 2013.
The Information Commissioner’s media release of yesterday’s date is found here.
The draft CR Code and details for lodging a submission can be found here.
Part of the ARCA submission