OAIC releases the 2012 – 13 annual report

October 31, 2013

The Office of the Australian Information Commissioner has released its annual report today.  It is found here.

It is a voluminous document, which is normal for an agency.  Chapter 7 deals with privacy compliance.  It provides:

Privacy compliance

Overview

To ensure that privacy is valued and respected in Australia, the Office of the Australian Information Commissioner (OAIC) undertakes a wide range of compliance activities.

These include running a telephone and written enquiry service, investigating and resolving individual complaints, conducting audits and data-matching inspections, conducting own motion investigations (OMIs) and receiving and reviewing data breach notifications (DBNs).

In 2012–13, the OAIC received 1496 complaints

AAPT found by the Privacy Commissioner to have breached the Privacy Act 1988 as a result of an own motion investigation

October 16, 2013

The Privacy Commissioner has issued a media release announcing a privacy breach by AAPT. The breach involved a failure to adequately protect data from unauthorised access (a hacking attack). As it transpires, AAPT had failed to destroy or de-identify old data it held.

The media release (found here) provides:

The Australian Privacy Commissioner, Timothy Pilgrim, has found AAPT Limited breached the Privacy Act for failing to adequately protect customer data from unauthorised access. The Commissioner also found that AAPT had failed to comply with its obligation to destroy or permanently de-identify information no longer in use.

In July 2012, AAPT customer data held on servers hosted by IT contractor Melbourne IT, was hacked and published online.

‘While I

Privacy Commissioner issues guidelines for recognising external dispute resolution schemes

October 2, 2013

On 27 September 2013 the Privacy Commissioner issued Guidelines for recognising external dispute resolution schemes under section 35A of the Privacy Act 1988. It is part of the Privacy Commissioner’s roll-out of guidelines, codes and policies in anticipation of the amendments to the Privacy Act coming into effect on 12 March 2014. It is very commendable and entirely appropriate. The real test is the approach the Privacy Commissioner takes once he is armed

Privacy Commissioner issues guidelines for developing codes

Last Friday the Privacy Commissioner issued guidelines under Part IIIB of the Privacy Act.  The document is Guidelines for developing codes.

It provides, absent introduction and annotations:

Key terms

The following terms used in these Guidelines are defined in s 6(1) of the Privacy Act 1988 (Privacy Act):

Agency; APP code developer; APP entity; credit provider; credit reporting body; credit reporting complaint; CR code developer; entity; personal information

The following terms used in these Guidelines are also defined in the Privacy Act (other than in s 6(1)):

APP code has the meaning given in s 26C of the Privacy Act

Australian Privacy Principles is defined

Draft Guidelines for APPs 6 – 11 released for consultation today

September 20, 2013

The Australian Privacy Commissioner has released its draft guidelines regarding APPs 6 – 11 for consultation.  Consultation is open until 21 October 2013.  They are found here.

I have extracted the draft guidelines below, absent indexes and footnotes.


Australian Privacy Principle 6 – use or disclosure of personal information

Key points

  • APP 6 outlines when an APP entity may use or disclose personal information.
  • An APP entity can only use or disclose personal information for the particular purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.
  • The exceptions include where:
    • the individual has consented to a secondary use or disclosure
    • the individual would reasonably expect the APP entity to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose
    • the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order
    • a permitted general situation exists in relation to the secondary use or disclosure
    • the APP entity is an organisation and a permitted health situation exists in relation to the secondary use or disclosure
    • the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, or
    • the APP entity is an agency (other than an enforcement body) and discloses biometric information or biometric templates to an enforcement body, and the disclosure is conducted in accordance with guidelines made by the Information Commissioner for the purposes of APP 6.3.

What does APP 6 say?

6.1 APP 6 outlines when an APP entity may use or disclose personal information. The intent

Privacy Commissioner releases draft guidelines on Australian Privacy Principles 1 – 5 and on general matters relating to APPs.

August 25, 2013

The Privacy Commissioner has released draft chapters of the guidelines as part of the consultation process.  Comments close on 20 September 2013. They can be found here.

The Guidelines (absent index) provide:

Chapter A — Introductory matters
Purpose
A.1    The Australian Information Commissioner issues these Australian Privacy Principles Guidelines (APP guidelines) under s 28(1) of the Privacy Act 1988.  These guidelines are not a legislative instrument (s 28(4)).
A.2    The APP guidelines outline how the Information Commissioner interprets and applies the APPs when exercising functions and powers under the Privacy Act relating to the APPs.
Australian Privacy Principles (APPs)
A.3    The APPs are the cornerstone of the privacy protection framework in the Privacy Act. The APPs set out standards, rights and obligations in relation to

Privacy Commissioner says website privacy policies are too long and complex

August 15, 2013

The Privacy Commissioner has issued a media release, Privacy Commissioner: Website privacy policies are too long and complex, announcing the release of what he calls a “privacy sweep” of websites used by most Australians. He found nearly 50% of website policies were difficult to read. In my professional experience it is usually more than that, and sometimes “difficult” merges into completely incoherent.

The summary of the sweep is:

the OAIC examined

Senate Standing Committees on Legal and Constitutional Affairs endorses the Privacy Amendment (Privacy Alerts) Bill 2013

June 25, 2013

The Senate Standing Committees on Legal and Constitutional Affairs has reported on the Privacy Amendment (Privacy Alerts) Bill 2013.  The Committee endorsed the Bill.

The report relevantly provides (absent footnotes, introduction and appendices):

RECOMMENDATION
Recommendation 1
2.30 The committee recommends that the Senate pass the Bill.

CHAPTER 1
INTRODUCTION
1.1 On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (Bill) was introduced into the House of Representatives by the Attorney-General, the Hon. Mark Dreyfus QC MP. On 17 June 2013, the Bill was introduced into the Senate and was referred on 18 June 2013 to the Legal and Constitutional Affairs Legislation Committee (committee) for inquiry and report by 24 June 2013.
Background to the Bill
1.2 In his second reading speech, the Attorney-General

Bills digest of the Privacy Amendment (Privacy Alerts) Bill 2013

June 23, 2013

The Parliamentary Library has prepared a Bills Digest on the Privacy Amendment (Privacy Alerts) Bill 2013.  It is found here.

As usual it is an excellent resource. It provides:

Structure of the Bill

The Bill contains one Schedule of amendments to the Privacy Act. The main amendment in Schedule 1 is item 4 which inserts a new Part IIIC, titled ‘Data breach notification’, into the Privacy Act following existing Part IIIB. This new Part contains the substantive elements of the mandatory data breach notification provisions, which apply to entities that are regulated by the Privacy Act.

The new Part IIIC is divided into three Divisions. Broadly, the first Division sets out when a ‘serious data breach’ will have occurred, the second Division contains obligations for entities to notify of that serious data breach, subject to certain exceptions. The third Division concerns general matters including relevant definitions specific to Part IIIC and application provisions.

Background

Data breach notifications

As the Explanatory Memorandum notes, mandatory data breach notification commonly refers to:

… a legal requirement to provide notice to affected persons and the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons. Such unauthorised access may occur following a malicious breach of the secure storage and handling of that information (e.g. a hacker attack), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise.

Data breach notification is

Submissions received by the Legal and Constitutional Affairs Committee regarding the Privacy Amendment (Privacy Alerts) Bill 2013

June 22, 2013

The Committee has received 20 submissions on the Bill. That is impressive given there were effectively only 2 days between referral and the cut-off for lodging submissions.

The submissions are:

Fundraising Institute Australia.

Opposed. It says, in part:

… the Fundraising Institute Australia believes that insufficient consideration has been given to the effect which mandatory data breach notification would have on charities and not-for-profit organisations. Government decision-makers seem unaware that fundraisers use extensive donor databases in the same way as business organisations do.

…

The additional burden and cost of