The Information Commissioner releases its regulatory action priorities for 2025 – 26

July 29, 2025

Today the OAIC released its regulatory action priorities for 2025 – 26. In the privacy sphere the Commissioner states that it is:

Rebalancing power and information asymmetries

The OAIC will focus on sectors and technologies that compromise rights and create power and information imbalances including:

    • the rental and property, credit reporting and data brokerage sectors
    • advertising technology (Ad tech) such as pixel tracking
    • practices that erode information access and privacy rights in the application of artificial intelligence
    • excessive collection and retention of personal information
    • systemic failures to enable timely access to government information

Rights preservation in new and emerging technologies

The OAIC will protect and uphold privacy and information access rights when dealing with new and emerging technologies with high impact, including:

    • facial recognition technology and forms of biometric scanning
    • new surveillance technologies such as location data tracking in apps, cars and other devices
    • the preservation of both privacy and information access rights in government use of artificial intelligence and automated decision making.

It is interesting to note that the Commissioner has previously flagged a focus on data collection by cars.  The Commissioner has already taken action in relation to facial recognition technology.  

The media release Read the rest of this entry »

A representative complaint under the Privacy Act 1988 made against Qantas

July 18, 2025

The Australian reports in Maurice Blackburn launches compensation case against Qantas over cyber attack that a claim against Qantas is in the offing. It is a representative complaint under the Privacy Act 1988. It is also reported in Compensation sought for millions of Qantas customers hit in major cyber data breach. Representative complaints may be commenced under Division 1 of Part V of the Privacy Act. Under section 36 an individual may complain to the Commissioner about an act or practice that is an interference with the privacy of that individual. Under section 38 a representative complaint can be made on behalf of a class if all the members have complaints against the same entity and those complaints arise out of the same circumstances, as they do in this case.

There should be no surprise in Read the rest of this entry »

Bunnings CEO now wants the Government to pass laws to make facial recognition legal after Bunnings was found to have breached the Privacy Act when using facial recognition

July 17, 2025

In November last year Bunnings was found to have breached the Privacy Act 1988 in its use of facial recognition technology without consent, and to have failed to take reasonable steps to notify individuals that their personal information was being collected. There were no meek apologies from Bunnings. It came out saying it had every right to use facial recognition and that it was the most effective way to combat rising crime. It has appealed. Now the Managing Director of Bunnings has come out in an AFR article complaining about the privacy law and wanting new laws to allow facial recognition in stores. That is very curious. To call for a change to the law while appealing a decision involving the extant law is not illegal. But it is quite arrogant. Changing the law to allow for such a carve out would significantly damage the operation of the Privacy Act.

Meanwhile in CBA using facial recognition logins to verify disputed payment the CBA is showing itself to be an enthusiastic user of facial recognition.  

The AFR article Read the rest of this entry »

Qantas data breach follows a familiar pattern in Australia of the company saying too little too late. Soon the legal problems will appear

July 4, 2025

There are three distinct issues that confront a company dealing with a data breach. The first is the legal issue: who to notify, when, and what steps need to be taken to mitigate any loss. The second is the practical and technical issue: finding out how the breach occurred, the extent of the damage and what repairs need to be undertaken. The final is public engagement: notifying the public and the media, advising what went wrong and what is being done to fix the problem. Australian companies are a long way behind their contemporaries in the United States and Europe in sophistication. Given the more effective regulation overseas, companies there are quicker to notify regulators. In the United States there is a culture of more transparent and effective communication with the public. Not always, but commonly. Australian companies tend to be dreadful at advising the public. Many put together bland boilerplate statements which mean nothing, which is their intent. That can lead to escalating problems and great mistrust. And rather than containing the fallout it increases it, as more information leaks about the data breach, much of it inconsistent with the blandly reassuring statements in the media releases.

It is good practice to have a data breach response plan which deals with each issue.  In Australia even the companies that have such a plan rarely conduct practices and simulations.  Many of their lawyers take a very rigid approach to the problem.  As a result many responses are stilted, inflexible, incredibly defensive and often counterproductive.

The ABC piece Qantas executives slow to be seen after data breach affecting up to 6 million customers summarises the problem with tardy and inadequate responses. And so far Qantas's handling has been at best mediocre. About on a par with most large Australian companies hit by a cyber attack. The Australian also covers the response in How Qantas is managing the fallout of a cyber attack targeting the personal details of 6 million people. The article quotes a class action lawyer from Maurice Blackburn on the inadequacy of the privacy laws. She claims that the data breaches in other parts of the world are “..not happening to the scale that it happens in Australia and in part that’s because they have different laws in place that focus on things like data minimisation and higher standards of cyber security.” That is partly correct but mostly not. Australian privacy legislation lags the UK and Europe and even parts of the United States of America, such as California’s Consumer Privacy Act. It is not fit for purpose in the digital age, where the collection of data is easy to do and can be done at a rapid pace and in enormous volume. But the real problem in Australia has been very lax regulation and enforcement. That has led to a culture of complacency. For Read the rest of this entry »

Privacy Awareness week starts and runs to 22 June 2025

June 16, 2025

Today kicks off Privacy Awareness Week for 2025. The Privacy Commissioner has published rights under the Privacy Act 1988, which includes material on the Australian Privacy Principles and privacy guidance. The Victorian Information Commissioner has published a page on Privacy Awareness Week.

Australian Information Commissioner releases latest report on data breaches. Last year, 2024, was a record year for data breaches.

May 19, 2025

The Information Commissioner releases a report of data breaches semi-annually. Those statistics are data breaches reported to the Commissioner under the Notifiable Data Breaches Scheme, or because the organisation or agency chooses to report out of an abundance of caution, or because the data breach has been reported in the media. There is not an automatic requirement to notify the Commissioner of a data breach. And there are entities that are exempt from coverage of the Privacy Act 1988, notably small businesses. And there are organisations that do their best to keep data breaches quiet. According to the report for the period July to December 2024 the Commissioner was notified of 595 data breaches. That makes for a total of 1,113 notifications in the year. That is over 200 more notifications than 2023, which had 893 notifications.

What needs to be understood is that these figures are only reflective of a trend in data breaches. The number of actual data breaches suffered by Australian entities is far larger than those reported to the regulator.

Some interesting statistics regarding Read the rest of this entry »

Victorian Ambulance suffers a data breach with personal data of 3,000 employees hacked

March 29, 2025

The Australian reports that Victorian Ambulance has suffered a data breach involving the personal and financial details of 3,000 employees. This data breach may have been caused by what has been described as a rogue employee. This is not a first for Ambulance Victoria. In 2023 it suffered a privacy breach, that time involving internal sharing of personal information. In the 2023 privacy breach the “..documents have been accessed only a handful of times in the past six months.” An exercise in minimisation. On this occasion the breach, by the employee on his or her last day of service, was detected by systems. In 2019 I posted on a data breach involving NSW Ambulance Offices which resulted in a class action and settlement of $275,000.

Data breaches involving staff going rogue are a chronic problem and can be a difficult problem if there are not proper policies and systems in place.  Some staff or soon to be ex staff are motivated by malice, others by greed and some by curiosity.  It is important to have programs in place that detect suspicious activity, like massive copying or exfiltration.  It is also important to have a data breach response plan, involving roles for members of the organisation.  There also needs to be a plan to take court action if necessary.  It is common to seek injunctive relief against ex staff or consultants who make off with data.  That is not as an alternative to contacting police but complementing such action.

One question the regulators will no doubt ask is Read the rest of this entry »

Metropolitan police in UK install first permanent facial recognition cameras in London

March 25, 2025

The Times reports that the first permanent facial recognition cameras have been installed in London. It is being touted as a pilot project but it may be a precursor to the scheme being extended across London. The Information Commissioner’s Office has released guidance on the use of facial recognition, described as Biometric recognition. It has also issued specific guidance for Live Facial Recognition Technology for police. There have been significant cases of misuse of facial recognition technology, with attendant privacy implications. The misuse of facial recognition by police is well documented. And it is misused by the private sector. In February 2024 the ICO ordered Serco Leisure to stop using facial recognition to monitor employee attendance. The use of CCTV technology and facial recognition technology is more extensive in the United Kingdom than in Australia. That said, the regulator is quite active in reviewing its operation and the legislation is more rigorous than in Australia.

It is likely that the use of facial recognition technology will quickly become more widespread, especially with the use of AI. Doing so without properly adhering to the provisions of the Privacy Act 1988 may attract the attention of the regulator. On 19 November the Privacy Commissioner published a determination finding that Bunnings' use of facial recognition breached the Privacy Act. On the same day the Privacy Commissioner published guidance on the use of facial recognition technology. It is critical that organisations contemplating using this technology understand their obligations under the Privacy Act 1988.

The Times article provides:

Facial recognition cameras that scan for wanted criminals are being installed permanently on UK high streets for the first time.

The Metropolitan Police will permanently put up live facial recognition (LFR) cameras in Croydon, south London, as part of a pilot project that may see the scheme extended across the capital. Read the rest of this entry »

China publishes security measures on the use of facial recognition technology

March 23, 2025

In one of those “one for the books” events, the Chinese agencies, the Cyberspace Administration of China in collaboration with the Ministry of Public Security, have published security measures for the use of facial recognition technology. The measures will take effect on 1 June 2025. Given how intrusive Chinese authorities have been in the past with surveillance and the use of facial recognition technology, it will be interesting to see how much of a real change will result.

The measures apply to activities using facial recognition technology, which is individual biometric recognition technology that uses facial information to identify an individual’s identity, to process facial information within China.

Interestingly, the measures exclude from their scope the processing of facial information for research and development or algorithm training purposes.

Under the measures, facial recognition activities must comply with applicable laws and regulations and, inter alia:

  • have a specific purpose;
  • be necessary;
  • minimise the impact on personal rights and interests; and
  • implement strict protection measures.

Personal information handlers must, inter alia:

  • before processing, inform individuals in a prominent manner and clear and understandable language of certain information, such as contact information and purposes and method of processing;
  • inform individuals of any changes to the information provided to them;
  • when the processing is based on consent, obtain voluntary and explicit consent, including providing the right to withdraw consent;
  • when processing minors’ information, obtain the consent of a parent or other guardian;
  • store facial information on the facial recognition devices and not transmit it through the internet;
  • conduct a Personal Information Protection Impact Assessment (PIPIA) and include the contents outlined in the measures; and
  • if processing data of more than 100,000 individuals, notify the provincial-level or higher cybersecurity and informatization department within 30 working days, and provide the information outlined in the measures.

The measures require personal information handlers to Read the rest of this entry »

Office of the Information Commissioner attends Estimates

March 1, 2025

Senate Estimates is an annual event. For Governments it is a mandatory evil. For oppositions it promises to reveal a cornucopia of information to embarrass the government and burnish their credentials. For the agencies, in particular the public servants who front the various Estimates Committees, it is a burden to be carried as part of the job. This year the Information Commissioner’s attendance before the Legal and Constitutional Affairs Legislation Committee proved to be no different. The Commissioner’s opening statement was the usual anodyne, nothing to see here, statement, providing:

With the chair’s leave I take this opportunity to acknowledge the committee’s role and in doing so provide a brief opening statement outlining the important work of the Office of the Australian Information Commissioner (OAIC).

I appear today with the assistance of the FOI Commissioner Ms Toni Pirani and with the chair’s leave the Privacy Commissioner Ms Carly Kind appearing via link and Executive General Manager, Information Rights Ms Ashleigh McDonald.

Supported by our new organisational structure we are better positioned to operate as a contemporary and proactive regulator. Some of our recent initiatives and outcomes demonstrate our future direction. We have:

    • commenced preliminary inquiries into the privacy impacts of connected vehicles
    • commenced the development of a Children’s Online Privacy Code
    • developed a public facing dashboard to ensure that agency freedom of information (FOI) data is reported and presented more effectively
    • We will shortly deliver a report examining the use of messaging apps by Australian government agencies
    • We are building our strategic intelligence capabilities.

To deliver a proactive and contemporary regulatory approach to benefit the Australian community, agencies and industry alike, we will also focus on building staffing capabilities through an investment in new ways of working and professional development. Within our budgetary parameters, our technology and systems will also be a focus to support our new direction.

However, we are also mindful to deal with our core case management responsibilities and reduce our backlog in both FOI and privacy cases. Our resources are challenged by a 25% increase in FOI Information Commissioner review (IC review) applications compared to the same period last year. This is against a backdrop of an increase in FOI IC review applications over the last 5 years that is estimated to double the number of FOI IC review applications received in 2019–20. We also face an overall growth in privacy case work and increasing complexity in our case work arising from digital services and emerging technologies. This has a particular impact on our privacy case work.

Our enforcement capabilities have been assisted by an increase of funding in recognition of the complexities of enforcement. Similarly designated funding has been provided to the OAIC to develop the Children’s Online Privacy Code and guidance regarding the social media age limit.

Our appearance and preparatory papers are informed by data as at 15 January 2025.  However, to assist the committee, as at 23 February 2025 the OAIC 2024–25 case statistics are as follows:

    • 1,279 FOI review applications were received and 1,494 finalised.
    • 196 FOI complaints were received and 216 finalised.
    • 1,966 privacy complaints were received and 1,687 finalised.

During this period, we also finalised a number of complex privacy matters that have delivered a strong enforcement message and importantly established our expectations of the regulated community. In doing so, we are upholding the rights of privacy and information access enshrined in statute by the Australian Parliament and better serving the values and expectations of the Australian community.

I wish to acknowledge the significant work and expertise of the OAIC leadership in taking forward this major change program and recognise with gratitude OAIC staff for their dedication and commitment as we secure the fundamental human rights of privacy and information access in an increasingly complex environment.

The hearing before the Estimates Committee focused on the reduction in staffing in the Office from 200 to 138 staff. A 23% reduction in staff. Also of interest is the Privacy Commissioner’s admission that the findings of the Property Lovers determination are not being complied with. In short, the behaviour complained of is continuing. The Privacy Commissioner is investigating what to do next.

An understaffed office is bad news for effective regulation.  That has been a chronic problem for this office.  Fortunately there will be a statutory tort as of June 2025 so in many cases individuals will not need to rely on the Commissioner taking up an investigation from a member of the public.

The Transcript provides:

CHAIR: With 20 minutes to go in our hearing, we’re going to politely and apologetically, dismiss the Australian Human Rights Commission. We won’t get to them this evening. We thank them for their time and for travelling. We do have questions for them, but we won’t have time to put them. We thank them for their ongoing work, particularly in the current environment. I know they’re working very hard. So thank you very much.

Welcome, commissioners. Do you have an opening statement you’d like to table?

Ms Tydd : I do have a very brief opening statement and I’m happy to table that.

CHAIR: Thank you very much. That will be circulated to senators so they can read from that when they have it in front of them. In the meantime, I’ll pass the call to Senator Scarr.

  Senator SCARR: Commissioner, how many staff have left the OAIC since August last year?

Ms Tydd : I don’t think I could speak with authority from the date of August, but I can give you the very high-level numbers of staffing pre and post our organisational redesign.

  Senator SCARR: Can you give me the dates for the organisational redesign, so I can calibrate that with my August date?

Ms Tydd : Yes. That was finalised in mid-November, about 17 November. The organisational redesign responded to our significant budgetary situation, in which we would be operating at a deficit. Action was taken around that. At the time, in July, we had an FTE of just over 200. Our organisational redesign that allowed us to operate within our budgetary parameters—

  Senator SCARR: Sorry; it’s late. I’ve got to get these numbers right. In July your FTE was just over 200?

Ms Tydd : Correct. And our ASL cap came down to 173. We knew that within our budgetary parameters we’d need to operate at around 165. We didn’t purely look at staffing levels in relation to meeting our budgetary parameters; we looked at a range of measures. They included external supply costs. Legal costs were something that we focused on as well. So, yes, we were required to reduce staffing in response to our revised budgetary parameters, and that process was completed around mid-November.

  Senator SCARR: Okay. What were the FTE numbers as at mid-November, when you completed that process?

Ms Tydd : There probably was still some lag. I’d say it would be about 175. I’ll see if I have any dates that will help you further. I can tell you that as at 18 December, as we were still working through that process, our staffing level was 175.

  Senator SCARR: Do you have the data as at today or the most recent data as at the end of the month? Do you have any most recent data?

Ms Tydd : As at 29 January, it was 138.4.

  Senator SCARR: So you went from 175 as at 18 December—that was the figure you gave?—

Ms Tydd : Correct.

  Senator SCARR: to 138.4 as at 29 January?

Ms Tydd : That’s correct, with a headcount of 156.

  Senator SCARR: Okay, so you’ve got part-time—

  Senator SHOEBRIDGE: So as we don’t have to traverse across this, do you mind if I ask: you’ve been talking FTE all the time through, so these have all been the same dataset of FTE, full-time equivalents?

Ms Tydd : Yes.

  Senator SCARR: So you went from—we’ll try and use the common terminology—FTE as at 18 December of 175 to FTE as at 29 January, which is only a month later, of 156. Is that correct?

Ms Tydd : The figure I have is 138.4.

  Senator SCARR: 175 to 138.4?

Ms Tydd : Yes. They’re the figures I have before me. Read the rest of this entry »