Information Commissioner starts investigation into Medibank while cyber gang escalates its demands…the data breach is taking on the appearance of a saga.

October 21, 2022

The Office of the Information Commissioner announced today that it was “making inquiries into Medibank.” The ostensible reason was to ensure that it complied with the Notifiable Data Breaches Scheme.  Given the circumstances it had ample power to do an own motion investigation in any event.  Given Medibank’s spluttering initial response to the data breach it is not surprising that this is the basis chosen.

The OAIC media release provides:

The Office of the Australian Information Commissioner (OAIC) is making preliminary inquiries with Medibank following its cyber incident, to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme.

As information is gathered and assessed, the number one priority is ensuring that Medibank customers have information and resources available to take steps to protect themselves from any risk arising as a result of their personal information being compromised.

“This matter is understandably of great concern, given the sensitive information that may be involved,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said. Read the rest of this entry »

Information Commissioner issues a statement regarding the MyDeal data breach

October 17, 2022

The Australian mandatory data breach notification regime, while 4 years old, has not attracted the public profile of other regimes overseas and had not resulted in high profile notifications until the Optus Data Breach.  In some American states notifications must be made to authorities who publish broad details of the data breach and how many residents of the state have been affected.  As such there is a better understanding of the frequency of data breaches and Read the rest of this entry »

The Australian Information Commissioner releases guidance for retention and deletion of personal information collected during COVID 19

July 29, 2022

The Australian Information Commissioner (the “Commissioner”) has released brief but quite specific and detailed guidance on the retention and deletion of personal information. It is entirely reasonable to release guidance now, given that restrictions throughout the country have largely been removed and there is no longer a requirement to collect masses of personal information.

But now organisations and agencies have an enormous amount of personal information which was collected for the purpose of complying with various Public Health Orders and which was to be used for specific, narrow and defined purposes, such as contact tracing and vaccine status.  As the guidance makes clear there is now an obligation on organisations to delete much of that personal information.  With the orders no longer in place there is a real question of whether Read the rest of this entry »

Australian Information Commissioner makes submission to Department of Prime Minister and Cabinet’s Australian Data Strategy

July 20, 2022

The Australian Information Commissioner has made submissions to the Department of Prime Minister and Cabinet’s Australian Data Strategy.  

It is a more assertive submission than the Information Commissioner usually produces. That may be because of the increased muscularity of other regulators with an interest in data security and privacy, such as the ACCC.  Possibly it is also because the Privacy Act 1988 is under review by a government that has stated a greater interest in significant reform of data handling than its predecessor.

It provides, absent footnotes:

Introduction

    1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Department of Prime Minister and Cabinet’s (the Department) Australian Data Strategy (the Strategy).
    2. The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation), freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Information Commissioner Act 2010 (Cth)).
    3. We welcome the Strategy’s focus on aligning with the range of existing legislation, strategies, policies, and reviews which regulate the use of data and the protection of personal information. The Strategy broadly intersects with the OAIC’s existing regulatory role and responsibilities under several laws and whole-of-government initiatives, including the Privacy Act (and its ongoing review), the FOI Act, the Consumer Data Right, the Data Availability and Transparency Act 2022, the Australian Cyber Security Strategy, the National Data Security Action Plan, and the Digital Identity scheme.
    4. Promoting and upholding privacy, information access rights and supporting the proactive release of government-held information are key strategic priorities for the OAIC. This recognises that data held by the Australian Government is a national resource which can yield significant benefits for the Australian people when handled appropriately, and in the public interest.
    5. The Strategy sets out a vision for the creation of a national ecosystem of data that is accessible, reliable, relevant and easily used to power Australia’s national endeavour towards a modern data-driven society. The Strategy focuses on three key themes: maximising the value of data, trust and protection, and enabling data use.
    6. The Strategy acknowledges the importance of keeping data safe and secure and using and managing it in appropriate ways to earn and maintain public trust. This is particularly important in relation to data containing personal information, which is subject to specific statutory protection. Privacy issues that are not properly addressed can impact the community’s trust in an entity and undermine the success of new data initiatives. When people have confidence in how their data is handled, they are more likely to support the use of that information to provide the services and value promised by innovative data initiatives.
    7. The Privacy Act provides a well-established framework to minimise the privacy risks associated with personal-information handling activities and facilitate community trust and confidence in new data initiatives. It contains 13 Australian Privacy Principles (APPs), which are technology-neutral and applicable to changing and emerging technologies and data practices. This submission focusses on the role that privacy will play in achieving the Strategy’s vision and objectives, and our views on measures that can further support the Strategy’s ambitions by strengthening the existing privacy framework through the ongoing Privacy Act Review. It is also important to acknowledge the important role the FOI Act will play as part of a comprehensive Australian Data Strategy.

Read the rest of this entry »

Australian Information Commissioner opens investigation into Bunnings and Kmart regarding use of facial recognition technology

July 13, 2022

In light of the finding of a breach of the Privacy Act 1988 by Clearview AI regarding its use of facial recognition technology, in Commissioner initiated investigation into Clearview AI, Inc. (Privacy) [2021] AICmr 54, there was always a reasonable chance that the Information Commissioner would respond to the comprehensive complaint made by Choice against Bunnings, Kmart and the Good Guys regarding their use of facial recognition technology.

Today the Commissioner announced that her office had opened an investigation into Bunnings and Kmart.

The statement provides:

The Office of the Australian Information Commissioner (OAIC) has opened investigations into the personal information handling practices of Bunnings Group Limited and Kmart Australia Limited, focusing on the companies’ use of facial recognition technology.

The investigations follow a report from consumer advocacy group CHOICE about the retailers’ use of facial recognition technology. Read the rest of this entry »

New version of Privacy (Credit Reporting) Code 2014 took effect on 1 July 2022. More information available to credit providers relating to financial hardship.

July 5, 2022

One of the most significant amendments to the Privacy Act 1988 was made in 2014 and related to credit reporting.  A key element of those amendments was the establishment of Credit Reporting Codes. On 7 June 2022, the Australian Information Commissioner approved a replacement for the Privacy (Credit Reporting) Code 2014 (Version 2.2) by introducing the Privacy (Credit Reporting) Code 2014 (Version 2.3) (Code). Version 2.3 of the Credit Reporting Code was registered on 1 July 2022 and took effect on 1 July 2022.

For anyone practising in privacy law, particularly with a connection to banking and finance, it is worth reviewing the updated Code carefully.

The release Read the rest of this entry »

Information Commissioner releases privacy guidance on Healthcare identifiers on digital vaccination certificates

March 10, 2022

The Information Commissioner has issued privacy guidance on Individual Healthcare Identifiers (“IHIs”) on vaccination certificates. This is in addition to the guideline titled Privacy guidance for businesses collecting COVID-19 vaccination information issued on 12 November 2021.

The guidance Read the rest of this entry »

Information Commissioner releases Notifiable Data Breaches Report for the period July – December 2021

The Information Commissioner has released the latest report on notifiable data breaches for the second half of 2021.  There were 464 data breaches from July to December 2021.  A total of 464 data breaches throughout all of Australia for a 6 month period. According to itgovernance there were 5.1 million records breached worldwide in February 2022 alone. That such a ridiculously low number is reported to the Commissioner is ample evidence of how flawed the data breach regime remains.

There are a number of reasons for this failure in public policy.  A starting point is the limited coverage of the Privacy Act.  The small business exemption, as well as the journalist and political party exemptions, leaves a large part of the economy which collects, holds and uses data outside of the coverage.  The Data Breach Notification Scheme relies on self assessment, using a long list of factors to determine whether there has been serious harm.  For some organisations Read the rest of this entry »

Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem

September 16, 2021

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

It governance calculates that in August there were 84 cyber attacks which resulted in 60,865,828 records being breached.  Of that number, T-Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual threat report for 2020 – 2021, which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could be, and probably is, higher.  Probably Read the rest of this entry »

Data breaches everywhere with 2.3 billion records breached worldwide in February 2021 and the grand total of 539 breaches to the Australian Information Commissioner between July – December 2020. A lack of credibility in the Australian mandatory data breach notification scheme.

March 7, 2021

It governance has provided its list of data breaches and cyber attacks in February 2021, estimating that 2.3 billion records were breached. The cyber attacks range from the relatively modest in number, with 208 records of Watermark Retirement Communities residents across 10 states being affected, to the catastrophically large, involving millions of user records of Raychat being destroyed and the records of 102 million consumers of two mobile operators in Brazil.  There were also other significant data breaches, including 400 million records of a delivery company, Bykea, being leaked in Pakistan, and Australia’s Oxfam discovering that its database of 1.7 million records was being offered for sale on a hacker forum. The humiliating Oxfam data breach required it to issue, on 1 March 2021, the now all too familiar sort of candid post on where matters stand, which Read the rest of this entry »