Peter A Clarke

The Information Commissioner’s Office (“ICO”) has published a review into the gathering of children’s data from services supplying them with current accounts, savings accounts, trust accounts, ISAs and prepaid cards. Given the greater concern about children’s privacy, long overdue, it is prudent to look at the review and consider what is being done in Australia.  What is clear is that failure to maintain proper standards with organisations will, if there is some data breach or other issue, result in acute embarrassment for organisations if the regulator reviews its processes and procedures.  Given the Privacy Commissioner now has powers to issue infringement notices/ compliance notices rather than going to the delay and expense of long and drawn out investigations and civil penalty proceedings this is a factor organisations should consider carefully.

Some of the findings from the review are:

• 69% of participants had policies and procedures in place to control the use of children’s data;
• only 67% of those organisations proactively monitored compliance with their policies and procedures.
• 45% of participants had limited assurance that staff are processing children’s information in line with internal or even legislative requirements.
• only 14% of participants had assigned responsibility for children’s data in policy or relevant job descriptions
• while 97% of participants provided staff with general data protection training however, only 18% of participants included content about the use of children’s personal information
• while 49% of participants say they provided children with age appropriate privacy information ess than a quarter of all participants have carried out any testing to check how easily children would understand their privacy information
• only 36% of children’s savings account products which are opened by parents but transferred to the child at 16 provided the child with privacy information during the transfer process
• When opening a child owned savings account, 83% of participants provided children with privacy information
• 5% of participants also required children to acknowledge that they have read the privacy information, usually recorded by signing the application form
• only 11% of these participants actually carried out any assessment as to whether children are competent enough to understand their notice
• 66% of participants indicated it would be the parent’s (where they are present) responsibility to ensure the child understood privacy information and no attempt would be made to confirm the child understood the privacy information
• 66% of participants reviewed the categories of information they collect on a regular basis to make sure it is limited to what is necessary
• 40% of participants collected special category data, limited to health data and will only be processed having obtained explicit consent.
• 24% of participants relied on consent obtained from the child to process their information for specific purposes. However, 42% of those participants relied on acknowledgement of information provided within privacy information or key facts documents to obtain the consent. This did not meet the requirements of the UK GDPR
• 88% of participants had no process in place to assess a child’s understanding of their data protection rights. For 34% of these participants this was because they had preset age limits which determined whether a child was able to exercise their rights or not.  n most cases this age limit was set at 13 years old although some participants had set this age as high as 16 years old.
• 20% of participants who offer products which process children’s information, but are controlled by parents, did not allow children to access their information or exercise this right at any age
• 96% of participants had an embedded process for verifying the age of children when an account is opened
• 63% of participants had a policy in place to govern communications provided to children, including marketing material. For 83% of participants the policy prohibited the provision of marketing material to children.
• 75% of participants provided communications which included general information about the service provider and also administrative account information. 29% of participants provided communications containing general organisational administrative information. 8% of participants provided marketing communications to children
• 33% of participants had a process in place to regularly update the contact information they hold
• Only 8% of participants required children to have access to their own email and/or phone to enable them to open an account, however if children did have these, then this information was recorded in the majority of cases where the child has some control over the account (current or savings accounts). 76% of participants used parents contact information such as email or phone to provide communications.
• Of the participants who do allow marketing to children, 75% of them included opt in and opt out options on the account application form.  The remaining 25% of participants sought consent from the parent only.

The Executive Summary Read the rest of this entry »

What many organisations fail to appreciate is that a data breach can result in multiple regulators investigating and taking action, not just the Privacy Commissioner. In fact the Privacy Commissioner can be the least aggressive. That is particularly the case with financial institutions where there are quite specific regulations regarding maintaining accounts and security. This is highlighted by the Australian’s article Australian super funds face steep fines after massive cyber attack. Australian Super will refund its members. And the story refuses to die as new facts emerge. And 2 days after the co ordinated attack there is a separate attack on another superfund, Cbus. Cbus says that it has been hacked. Which gives rise to feverish speculation and recollection of warnings about cyber risk being dismissed.

The exposure of Super Funds to regulatory action is significant.  There is a real problem with breaches of APP 11, the requirement to maintain proper data security.  Financial services licencees have obligations under section 912A of the Corporations Act 2001. In May 2022 the Federal Court found that R I Advice, a financial Services licensee had breached its licence obligations by failing to manage cyber security risks. In that case ASIC brought the civil proceeding. APRA also has jurisdiction.  Furthermore there is likely exposure on any representations Super Funds made about the security of their deposits and claims in equity. 

In addition to regulators investigation and bringing action the various cyber security agencies and the Federal Police become involved.  It becomes a hugely Read the rest of this entry »

The Australian reports in Griffith University subject to privacy, discrimination claims on how personal information can be casually misused as part of another process. On this occasion an academic forwarded a copy of a letter of censure addressed to a Mr Stella at his home address to third parties unconnected to the process. Worse. The letter was sent to people who complained about Stella which resulted in the letter being sent. That is a clear breach of privacy. The personal information was collected for the purpose of processing Stella’s application and administration of his attendance at the university. There was good reasons for that information being disclosed to others. The award of $10,000 is quite modest.

The article Read the rest of this entry »

As I have posted previously on 10 December 2024 the Privacy and Other Legislation Amendment Bill 2024 (Cth), received Royal Assent. Under the Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act), it introduces several significant amendments to the Privacy Act 1988 (Cth) (Privacy Act), many of which came into effect immediately upon assent. Others come into effect later.

The changes:

•  Statutory Cause of Action for Serious Invasions of Privacy: Comes into effect on a  10 June 2025.

Under the tort Individuals can take legal action against organisations or individuals for serious invasions of privacy. The two bases are intrusions into personal seclusion or misuse of personal information.  It is quite a complex tort.  The limitations period is 1 year from date the intrusion occurred or was discovered.

• Automated Decision-Making: Comes into effect on 10 December 2026
  

New transparency obligations require organisations to update their privacy policies to disclose when decisions are made using automated processes.

• Doxxing Offence: Came into effect on 11 December 2024. 

It is illegal to share someone’s personal information with the intent to harm. This offence is punishable by up to 7 years’ imprisonment.

• Children’s Online Privacy Code: Code to be developed and registered by 10 December 2026
  

The Office of the Australian Information Commissioner (OAIC) is required to develop a code addressing online privacy for children. There will be a consultation period of 60 days.

• Overseas Dataflows, Whitelist Powers: Came into effect on 11 December 2024.
  

The Minister has powers to ‘whitelist’ countries that provide substantially similar privacy protections, to assist entities disclosing personal information overseas.

•  Civil Penalty and Powers to Issue Infringement and Compliance Notices: Came into effect on 11 December 2024.

The Privacy Commissioner now has the powers to issue infringement notices and compliance notices for Read the rest of this entry »

23andMe is, or more accurately was, a personal genomics company. It collected genetic information. That is very sensitive. It suffered a data breach in October 2023 when hackers exploited an old password resutling in them gaining access to 6.9 million people. It became the subject of litigation and in June 2024 investigation by the Canadian Privacy Commissioner and the UK Information Commissioner. Early in March the ICO released a notice of intent to fine 23andMe with a 4.59 million fine. 23andMe has just filed for Chapter 11 bankruptcy protection. At minimum that means a restructure. It may continue operating after the restructure. That has raised serious security concerns about the genetic data it holds. The New York Attorney General has urged customers to contact the company to delete their data. In What users need to know about privacy and data after 23andMe’s bankruptcy filing the Conversation sets out the privacy and data management issues from this . That does not alter 23andME’s obligations to protection personal information.

The Conversation’s piece Read the rest of this entry »

T Mobile suffered a massive data breach in 2021. Ultimately T Mobile advised that personal information relating to 76 million customers had been accessed. It has been reported by MSN with T-Mobile prepares $350 million payments for data breach settlement.

The settlement highlights that data breaches can be a extremely costly experience for organisations.  The settlement sum is only one component of the costs.  There are costs associated with dealing with the regulator.  Sometimes more than one regulator.  There are usually heavy costs bringing in additional IT experts.  Hackers often leave chaos behind, particularly in ransomware attacks.  There may need to be rebuilding of the website, its programs and storage areas. In that context it remains concerning that so few mid sized companies put the necessary time and effort required to reduce the Read the rest of this entry »

The California Consumer Privacy Act 2018 (“CCPA”) has the most comprehensive privacy protections of all state based privacy legislation in the USA. It took effect on 1 January 2020. Recently the Agency brought action against Honda for breaches of the CCPA. That has resulted in a settlement and a fine of $232,500.

The CCPA grants California consumers the right to:

• know that personal information is collected, used, shared or sold;
• delete personal information held by businesses
• opt out of sale of personal information
• non discrimination in terms of price of service.

Under the CCPA businesses must, inter alia:

• provide notice to consumers before data collection;
• create procedures to respond to requests from consumers to opt out, know and delete
• respond to requests to from consumers to know, delete and opt out
• disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information

According to the final order the breaches related to:

• Excessive Personal Information. “Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit.”
• Lack of Symmetrical Choices. “Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way.”
• Difficult to Appoint Authorized Agents. “Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights.”
• Lack of Contracts. “Sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”

Excessive Personal Information. Honda required matching more than two data points (sometimes requiring up to eight data points) provided by the Read the rest of this entry »

The Nine papers group has suffered a data breach involving exposure of its subscribers information, some 16,000 in all (so far). That is particularly embarrassing for a news outlet that usually enjoys breathless reporting of privacy fails of businesses. Here the reporting was by News.com with ‘Juicy customer data’ belonging to thousands of Aussies leaked from Nine, the ABC with Nine newspapers subscribers have data exposed online in breach and the Australian Financial Review with Nine audits external data security after breach exposes 16,000 readers. The Australian, a competitor in the market, gleefully reports on the breach with Sydney Morning Herald, The Age and Financial Review readers exposed in data breach.

The breach was the exposure of names, postal addresses and email addresses of 16,000 subscribers.  The information was held by a third party supplier.  The cyber attack was of the that supplier.  While Nine is keen to state that there was no breach of its (excellent) cyber security structure that does not alter the fact that a third party supplier’s cyber protection was not adequate.  This is a very common situation.  Large organisations using third party contractors or suppliers is seen as efficient and cost effective.  Part of that work usually involves the contractor or suplplier holding the organisations store of personal information or having authorisation to access to the organisation’s homepage.  Hackers recognise that many third party suppliers has less effective cyber protection and vulnerable.  To avoid this form of attack organisations should do what they can to require third party contractors and suppliers to have satisfactory and complementary cyber protection and systems in place. Unfortunately that is a conversation that is not had enough.

The ABC story Read the rest of this entry »

The Australian reports that Victorian Ambulance has suffered a data breach involving the personal and financial details of 3,000 employees. This data breach may have been caused by what has been described as a rogue employee. This is not a first for Ambulance Victoria. In 2023 it suffered a privacy breach, this time internal sharing of a personal information. In the 2023 privacy breach the “..documents have been accessed only a handful of times in the past six months.” An exercise in minimisation. On this occasion the breach was detected by systems by the employee on his or her last day of service. In 2019 I posted on a data breach involving NSW Ambulance Offices which resulted in a class action and settlement of $275,000.

Data breaches involving staff going rogue are a chronic problem and can be a difficult problem if there are not proper policies and systems in place.  Some staff or soon to be ex staff are motivated by malice, others by greed and some by curiosity.  It is important to have programs in place that detect suspicious activity, like massive copying or exfiltration.  It is also important to have a data breach response plan, involving roles for members of the organisation.  There also needs to be a plan to take court action if necessary.  It is common to seek injunctive relief against ex staff or consultants who make off with data.  That is not as an alternative to contacting police but complementing such action.

One question the regulators will no doubt ask is Read the rest of this entry »

The UK Information Commissioners Office (“ICO”) has fined Advanced Computer Software Group Ltd (“Advanced”) some £3.07 million for inadequate security which resulted in a a ransomware attack in August 2022 which  disrupted the operation of NHS services and impacted 79,404 people. The ICO found the Advanced’s security measures fell seriously short of what that  expect from an organisation processing  a large volume of sensitive information. 

While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. Hackers were able to access Advanced’s systems via a customer account. Access to that account was not protected by multi-factor authentication. Once in the systems, the hackers were able to exfiltrate data belonging to 79,404 people.  That included, with respect to 890 people receiving home care, details of how to gain entry to their property. 

Last year, the ICO signalled its intention to fine Advanced £6.09m. After considering Advanced’s submissions it reduced the fine to  £3.07m. One but not the only reason for the reduction was Advanced’s “proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted”.  Other factors were Advanced’s notification to customers within 24 hours of discovery irrespective of whether they were affected, providing a team of 18 people to restore  infrastructure and engaging external experts to undertake a forensic investigation and analysis of the data impacted.  Advanced also undertook a comprehensive review of potentially impacted data.  There are lessons in the Australian context.  It is important for an organisation to react quickly, decisively and engage with all relevant authorities. That means having a plan.

The statement provides:

The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.?  Read the rest of this entry »