Pound Road Medical Centre: Own motion investigation report by Privacy Commissioner

July 15, 2014

The Privacy Commissioner has conducted an own motion investigation into Pound Road Medical Centre. The investigation applied the Privacy Act as it stood prior to the amendments taking effect on 12 March 2014.

FACTS

On 23 November 2013, a shed located at 16 Amberley Park Drive, Narre Warren South was broken into. There were boxes of medical records located in the locked shed. During the break-in, the boxes, and therefore the documents, were compromised. The medical records were created when PRMC operated as a medical centre at the site. PRMC ceased operating the medical practice at the site from 6 April 2011, and since this date has conducted its practice from new premises.

In about October 2012, the records were transferred from a locked room inside the site to the shed so that renovations for sale of the site could occur. The shed door was locked with three padlocks. PRMC believed that all the paper-based health records stored at the site were transferred to a locked store at its new premises.

A representative from PRMC initially visited the site two to three times a week and later once a week for purposes of maintenance, repairs and renovations to prepare the site for sale.

The Office of the Australian Information Commissioner (OAIC) was notified that there were boxes of unsecured medical records at the site on 25 November 2013.

The personal information compromised in the data breach consisted of:

  1. patients’ ‘identifying particulars’,

House of Representatives hands down report on drones, “Eyes in the Sky”

July 14, 2014

The House of Representatives Standing Committee on Social Policy and Legal Affairs has handed down the report Eyes in the Sky, based on its inquiry into drone technology. It is a comprehensive report which makes some very useful and sensible recommendations, including Recommendation 3, which recommends legislation that provides protection against privacy invasive technologies. It goes further and recommends creating a tort of serious invasion of privacy. It is the latest in a long line of committees and Commissions to come to the conclusion, the inevitable logical conclusion, that there is a serious gap in Australia’s legal protections and a tort of privacy is required to fill that gap. Governments of both persuasions have avoided, ignored or just plain danced on the spot on the issue and abrogated their responsibilities. But the technology develops apace and the issue looms large as a practical problem for more than academics.

The Committee’s press release provides:

New privacy laws might be needed

Wired article on passwords…can only help

July 13, 2014

On the human side of data security, maintaining strong passwords is a continuous challenge. As Wired reports in How to Teach Humans to Remember Really Complex Passwords, the use of “password” is depressingly common, as is “qwerty.” A recipe for disaster. The Wired article reports on an experiment that will be held to teach people to remember complicated passwords and passphrases. That is one key way of minimising the chance of hacking. Long-string, almost randomised passwords cost hackers

Vodafone notifies privacy commissioner of New Zealand of serious privacy breach

July 10, 2014

Two pieces in the New Zealand paper Business Day, Vodafone privacy breach ‘serious’ and Vodafone alerts privacy watchdog, report on a serious privacy breach on the Vodafone network, this time by use of a master password to access private customer information. Curiously, a customer identified the breach and notified Vodafone when he found he could access other private customer information. It is a structural issue in the password system and data storage. It is very embarrassing and highlights the need to have a comprehensive and reviewable password system.

The Vodafone privacy breach article provides:

Vodafone is experiencing a serious privacy breach – people with a master password are able to access private customer information, including credit card details.

The loophole was discovered

Privacy issues with tower dumps and unspecific collection of data

July 8, 2014

The New South Wales Police Commissioner recently raised the hoary old chestnut that we face a stark and of course immutable dichotomy: privacy or security. That is captured in the Sydney Morning Herald article Time to trade privacy for safety, says NSW Police Commissioner. The context is the police and security services’ demands for, if not obsession with, expanded data retention laws. The starting point is that it is not logical. There can be both privacy and security. It is not one or the other. It would be wrong to only criticise the police for this utterly wrong-headed, nonsensical simplifying of what is a far more complex and

Sweep of Victorian Public Sector Mobile Apps. Mixed results

July 7, 2014

Apps are notorious for having minimal privacy protections and lousy to non-existent privacy policies, while being an excellent source of data leakage for hackers. Privacy regulators have been focusing on privacy issues with apps in the recent past. Breach of data security or loss of data through an app is just as much a breach of the Privacy Act at the Commonwealth level or the Victorian Information Privacy Act as if it was lost on the street or via a hacking attack online. Apps are becoming a necessary feature of service delivery for government agencies and organisations.

The findings, found here, provide:

Twenty-seven participating data protection authorities from around the world undertook a coordinated exercise to examine privacy protections and related issues raised by apps. Some of the issues considered were: whether consumers are clearly informed about the types of personal information an app collects and uses; why that data is needed; and how many apps collect information way beyond what is actually needed for an app’s functionality.

Privacy Victoria examined 64 mobile apps developed by Victorian public sector organisations. Each organisation has now been

Privacy Commissioner looking into allegations about data leak from Cbus

The Age reports in Superannuation giant Cbus under the spotlight at Royal Commission into union corruption on a very serious allegation of a strategic leak of personal information from Cbus to a union, the CFMEU, in 2013. The Privacy Commissioner is reportedly investigating the allegations.

Federal Trade Commission 2014 Privacy and Data Security update

July 6, 2014

In the United States, privacy regulation at a Federal level is sectoral. There are some strong protections but a lack of general coverage. The key regulator, the Federal Trade Commission (FTC), wants more powers and broader coverage. At the moment it has power to take action over unfair and deceptive practices and has powers to enforce the Truth in Lending Act, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. Its enforcement activities and educational activities, even with restrictions, are quite impressive. Certainly something for other privacy regulators to heed. It has also been a regulator not afraid to take on and best large organisations.

In Federal Trade Commission 2014 Privacy and Data Security Update the FTC provides an update of its activities.  Its settlements and the undertakings it has extracted from organisations are hugely influential for privacy practitioners in the United States.  Given the issues

Article on how to block online tracking

July 5, 2014

Online tracking can be irksome, if not alarming, for those who want some anonymity in searching the net. It is a key privacy concern as

North Carolina passes Bill to protect student records

July 3, 2014

In the United States privacy protection is as much a focus at the state level as the Federal level.  Unfortunately at the Federal level the law has not changed for some time and when it does it tends to respond to a particular public policy crisis or concern.  Hence there is strong protection on