EU releases pseudonymisation guidelines

March 13, 2025

On 16 January the European Data Protection Board (EDPB) adopted Guidelines 01/2025 on Pseudonymisation, which took effect on 17 January 2025. Pseudonymisation is poorly understood by organisations and by some practitioners. It is also an important means of data protection.

It should be noted that OVIC has undertaken a very detailed assessment of de-identification and highlighted the problems with it.

The guidelines set out detailed guidance on the use and benefits of pseudonymisation under the General Data Protection Regulation (GDPR). Importantly, they clarify:

  • what pseudonymization means,
  • how to use it to meet data protection requirements, and
  • how to implement it.

Australia operates under the Privacy Act and is not bound by the GDPR. That said, many organisations in Australia operate in Europe and to that extent are bound by the operation of the GDPR. Further, guidelines from the EU, like the NIST publications, provide valuable assistance in dealing with privacy issues.

What is Pseudonymization?

Art. 4(5) of the GDPR defines pseudonymisation as “the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that it is not attributed to an identified or identifiable natural person.”

Pseudonymisation can be implemented through various techniques, such as the use of tables that map pseudonyms to original identifiers while keeping pseudonyms and original identifiers separate and secure (e.g., in the hands of two separate organizations). 

Pseudonymisation should at least cover direct identifiers (e.g. passport or social security numbers, but also the combination of a person's full name with his or her date of birth), which alone allow data subjects to be identified. The pseudonymising entity should also be mindful of indirect identifiers (e.g. by deleting such indirect identifiers, or generalising or randomising them), which may also allow a data subject to be identified despite the pseudonymisation.
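The mapping-table approach described above, as an added example that is not part of the guidelines or of this post. The record layout, field names (`passport_number`, `full_name`, `date_of_birth`, `postcode`, `age`, `diagnosis`) and the sample people are constructed assumptions. Direct identifiers, including the name plus date-of-birth combination, are replaced by a random pseudonym whose mapping is held in a separate table; indirect identifiers are generalised rather than released verbatim, so the released dataset alone does not re-identify anyone, while the table's custodian still can.

```python
"""Table-based pseudonymisation in the sense of GDPR Art. 4(5).

Added example, not from the EDPB guidelines or the blog post. Field names,
record layout and sample data are constructed assumptions for illustration.
"""
import secrets
from typing import Dict, Tuple

# Fields that identify a person alone (passport number) or in combination
# (full name + date of birth). They are removed and replaced by a pseudonym.
DIRECT_IDENTIFIERS = ("passport_number", "full_name", "date_of_birth")


class PseudonymTable:
    """The 'additional information' of Art. 4(5): the pseudonym <-> identifier map.

    In a real deployment this object lives with a separate custodian (a different
    system or organisation) under its own access controls, so the holder of the
    pseudonymised dataset cannot reverse the pseudonyms on their own.
    """

    def __init__(self) -> None:
        self._by_subject: Dict[Tuple[str, ...], str] = {}
        self._by_pseudonym: Dict[str, Tuple[str, ...]] = {}

    def pseudonym_for(self, identifiers: Tuple[str, ...]) -> str:
        """Return the stable pseudonym for a subject, minting a random one on first sight."""
        if identifiers not in self._by_subject:
            # Random token: it carries no information derived from the subject,
            # so it cannot be reversed without this table.
            pseudonym = secrets.token_hex(16)
            self._by_subject[identifiers] = pseudonym
            self._by_pseudonym[pseudonym] = identifiers
        return self._by_subject[identifiers]

    def resolve(self, pseudonym: str) -> Dict[str, str]:
        """Re-identification: only possible with access to this table."""
        return dict(zip(DIRECT_IDENTIFIERS, self._by_pseudonym[pseudonym]))


def generalise_postcode(postcode: str) -> str:
    """Keep only the leading digits (region level rather than suburb level)."""
    return postcode[:2] + "xx"


def generalise_age(age: int) -> str:
    """Bucket an exact age into a ten-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymise(record: Dict, table: PseudonymTable) -> Dict:
    """Return a copy of the record with direct identifiers replaced by a pseudonym
    and indirect identifiers generalised; other fields are kept as-is."""
    subject_key = tuple(str(record[f]) for f in DIRECT_IDENTIFIERS)
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = table.pseudonym_for(subject_key)
    out["postcode"] = generalise_postcode(record["postcode"])
    out["age"] = generalise_age(record["age"])
    return out


# Constructed sample records about fictional people.
SAMPLE_RECORDS = [
    {"passport_number": "PA1234567", "full_name": "Ada Example", "date_of_birth": "1984-05-01",
     "postcode": "3051", "age": 40, "diagnosis": "hypertension"},
    {"passport_number": "PA1234567", "full_name": "Ada Example", "date_of_birth": "1984-05-01",
     "postcode": "3051", "age": 40, "diagnosis": "asthma"},
    {"passport_number": "PB7654321", "full_name": "Bob Sample", "date_of_birth": "1991-11-12",
     "postcode": "2000", "age": 33, "diagnosis": "fracture"},
]


def run_demo():
    """Pseudonymise the sample set; the table stays with the custodian, the
    released list is what a processor or researcher would receive."""
    table = PseudonymTable()
    released = [pseudonymise(r, table) for r in SAMPLE_RECORDS]
    return table, released


if __name__ == "__main__":
    table, released = run_demo()
    for r in released:
        print(r)
    print("custodian can resolve:", table.resolve(released[0]["pseudonym"]))
```

Both of Ada's records share one pseudonym, so the released data still supports longitudinal analysis, but the name, passport number and date of birth are gone and the postcode and age have been coarsened. Re-identification requires `PseudonymTable.resolve`, which only the custodian holding the table can call.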

Office of the Information Commissioner attends Estimates

March 1, 2025


Senate Estimates is an annual event. For Governments it is a mandatory evil. For oppositions it promises to reveal a cornucopia of information to embarrass the government and burnish their credentials. For the agencies, in particular the public servants who front the various Estimates Committees, it is a burden to be carried as part of the job. This year the Information Commissioner’s attendance before the Legal and Constitutional Affairs Legislation Committee proved to be no different. The Commissioner’s opening statement was the usual anodyne, nothing-to-see-here statement, providing:

With the chair’s leave I take this opportunity to acknowledge the committee’s role and in doing so provide a brief opening statement outlining the important work of the Office of the Australian Information Commissioner (OAIC).

I appear today with the assistance of the FOI Commissioner Ms Toni Pirani and with the chair’s leave the Privacy Commissioner Ms Carly Kind appearing via link and Executive General Manager, Information Rights Ms Ashleigh McDonald.

Supported by our new organisational structure we are better positioned to operate as a contemporary and proactive regulator. Some of our recent initiatives and outcomes demonstrate our future direction. We have:

    • commenced preliminary inquiries into the privacy impacts of connected vehicles
    • commenced the development of a Children’s Online Privacy Code
    • developed a public facing dashboard to ensure that agency freedom of information (FOI) data is reported and presented more effectively
    • We will shortly deliver a report examining the use of messaging apps by Australian government agencies
    • We are building our strategic intelligence capabilities.

To deliver a proactive and contemporary regulatory approach to benefit the Australian community, agencies and industry alike, we will also focus on building staffing capabilities through an investment in new ways of working and professional development. Within our budgetary parameters, our technology and systems will also be a focus to support our new direction.

However, we are also mindful to deal with our core case management responsibilities and reduce our backlog in both FOI and privacy cases. Our resources are challenged by a 25% increase in FOI Information Commissioner review (IC review) applications compared to the same period last year. This is against a backdrop of an increase in FOI IC review applications over the last 5 years that is estimated to double the number of FOI IC review applications received in 2019–20. We also face an overall growth in privacy case work and increasing complexity in our case work arising from digital services and emerging technologies. This has a particular impact on our privacy case work.

Our enforcement capabilities have been assisted by an increase of funding in recognition of the complexities of enforcement. Similarly designated funding has been provided to the OAIC to develop the Children’s Online Privacy Code and guidance regarding the social media age limit.

Our appearance and preparatory papers are informed by data as at 15 January 2025.  However, to assist the committee, as at 23 February 2025 the OAIC 2024–25 case statistics are as follows:

    • 1,279 FOI review applications were received and 1,494 finalised.
    • 196 FOI complaints were received and 216 finalised.
    • 1,966 privacy complaints were received and 1,687 finalised.

During this period, we also finalised a number of complex privacy matters that have delivered a strong enforcement message and importantly established our expectations of the regulated community. In doing so, we are upholding the rights of privacy and information access enshrined in statute by the Australian Parliament and better serving the values and expectations of the Australian community.

I wish to acknowledge the significant work and expertise of the OAIC leadership in taking forward this major change program and recognise with gratitude OAIC staff for their dedication and commitment as we secure the fundamental human rights of privacy and information access in an increasingly complex environment.

The hearing before the Estimates Committee focused on the reduction in staffing in the office from 200 to 138 staff, a 23% reduction. Also of interest is the Privacy Commissioner’s admission that the findings of the Property Lovers determination are not being complied with. In short, the behaviour complained of is continuing. The Privacy Commissioner is investigating what to do next.

An understaffed office is bad news for effective regulation.  That has been a chronic problem for this office.  Fortunately there will be a statutory tort as of June 2025 so in many cases individuals will not need to rely on the Commissioner taking up an investigation from a member of the public.

The Transcript provides:

CHAIR: With 20 minutes to go in our hearing, we’re going to politely and apologetically, dismiss the Australian Human Rights Commission. We won’t get to them this evening. We thank them for their time and for travelling. We do have questions for them, but we won’t have time to put them. We thank them for their ongoing work, particularly in the current environment. I know they’re working very hard. So thank you very much.

Welcome, commissioners. Do you have an opening statement you’d like to table?

Ms Tydd: I do have a very brief opening statement and I’m happy to table that.

CHAIR: Thank you very much. That will be circulated to senators so they can read from that when they have it in front of them. In the meantime, I’ll pass the call to Senator Scarr.

Senator SCARR: Commissioner, how many staff have left the OAIC since August last year?

Ms Tydd: I don’t think I could speak with authority from the date of August, but I can give you the very high-level numbers of staffing pre and post our organisational redesign.

Senator SCARR: Can you give me the dates for the organisational redesign, so I can calibrate that with my August date?

Ms Tydd: Yes. That was finalised in mid-November, about 17 November. The organisational redesign responded to our significant budgetary situation, in which we would be operating at a deficit. Action was taken around that. At the time, in July, we had an FTE of just over 200. Our organisational redesign that allowed us to operate within our budgetary parameters—

Senator SCARR: Sorry; it’s late. I’ve got to get these numbers right. In July your FTE was just over 200?

Ms Tydd: Correct. And our ASL cap came down to 173. We knew that within our budgetary parameters we’d need to operate at around 165. We didn’t purely look at staffing levels in relation to meeting our budgetary parameters; we looked at a range of measures. They included external supply costs. Legal costs were something that we focused on as well. So, yes, we were required to reduce staffing in response to our revised budgetary parameters, and that process was completed around mid-November.

Senator SCARR: Okay. What were the FTE numbers as at mid-November, when you completed that process?

Ms Tydd: There probably was still some lag. I’d say it would be about 175. I’ll see if I have any dates that will help you further. I can tell you that as at 18 December, as we were still working through that process, our staffing level was 175.

Senator SCARR: Do you have the data as at today or the most recent data as at the end of the month? Do you have any most recent data?

Ms Tydd: As at 29 January, it was 138.4.

Senator SCARR: So you went from 175 as at 18 December—that was the figure you gave?—

Ms Tydd: Correct.

Senator SCARR: to 138.4 as at 29 January?

Ms Tydd: That’s correct, with a headcount of 156.

Senator SCARR: Okay, so you’ve got part-time—

Senator SHOEBRIDGE: So as we don’t have to traverse across this, do you mind if I ask: you’ve been talking FTE all the time through, so these have all been the same dataset of FTE, full-time equivalents?

Ms Tydd: Yes.

Senator SCARR: So you went from—we’ll try and use the common terminology—FTE as at 18 December of 175 to FTE as at 29 January, which is only a month later, of 156. Is that correct?

Ms Tydd: The figure I have is 138.4.

Senator SCARR: 175 to 138.4?

Ms Tydd: Yes. They’re the figures I have before me.

Patient information from the Genea data breach posted on the dark web

February 27, 2025


Exactly a week ago I posted on the Genea data breach and raised concerns about the way it was handling the matter. The public statement was dreadful, and it was clear from the subsequent reporting that it was keeping a lot of information away from the public eye: information that is commonly provided by US companies when they suffer data breaches. That dreadful approach has given way to a much more expansive attitude, with a long statement on 24 February 2025 and notice of an injunction yesterday.

The Genea statement of 24 February provides:

We are endeavouring to communicate with all current and former Genea patients the latest updates of our investigation into the incident. A copy of our communication is included below.
 
Thank you for your patience as we investigate the cyber incident that has impacted our organisation (Genea Pty Limited). We understand that hearing about an incident like this can cause concern and we sincerely apologise for this. We want to reassure you that our teams of specialists, nurses, scientists and support staff are working tirelessly to minimise any impact to the treatment of our patients which is always our highest priority. Our technology teams have also been working around the clock with cyber security professionals to securely restore our systems while progressing our investigation.
 
We are committed to doing all we can to protect your privacy. In this letter, we’ll step you through what happened, what types of personal information relating to you may have been involved in the incident and identify clear steps you can take to help ensure your information is protected.

What has happened?

On 14 February 2025, we became aware of suspicious activity on our network. Following this, we promptly launched an investigation to determine the nature and scope of the activity. In the course of these investigations, Genea discovered that it had been impacted by a cyber security breach.  
 
Since the incident, we have undertaken extensive remediation efforts and actions in line with our incident response process to prevent reoccurrence. This has involved securing our networks in partnership with our cybersecurity partners and bringing our core systems online to ensure that we can continue to provide the very best care to our patients.
 
We advised in our prior communication that we were continuing to investigate the nature and extent of data that had been accessed and the extent to which it contained personal information. As a result of our ongoing investigation, we now believe the attacker may have accessed and taken personal information which we hold.
 
We have notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre of the incident. We are meeting with the National Office of Cyber Security, the Australian Cyber Security Centre and other government departments to discuss the incident with them.
 
Our investigation is ongoing, and we will continue to communicate any relevant updates to you.
 

What personal information has been impacted?

Our investigation has identified that Genea’s patient management systems, which contain information about you, were accessed by an unauthorised third party. We stress that at this point in time it is unknown what personal information within the folders on the patient management system has been compromised. However, the folders on the patient management system include the following types of your information:


South Korea’s privacy regulator suspends DeepSeek citing privacy concerns

February 18, 2025

Yesterday the Personal Information Protection Commission (PIPC) announced that it had temporarily suspended Hangzhou DeepSeek Artificial Intelligence Co., Ltd.’s services until improvements and supplements are made in accordance with the Personal Information Protection Act (PIPA). The decision follows an investigation by the PIPC. The PIPC sent an official inquiry to DeepSeek’s headquarters regarding the collection and processing of personal information shortly after the launch of DeepSeek’s service.

The PIPC found some deficiencies in privacy policies, among other things. DeepSeek acknowledged that it had failed to consider domestic protection laws in its global service rollout and expressed its intention to cooperate with the PIPC. The PIPC will present a guide (in the form of a checklist) that overseas artificial intelligence (AI) developers should check before launching their services in Korea. The story has been reported in the Australian in DeepSeek removed from South Korea app stores pending privacy review, which provides:

Chinese AI app DeepSeek will not be available to download in South Korea pending a review of its handling of user data, Seoul authorities said Monday.

DeepSeek’s R1 chatbot stunned investors and industry insiders with its ability to match the functions of its Western competitors at a fraction of the cost.

But a number of countries have questioned DeepSeek’s storage of user data, which the firm says is collected in “secure servers located in the People’s Republic of China”.

Seoul’s Personal Information Protection Commission said DeepSeek would no longer be available for download until a review of its personal data collection practices was carried out.

The Chinese AI firm has “acknowledged that considerations for domestic privacy laws were somewhat lacking”, the data protection agency said.

It assessed that bringing the app into line with local privacy laws “would inevitably take a significant amount of time”, the agency added.

Six massive data breaches in 2024 resulted in 1.7 billion data breach notices. A 312% increase over 2023. Most of the data breaches were avoidable

February 2, 2025

The number of data breaches year on year continues to rise. More concerningly, the number of victims affected grows exponentially. Data Breach Today, in 312% Surge in Breach Notices That Could Have Been Prevented, reports on an enormous spike in data breach notices being sent out on the back of 6 massive data breaches. Concurrently, Bleeping Computer reports in US healthcare provider data breach impacts 1 million patients that Community Health Centre in Connecticut suffered a data breach in mid-October 2024 which was only discovered on 2 January 2025. It also reports in Backdoor found in two healthcare patient monitors, linked to IP in China that the US Cybersecurity and Infrastructure Security Agency (CISA) has warned that certain patient monitoring devices manufactured by Contec include a back door which sends patient data to a remote IP address. Contec is a China-based company. These stories highlight the continuing need for companies to adopt a comprehensive and holistic approach to privacy protection.

The Data Breach Today story provides:

Six mega cybersecurity incidents led to a record 1.7 billion data breach notices going out to victims in 2024 – a dramatic 312% increase over the previous year. Among the mega-breaches, the Change Healthcare ransomware attack – the third-largest breach – continues to grow. The insurance company last week nearly doubled its estimated breach count to 190 million people.

Australian Privacy Commissioner gets a nice media makeover, er, is the subject of a deep, insightful report the way it is currently done, over lunch

C’est chic to do an in-depth piece over an extravagantly priced breakfast or lunch. Not only does the reader get to know something about the subject, but we get an insight into what the movers and shakers are eating and where they congregate to consume. The Australian Financial Review has recently published a profile of Carly Kind, the recently appointed Privacy Commissioner. This is something of a first for Privacy Commissioners. The most recent Information Commissioners (who covered privacy), Timothy Pilgrim (a pleasant but through-and-through public servant) and Angeline Falk (a long-serving deputy in the Office of the Australian Information Commissioner), were not media averse as such. But their media forays were relatively few and brief, usually confined to an interview on the ABC or quotes for other media. Their speeches at conferences were safe and predictable and certainly not designed to shake up the woeful privacy culture in the Australian marketplace. Even by the grey standards of Australian regulators they were distinctly in the background. Which was a shame. Privacy issues did not get ventilated as much as they should have. That is perhaps understandable given the generally ineffective regulation and enforcement of the Privacy Act. To be fair, the last few years have seen a marked improvement in enforcement, but it has come off a low base and has not had a significant impact on the market yet. And to be fair, Pilgrim and Falk were marked improvements on their predecessors.

Carly Kind has had a good start as Privacy Commissioner: a distinct uptick in enforcement action and more assertive commentary. That she has a pedigree largely outside the Australian Public Service is a huge advantage. She may be less hidebound by conservative, self-restraining litigation guidelines. We can only hope, given she has been handed even more enforcement powers in the most recent amendments to the Privacy Act late last year. In this article she was candid in criticising poor public policy which has led to privacy-invasive practices, as I have been writing about for years. She needs to bring high-profile actions which put high-profile privacy-breaching companies into the media spotlight. This is a common approach of ASIC and the ACCC. That is the only way of changing the culture in the marketplace.

The article gives some restrained hope that the coming years will see more effective and high profile regulation of privacy breaches.  It is well overdue.

The article provides:

My lunch with the Australian Privacy Commissioner, Carly Kind, begins with a confession.

“I tried to stalk you on social media on my Uber on the way,” I say as she sits down at Manly’s Noon café, bike helmet in hand.

Looking up other people’s social media is something everyone does but no one should ever admit to, particularly not to the woman charged with protecting the nation’s privacy by upholding the Privacy Act of 1988.

Kind is taken aback and for a moment, I think I’ve blown it before we’ve even ordered a coffee, let alone lunch.

“Did you find anything interesting?” she responds after what feels like an age.

No. She is on Instagram and on Facebook. But both attempts to glean any information of value were foiled despite me being a Millennial journalist well versed in the art of lurking.

Privacy Commissioner Carly Kind admits she’s less idealistic about the role of regulation in protecting online privacy and worries one day big tech will decide not to obey the law.  

Her Instagram is set to private. Her Facebook isn’t locked but the only photo I can click on is of the back of her head. I did manage to deduce she has 737 Facebook friends, but there are no workplaces, relationships, or really any other information to show.

When I lament my efforts were dashed, she’s nonchalant, “I really don’t use Facebook these days, but I can’t get rid of it because of Marketplace.”

I feel seen immediately.


The UK Information Commissioner’s Office releases a code of practice for online services involving children

The most active form of regulation in privacy across the world now relates to protecting children and limiting the data taken from them and used by businesses. The UK Parliament passed the Online Safety Act 2023. The Act imposes new duties on social media companies and search services, making them more responsible for their users’ safety on their platforms. Those new duties include implementing systems and processes to reduce the risk that their services are used for illegal activity, and taking down illegal content when it does appear. Regarding children, platforms are required to prevent children from accessing harmful and age-inappropriate content and to provide parents and children with clear and accessible ways to report problems online when they do arise. The main regulator, Ofcom, has set out age check guidance regarding access to online pornography. The Information Commissioner has for some time had a code of practice regarding the development of an age-appropriate design for online platforms. The core of the code is 15 standards.

The 15 standards are:

1. Best interests of the child

2. Data protection impact assessments

3. Age appropriate application

4. Transparency

5. Detrimental

Brazilian regulators ban iris scan company from paying citizens for biometric data

January 31, 2025

The collection of vast amounts of data fuels any number of programs, from basic analytics to facial recognition and AI. It is not surprising, then, that Tools for Humanity, a company co-founded by Sam Altman, the CEO of OpenAI, is collecting iris data. For money. This has quite legitimately attracted the ire of the Brazilian National Data Protection Authority, which has reportedly moved to ban the practice.

The article provides:

Brazil bans iris scan company co-founded by Sam Altman from paying citizens for biometric data

Brazilian data privacy regulators say they are prohibiting Tools for Humanity (TFH), a biometric identity company co-founded by OpenAI CEO Sam Altman, from paying citizens for iris scans.

Federal Trade Commission finalises changes to the Children’s Privacy Rule so as to limit companies’ ability to monetise children’s data

The United States has quite an effective child privacy protection law, the Children’s Online Privacy Act. It also has a very sophisticated data broking and analytics industry. And some businesses have no problem in collecting data on children to assist in marketing products and services. The Federal Trade Commission has announced changes to the Children’s Online Privacy Protection Rule which set new requirements about the collection, use and disclosure of children’s personal information, require parents to opt in to third-party advertising and place limits on data retention.

The United States and the European Union are far ahead of Australia when it comes to dedicated privacy protection. The eSafety Commissioner provides some regulatory assistance, but it is not focused enough on privacy. Under the amendments to the Privacy Act 1988, the Privacy and Other Legislation Amendment Bill 2024, passed in late November last year, the Commissioner will develop a Children’s Online Privacy Code to better protect children from a range of online harms. That Code will take effect in 2 years.

The media release from the FTC provides:

The Federal Trade Commission finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.

The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized.

An unsurprising criticism of the upcoming statutory tort of privacy which is generally wrong

January 20, 2025

Chris Merritt is a good journalist and has ably edited the Legal Affairs section of the Australian. But he has bugbears which defy logic and fact. One of them is a statutory tort of privacy. The Australian has always had a set against the tort, primarily because of fears that it would interfere with the practice of journalism. Given the exemption which precludes a claim from being brought against journalists, this is no longer a thing for the Australian. That of course does not stop Merritt from having a major rant against the statutory tort in last week’s Business to pay the price for new privacy tort. It is quite surprising that the Australian has been so slow to start its complaint about the statutory tort. In the past it campaigned a long time before any tort was even proposed. Here the complaint is made after the fact.

Now Merritt’s complaint is that businesses will be bankrupted for being vicariously liable for breaches of privacy.

The focus of the article is on the possible impact on businesses. It relies on the submissions by the Business Council of Australia and the Australian Industry Group to the Senate Committee reviewing the Bill. The BCA and the AIG have always been hostile to any form of actionable right to privacy. Their submissions on this heavily circumscribed statutory right have followed that line. They were not particularly analytical submissions and had a heavy dose of Henny Penny “the sky is falling” hypotheticals. One hypothetical is how this tort will impact insurance premiums in the future. Merritt draws a very long bow in comparing the impact of the tort with the insurance disruption following the collapse of HIH, suggesting that a similar result is in the offing. Given that the general damages award is capped, this is quite a stretch. It is quite an illogical analysis because, given the tort requires an intentional or reckless act, it is not proper to compare those future claims with claims of the sort, and awards of the quantum, associated with personal injury and medical negligence. The statutory tort provisions make no comment on vicarious liability, so the general principle applies. But so what? The situations where that happens will be quite limited. If a person uses company resources to interfere with someone’s privacy then a company may be called to account if it is done in the course of company business and not inconsistent with its activities.

It is quite a poor article but does highlight the continuing, largely ideological, fighting retreat by some areas of the media against a statutory tort.

The article provides:

Right now, companies are failing at a record rate. So can anyone think of a worse time to create a new way of suing business?

Unfortunately, that’s exactly what federal parliament did on November 29 when it approved a new statutory tort for serious invasions of privacy.

Despite warnings from peak industry groups, parliament did nothing to stop innocent employers being held vicariously liable for invasions of privacy committed by employees who break corporate rules.

Everyone should be accountable for their misdeeds – but not the wrongs committed by others. Yet that is a key feature of the new privacy tort sitting on the federal statute book, just waiting for enterprising lawyers to give it a run when it comes into force in June.

In October, the Business Council of Australia warned about the potential unfairness of holding employers vicariously liable for the wrongful actions of their employees – particularly if companies have taken all reasonable steps to prevent staff from invading anyone’s privacy.