August 15, 2013
The Privacy Commissioner has issued a media release, Privacy Commissioner: Website privacy policies are too long and complex, announcing the release of what he calls a “privacy sweep” of websites used by most Australians. He found nearly 50% of website policies were difficult to read. In my professional experience it is usually more than that, and sometimes difficult merges into completely incoherent.
The summary of the sweep is:
the OAIC examined
Posted in Commonwealth Privacy Commissioner, Practical issues, Privacy
August 13, 2013
The Information Commissioner’s Office has recently undertaken a study of data breach incidents reported in the period 1 April – 30 June of this year.
The diagram of the findings is shown below:
[Figure: Incident type]
Posted in Privacy
August 11, 2013
Der Spiegel reports on paparazzi using drones to take photos at Tina Turner’s recent wedding in Switzerland.
The story provides:
When Tina Turner got married at her estate in Switzerland over the weekend, she wanted to keep paparazzi away. But photographers used drones and other aircraft to get the exclusives they needed. The battle for pictures is increasingly moving into the airspace.
Tina Turner and German music producer Erwin Bach wanted to make sure that their wedding would not be disturbed. The ceremony, with its roughly 120 celebrity guests, took place on Sunday behind the high walls and trees surrounding Turner’s Villa Algonquin estate in the suburb of Küsnacht, on Lake Zurich. The couple set up large red cloth to block the lakeside garden from prying eyes and photographer’s lenses.
Shortly after the Buddhist ceremony, the wedding party was startled by a small plane overhead. Toto Marti, a photographer for the Swiss tabloid Blick, leaned forward in the copilot seat and hit the shutter release. The publication landed a scoop and cashed in. Tabloids and magazines all over the world printed the photo. In Germany, it was the cover photo on both the mass-circulation daily Bild and the popular glossy Bunte.
It was exactly this that Turner, 73, and Bach wanted to prevent — and most likely, in the interest of their media partners, were obligated to prevent. They expected that photographers
Posted in Privacy
August 9, 2013
The Information Commissioner’s Office has served the Bank of Scotland with a monetary penalty for wrongly and repeatedly faxing personal information to unintended recipients.
The penalty notice relevantly provides (found here):
Bank of Scotland plc is the data controller, as defined in section 1(1) of the Data Protection Act 1998 (the “Act”), in respect of the processing of personal data carried on by Bank of Scotland plc and is referred to in this notice as the “data controller”. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is the data controller.
The Act came into force on 1 March 2000 and repealed the Data Protection Act 1984 (the “1984 Act”). By virtue of section 6(1) of the Act, the office of the Data Protection Registrar originally established by section 3(1)(a) of the 1984 Act became known as the Data Protection Commissioner. From 30 January 2001, by virtue of section 18(1) of the Freedom of Information Act 2000, the Data Protection Commissioner became known instead as the Information Commissioner (the “Commissioner”).
Posted in General, Privacy, UK case law
August 8, 2013
Last week, on 1 August, the Office of the Information Commissioner commenced the consultation process for Guidelines for recognising external dispute resolution schemes under section 35A of the Privacy Act 1988. The Privacy Commissioner’s online post is found here. The consultation process closes on 30 August 2013.
The draft guidelines relevantly provide as follows:
Key messages
- In developing these guidelines, the Information Commissioner acknowledges the expertise and experience of existing industry external dispute resolution (EDR) schemes, and the important role these schemes play alongside the Office of the Australian Information Commissioner (OAIC) in relation to privacy complaint handling.
- The Information Commissioner also acknowledges that there are a range of existing recognition mechanisms for those schemes, and the importance of not unduly burdening existing schemes where their existing recognition mechanism generally covers the same matters required by the Privacy Act 1988 (the Privacy Act) for recognition.
- Recognition of an EDR scheme is undertaken by the Information Commissioner under s 35A of the Privacy Act. EDR schemes must demonstrate their accessibility, independence, fairness, accountability, efficiency and effectiveness to be recognised by the Information Commissioner. The recognition requirements, as set out in s 35A, are based on the Benchmarks for Industry Based Customer Dispute Resolution Schemes developed in 1997 by the then Australian Government Department of Industry, Science and Tourism. Most existing EDR schemes are required to, or do, design their operations in accordance with these benchmarks.
- To be recognised under the Privacy Act, EDR schemes should also meet additional requirements in relation to privacy-related complaints. In most cases existing schemes handling privacy complaints will already be meeting most of these additional requirements.
- Additional requirements for recognition of an EDR scheme under the Privacy Act involve accountability, reporting and regular reviews. Again, most existing schemes will already be subject to similar requirements from their existing recognition mechanism. Wherever possible these existing requirements can be utilised by existing schemes in relation to the requirements under these guidelines. Some additional supplementary requirements may be required for ongoing Privacy Act recognition.
- The detail in these guidelines should generally assist a proposed new EDR scheme which is not already recognised under another recognition scheme, and/or does not have a statutory basis for their operation, in seeking recognition under the Privacy Act to understand the full extent of what is required for initial and ongoing recognition.
Part 1 – Purpose and objectives of the guidelines
The purpose of these guidelines
1.1 The Office of the Australian Information Commissioner (OAIC) developed these guidelines to assist external dispute resolution (EDR) schemes to understand:
Posted in Privacy
August 6, 2013
Today 3 journalists, Royce Millar, Nick McKenzie and Ben Schneiders, have penned a letter of apology on page 2 of the Age. It is found here. The Herald Sun reported (no doubt very reluctantly) on the three having their cases diverted, with the result that they were released without conviction on a 12-month good behaviour bond.
The apology provides:
In November 2010, while researching a story for The Age newspaper, we the undersigned journalists accessed the ALP’s Electrac database without authorisation.
The focus of the story, published on 23 November 2010, was upon databases maintained by political parties, which contain private information concerning voters, and how that information is used for election campaigning. The Electrac database is such a database. Other political parties have similar databases.
We were able to access Electrac through the use of passwords provided to one of the undersigned. We accept that we did not have authorisation
Posted in Practical issues, Privacy
August 2, 2013
The Federal Trade Commission in Federal Trade Commission, Plaintiff v. Asset & Capital Management Group & ors obtained a restraining order against defendants using illegal practices against consumers, including interfering with their privacy. The orders are found here.
The Federal Trade Commission’s press release, At FTC’s Request, Court Orders Halt to Debt Collector’s Illegal Practices, Freezes Assets, relevantly provides:
At the request of the Federal Trade Commission, a U.S. district court has halted a debt collection operation that allegedly extorted payments from consumers by using false threats of lawsuits and calculated campaigns to embarrass consumers by unlawfully communicating with family members, friends, and coworkers. The court order stops the illegal conduct, freezes the operation’s assets, and appoints a temporary receiver to take over the defendants’ business while the FTC moves forward with the case.
The lawsuit
Posted in Privacy
June 25, 2013
The Senate Standing Committees on Legal and Constitutional Affairs has reported on the Privacy Amendment (Privacy Alerts) Bill 2013. The Committee endorsed the Bill.
The report relevantly provides (absent footnotes, introduction and appendices):
RECOMMENDATION
Recommendation 1
2.30 The committee recommends that the Senate pass the Bill.
CHAPTER 1
INTRODUCTION
1.1 On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (Bill) was introduced into the House of Representatives by the Attorney-General, the Hon. Mark Dreyfus QC MP. On 17 June 2013, the Bill was introduced into the Senate and was referred on 18 June 2013 to the Legal and Constitutional Affairs Legislation Committee (committee) for inquiry and report by 24 June 2013.
Background to the Bill
1.2 In his second reading speech, the Attorney-General
Posted in Commonwealth Privacy Commissioner, Legal, Privacy
June 23, 2013
The Parliamentary Library has prepared a Bills Digest on the Privacy Amendment (Privacy Alerts) Bill 2013. It is found here.
As usual it is an excellent resource. It provides:
Structure of the Bill
The Bill contains one Schedule of amendments to the Privacy Act. The main amendment in Schedule 1 is item 4 which inserts a new Part IIIC, titled ‘Data breach notification’, into the Privacy Act following existing Part IIIB. This new Part contains the substantive elements of the mandatory data breach notification provisions, which apply to entities that are regulated by the Privacy Act.
The new Part IIIC is divided into three Divisions. Broadly, the first Division sets out when a ‘serious data breach’ will have occurred, the second Division contains obligations for entities to notify of that serious data breach, subject to certain exceptions. The third Division concerns general matters including relevant definitions specific to Part IIIC and application provisions.
Background
Data breach notifications
As the Explanatory Memorandum notes, mandatory data breach notification commonly refers to:
… a legal requirement to provide notice to affected persons and the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons. Such unauthorised access may occur following a malicious breach of the secure storage and handling of that information (e.g. a hacker attack), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise.
Data breach notification is
Posted in Commonwealth Privacy Commissioner, Privacy
June 22, 2013
The Committee has received 20 submissions on the Bill. That is impressive given there were effectively 2 days from referral to the cut-off for lodging submissions.
The submissions are:
Fundraising Institute Australia.
Opposed. It says, in part:
… the Fundraising Institute Australia believes that insufficient consideration has been given to the effect which mandatory data breach notification would have on charities and not-for-profit organisations. Government decision makers seem unaware that fundraisers use extensive donor databases in the same way as business organisations do.
………
The additional burden and cost of
Posted in Australian Legislation, Commonwealth Legislation, Commonwealth Privacy Commissioner, General, Privacy