The Australian Information Commissioner has commenced civil penalty proceedings against Australian Clinical Labs Limited in the Federal Court

November 20, 2023

After coming off some serious questioning in Senate Estimates about poor enforcement practices, the Commissioner announced on 3 November 2023 that the Office of the Information Commissioner had launched proceedings against Australian Clinical Labs on 2 November 2023 (file number NSD1287/2023). The Commissioner has filed a Concise Statement and Originating Application, and Australian Clinical Labs Limited has filed a Notice of Address for Service. The Commissioner is represented by DLA Piper, out of its Brisbane office. Previously the Commissioner has been represented by HWL Ebsworth. Gilbert & Tobin, out of its Sydney office, is representing Australian Clinical Labs. Gilbert & Tobin represented RI Advice in the Federal Court case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. That case has been heralded as a positive development in enforcing data security as an obligation of Financial Service Licensees under the Corporations Act 2001, namely section 912A. While RI Advice was the subject of compliance orders and penalties, it is fair to say that Gilbert & Tobin did a good job in keeping the stringency of the orders and penalty to a moderate level. Compared to overseas penalties by the European regulators, the UK Information Commissioner’s Office and Read the rest of this entry »

Federal Trade Commission takes action against Global Tel*Link Corp for failing to secure data and notify consumers

The US Federal Trade Commission (“FTC”) is the most active federal regulator of privacy and data breaches in the United States. It has its fair share of critics but is frenetic compared to Australian regulators. It has announced that it has taken action against Global Tel*Link Corp, a prison communications provider. It alleges that Global failed to secure the sensitive personal information of hundreds of thousands of users by placing the unencrypted personal information of 650,000 users in the cloud in August 2020 without firewall protection, encryption or monitoring software. It was only when a security researcher alerted Global that it became aware of the problem. In the meantime hackers had accessed billions of bytes of this exposed data and put it on the dark web, and Global was so advised in September 2020. Global waited 9 months to notify affected customers and in any event only notified 45,000. It has been reported in Ars Technica with Prison phone company leaked 600K users’ data and didn’t notify them, FTC says.

The FTC Read the rest of this entry »

ASIC chair calls for Australian organisations to prioritise cyber security

November 13, 2023

The Australian Securities and Investments Commission (ASIC) has had a reasonably long interest in corporates maintaining proper cyber security. Last year it successfully prosecuted a claim in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) for RI Advice Group failing to maintain proper cyber security. The chair of ASIC today released Spotlight on cyber: Findings and insights from the cyber pulse survey 2023. The warnings about weaknesses in cyber defences are not surprising to those who work in the privacy and cyber security space. Some organisations take the problem seriously; many don’t. It is yet another clarion call for proper regulation and then proper enforcement.

The statement provides:

The Australian Securities and Investments Commission (ASIC) has called for organisations to prioritise their cybersecurity after a recent survey shows 58 percent of Australian businesses have limited or no capability to protect confidential information adequately.

The inaugural Cyber Pulse Survey commissioned by ASIC, also highlighted that 44 percent of participants do not manage third-party or supply chain risk and 33 percent of participants do not have a cyber incident response plan.

ASIC noted the results of the voluntary self-assessment survey have exposed deficiencies in cybersecurity risk management of critical cyber capabilities, indicating that organisations are reactive rather than proactive when it comes to managing their cybersecurity.

Joe Longo, chair at ASIC said for all organisations, cybersecurity and cyber resilience must be a top priority.

“ASIC expects this to include oversight of cybersecurity risk throughout the organisation’s supply chain – it was alarming that 44 percent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” he said.

Participating organisations indicated well-developed capabilities in identity and access management, governance and risk management, and information asset management, with large organisations consistently self-reporting more mature cyber capabilities.

Due to competing demands for limited human and financial resources, the survey showed that small organisations lagged behind larger entities in third-party risk management, data security, consequence management, and adoption of industry standards.

“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cybersecurity risks,” Longo said.

“An effective cybersecurity strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”

Air Marshal Darren Goldie, National Cyber Security Coordinator, said cybersecurity must be a priority for everyone, including individuals and businesses large and small.

“Support is available – the national office of cybersecurity works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents,” he ended.

The Executive Summary of the Report Read the rest of this entry »

Federal Government supports ransomware initiative and announces a cyber ransom reporting scheme.

The Federal Government recently announced support for the International Counter Ransomware Initiative. Today the Government announced that it will introduce a mandatory ransomware reporting scheme as part of its cyber security strategy. It has been reported by InnovationAus with Business face cyber ransom reporting scheme. Neither the legislation nor even the details of the proposal have been released.

Banning ransomware payments is difficult. The first problem is enforcement. Data breaches and ransomware attacks are notoriously under-reported. Professional hackers are quite sophisticated and can make the payment of a ransom a relatively quick operation. For a desperate victim whose business is being affected and who is concerned about reputational damage, this can be the least worst option. Having a no-fault, no-liability mandatory reporting scheme is more complicated than it would appear. Commonly an organisation will suffer a data breach because of its own laxity: failing to properly patch systems and antivirus software, inadequate privacy training, and poor culture. It is always a matter of how the legislation works. Will reporting a breach provide an organisation with protection from action by a regulator? Will that protection only Read the rest of this entry »

Information Commissioner announces that she will not seek a third term when her current term expires in August 2024.

Last Friday (a known trash day for those wanting to put out news that won’t get a run in the mainstream press) the Information Commissioner announced that she would not be seeking a third term. Her term ends in August 2024. What is not clear from the statement is whether the Commissioner received an indication from the Government that a third term was a reasonable prospect if she wanted it.

Her statement is:

The Australian Information Commissioner Angelene Falk has advised the Attorney-General that after having the privilege of serving two terms she will not be seeking a third term.

The Australian Information Commissioner said: “I am greatly honoured to have led the Office of the Australian Information Commissioner (OAIC) through a time of exponential growth, technological development, heightened community expectations and great domestic and international change in the regulatory landscape. I remain focused on the protection and promotion of privacy and information access rights and ensuring the OAIC is well positioned for the challenges of the future.”

Commissioner Falk said the move to a three Commissioner model marked an exciting chapter for the OAIC.

“There is much I wish to do in the remainder of my term and a key priority is to support Commissioners in their roles and leverage our current strategic review so the OAIC can continue to serve the Australian community over the next decade,” she said.

The Attorney-General’s Department has advertised the position ahead of the conclusion of the Australian Information Commissioner’s term in August 2024.

Falk’s tenure has been more effective than that of her predecessors. That is partly because she has had more resources of late, and the pressure to do more, given the increased number and size of data breaches, has grown. That said, previous Commissioners left a disappointing legacy. Regulation has been weak and enforcement negligible. As such Read the rest of this entry »

Data breach at the Alfred by curious pharmacist is just another in a long line of data breaches in the health sector

November 2, 2023

The health industry is notorious for its data breaches, in Australia, the United States, the United Kingdom and Europe. It is a chronic problem with many causes: dreadful culture, especially amongst medical staff, poor systems, poor training, large numbers of staff with many ways of accessing data, and such a rich load of personal information concentrated on one system. The information we are expected to provide to doctors, hospitals, ambulance providers, respite centres... the list goes on. In many cases the information is sufficiently broad and detailed to commit identity theft. The Age reports in ‘Curious’ pharmacist spied on patient records at The Alfred that an employed pharmacist accessed the personal information of 7,000 patients over a 4 year period without authorisation. That access included viewing the records of fellow staff members. This is a depressingly common occurrence, which I post on regularly, such as in August last year with Health advisor in the UK fined for unlawfully accessing patient records. And in NSW such conduct resulted in a nurse having her registration cancelled, and UK Information Commissioner prosecutes unauthorised access to personal information..part of a growing problem, just by way of example. The Guardian reported last year that 24 UK doctors were censured in a 5 year period for medical record breaches. Earlier this week Ontario hospitals suffered a data breach as a result of a cyber attack. That data breach was caused by the ransomware group Daixin Team, and it is leaking the data. Last Friday a Medibank-owned health insurer, ahm, had to take down its online insurance quote form because personal information entered by one person was made available to another when the latter tried to fill out the form.

Alfred Health released a statement today about the privacy breach. There is not too much in the way of good corporate citizenry involved in this release. The investigation began in June. The pharmacist was subsequently sacked.

Alfred Health’s statement provides:

Alfred Health chief executive Prof Andrew Way has issued a written apology to more than 7000 patients after their medical records were viewed by a healthcare worker while not directly involved in their care.

Prof Way said accessing patient information without a direct clinical reason is a breach of privacy and completely unacceptable.

“We deeply value the relationship we have with our patients, and the trust they put in us, and we unreservedly apologise for the healthcare worker’s misconduct,” Prof Way said.

“We have written to every patient whose medical record was accessed without authority, and we have invited them to call our dedicated hotline if they would like additional information or support.”

While cybersecurity experts reviewing the privacy-matter found no evidence of download or use of patient information, the former worker’s behaviour was a fundamental breach of professional standards.

“What began as healthcare worker’s legitimate professional access to the electronic medical records system morphed to include access for personal curiosity,” he said.

“As soon as this behaviour was confirmed, we terminated their employment and referred the matter to both the Australian Health Practitioner Regulation Agency (Ahpra) and the Australian Digital Health Agency.”

There is no evidence the, now, former employee kept a copy of any data, shared data online or otherwise misused patient data.

The health service is looking at whether there is technology available to improve the detection of unusual behaviour in the electronic medical record system, while still ensuring seamless access for time critical patient care.

The last sentence is the most apt: having technology and systems to improve detection of unusual behaviour. Of course there are such programs, and of course they operate in the health sector. That it took the Alfred 4 years to detect unusual behaviour, Read the rest of this entry »
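As an added illustration of the kind of detection the statement refers to (example code written for this post, not Alfred Health’s system or anything from The Age’s report): each electronic-record access is checked against a care-relationship roster, accesses with no clinical relationship or to a fellow staff member’s record are flagged, and users whose share of unaffiliated views is unusually high are surfaced for review. The audit-log format, roster, thresholds and user ids are all constructed assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of EMR audit-log lines (hypothetical pipe-delimited format):
# timestamp | user_id | role | patient_id | action
AUDIT_LOG = """\
2023-03-01T08:02:11 | pharm17 | pharmacist | P1001 | view
2023-03-01T08:05:40 | pharm17 | pharmacist | P1002 | view
2023-03-01T08:06:02 | pharm17 | pharmacist | P2001 | view
2023-03-01T08:06:30 | pharm17 | pharmacist | S0042 | view
2023-03-01T08:07:01 | pharm17 | pharmacist | P2002 | view
2023-03-01T09:10:00 | nurse03 | nurse      | P1001 | view
2023-03-01T09:12:15 | nurse03 | nurse      | P1003 | view
2023-03-01T11:00:00 | pharm17 | pharmacist | P1001 | dispense
"""

# Constructed care-relationship roster: the patients each user is currently
# assigned to (from ward rosters, medication orders, referrals and the like).
CARE_TEAM = {
    "pharm17": {"P1001", "P1002"},
    "nurse03": {"P1001", "P1003"},
}

# Constructed set of patient records that belong to staff members.
STAFF_PATIENT_IDS = {"S0042"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse the constructed pipe-delimited audit format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = [f.strip() for f in line.split("|")]
        events.append(AuditEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def find_unaffiliated_access(events, care_team, staff_ids):
    """Return (user, patient, reason) for every access lacking a care relationship.

    Accesses to staff members' own records are called out separately because the
    Alfred case involved a worker viewing colleagues' records.
    """
    findings = []
    for ev in events:
        if ev.patient in care_team.get(ev.user, set()):
            continue  # legitimate: the user is on this patient's care team
        reason = "staff record" if ev.patient in staff_ids else "no care relationship"
        findings.append((ev.user, ev.patient, reason))
    return findings


def users_over_threshold(events, care_team, max_unaffiliated_ratio=0.25):
    """Users whose fraction of unaffiliated accesses exceeds the review threshold.

    A ratio rather than a raw count keeps a busy clinician with one mistaken
    click from being flagged while a pattern of curiosity browsing stands out.
    """
    total = defaultdict(int)
    unaffiliated = defaultdict(int)
    for ev in events:
        total[ev.user] += 1
        if ev.patient not in care_team.get(ev.user, set()):
            unaffiliated[ev.user] += 1
    return {
        user: unaffiliated[user] / total[user]
        for user in total
        if unaffiliated[user] / total[user] > max_unaffiliated_ratio
    }


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    for finding in find_unaffiliated_access(evs, CARE_TEAM, STAFF_PATIENT_IDS):
        print("flag:", finding)
    print("review:", users_over_threshold(evs, CARE_TEAM))
```

In a real deployment the roster comes from the hospital’s own clinical systems and the threshold is tuned against historical audit data; the point is that the signal already exists in the access log.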

Legal and Constitutional Affairs Legislation Committee questions Office of Information Commissioner in Senate Estimates on 23 October 2023

October 27, 2023

Senate Estimates are an invaluable way of scrutinising government departments and asking questions on issues that do not find their way into Government reports. So it was when the Senate Legal and Constitutional Affairs Legislation Committee asked some long overdue questions of the Information Commissioner on 23 October 2023. With the Information Commissioner, top of the list of questions are the delay in investigating complaints and the lack of vigorous enforcement by the Commissioner. Compared to other privacy regulators, the Australian Information Commissioner’s Office is tardy and timid.

Senator Shoebridge asked questions relating to those very issues. The answers were not particularly inspiring. The good Senator highlighted what privacy practitioners have long suspected: that the Commissioner doesn’t do enforcement. This extract is revealing:

Senator SHOEBRIDGE: How could it be that 1,748 data breaches are referred to your office with not a single penalty over two years? What has gone wrong?

Ms Falk: It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances.

Senator SHOEBRIDGE: It’s about never using the stick, isn’t it—never.

Ms Falk: That’s not the case. You’ll be aware that I do have proceedings before the Federal Court in relation to Facebook and also aware of the time that it takes for these matters to progress.

The regulatory strategy is not to take enforcement action. In the US or the UK, enforcement would be very much to the fore. Here it is not the “right tool.” Little wonder that there is a very poor privacy culture. If enforcement is off the table there is Read the rest of this entry »

Information Commissioner releases Annual Report

October 25, 2023

It’s annual report time. And the Information Commissioner is no exception to this exercise ordained by law. And, in the tradition of the Australian Public Service, it was released on a Friday. The 19th of October to be exact, even though the Information Commissioner signed the report as dated 3 October 2023. That way it avoids serious scrutiny by the traditional media. There is no time to push out a story for the weekend papers, and the electronic media would have no interest in that being a weekend story. By Monday the caravan has moved on.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) delivered work for the Australian community through unprecedented times in 2022–23 as millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme.

Releasing the OAIC’s annual report for 2022–23, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the volatile events of the financial year had underscored the need for the regulator to have the right foundations in place to promote and protect information access and privacy rights.

“Throughout the year, the OAIC has continued to develop and advocate for these foundations to support a proportionate and proactive approach to regulation. This includes appropriate laws, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and, importantly, collaboration,” Commissioner Falk said.

“As well as being a wake-up call for Australian organisations, the prominent data breaches emphasised how collaboration by regulators and government can assist in identifying and reducing harms.”

Commissioner Falk said the OAIC had sought to influence quality freedom of information (FOI) decision making by providing guidance to government agencies and working with them to improve the system. However, the OAIC still requires sufficient resources to meet current demand and address backlogs.

This year, applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years, and FOI complaints fell 2% to 212.

The OAIC finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 35% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

“We continued to engage with government agencies on issues of regulatory concern and to promote the principles of open by design, which support agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure,” Commissioner Falk said.

The OAIC performs an important privacy complaint handling role for the community. In 2022–23, it received 34% more privacy complaints (3,402, a record number) than in 2021–22.

In a year in which data breaches were so prominent, the OAIC received a 5% increase in notifications.

“Not surprisingly, our Australian Community Attitudes to Privacy Survey 2023 released soon after the end of the reporting period in August 2023, found that data breaches are seen as the number one privacy concern by the community,” Commissioner Falk said.

During 2022–23, the OAIC launched significant investigations into Optus, Medibank Private, Latitude Group and Australian Clinical Labs in relation to their data breaches. Investigations were also opened into the personal information handling practices of retailers Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.

The OAIC continues to co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission. During 2022–23, the OAIC provided advice on the privacy and confidentiality impacts of expanding the CDR to the non-bank lending sector, legislation to establish new functionality in the CDR to allow consumer-directed action and payment initiation, and new and amended data standards.

During the reporting period, the OAIC contributed to the Attorney-General’s Department’s review of the Privacy Act 1988. The Australian Government released its response to the review in September 2023 and legislation is expected in 2024.

“In the May 2023 Budget, the OAIC received additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future,” Commissioner Falk said.

“This is an opportunity full of promise and will occur alongside a change in the composition of the OAIC following the Australian Government’s announcement that the 3 statutory office holder model will be reinstated, with an Information Commissioner (as agency head), FOI Commissioner and Privacy Commissioner.

“The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.”

Read the OAIC Annual report 2022–23.

Key 2022–23 statistics

    • Received 1,647 applications for IC review of FOI decisions (down 16% compared to 2021–22) and finalised 1,519 (up 10%).
    • Received 212 FOI complaints (down 2%) and finalised 124 FOI complaints (down 44%). The fall in complaints finalised was due to a focus on finalising IC reviews received in 2018 and 2019.
    • Received 3,402 privacy complaints (up 34%) and finalised 2,576 privacy complaints (up 17%).
    • Received 895 notifications under the NDB scheme (up 5%) and finalised 77% of notifications within 60 days against a target of 80%.
    • Handled 11,672 privacy enquiries (up 7%) and 1,647 FOI enquiries (down 15%).

The overview provides:

In 2022–23 the OAIC delivered our work for the Australian community through unprecedented times, as tens of millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme in 2018.

With the welcome support of additional government funding for privacy, we commenced and have substantially progressed major investigations into these breaches. They have brought into sharp relief the requirement for boards across corporate Australia, Ministers and Secretaries of Departments, to prioritise investment in protecting personal information and limiting its collection and retention. As cyber-attacks become increasingly prevalent and impactful, it’s individuals who are at risk of harm but business and others with custody of personal information at risk of serious reputational damage.

This is why the OAIC seeks to serve the Australian people by putting the individual at the centre of our approach. We focus on applying our regulatory tools to promote access to government-held information and protect personal information. This means assessing where potential community impacts are most significant, being targeted in our approach, maximising the use of our resources, and adapting to a rapidly changing and increasingly complex environment.

Achieving that goal requires certain foundations to be in place: appropriate law, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and importantly, collaboration.

The OAIC has developed these foundations to take a proportionate and proactive approach to identifying and reducing harms. We have sought to influence quality Freedom of Information (FOI) decision-making by providing guidance to agencies and working with them to improve the system. However, to achieve the vision for the OAIC’s role in FOI requires sufficient resources to meet current demand and address backlogs which have arisen since the office’s establishment, resulting in a legacy case load that persists and continues to grow.

This year applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years primarily attributable to the Department of Home Affairs; and FOI complaints fell 2% to 212.

We finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 37% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

In 2018 the OAIC began efforts to garner support for a review of its functions and resourcing requirements, to ensure the organisation is positioned to meet the needs of the community. We have been consistent and persistent in our representations across all our functions. In the May 2023 Budget we were pleased to receive additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future. Read the rest of this entry »

The National Institute of Standards and Technology releases a Log Management Planning Guide

The National Institute of Standards and Technology (“NIST”) is hugely influential in providing systems and setting out standards in the area of cyber security. It has no real peer. That doesn’t mean it is given the credit it should be by many practitioners. NIST has released the Cybersecurity Log Management Planning Guide.

Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. It facilitates log usage and analysis for such things as identifying and investigating cybersecurity incidents, finding operational issues, and ensuring that records are stored for the required period of time.

The guide aims to assist organizations in improving their cybersecurity log management practices.

The Abstract provides:

A log is a record of events that occur within an organization’s computing assets, including physical and virtual platforms, networks, services, and cloud environments. Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. It facilitates log usage and analysis for many purposes, including identifying and investigating cybersecurity incidents, finding operational issues, and ensuring that records are stored for the required period of time. This document defines a playbook intended to help any organization plan improvements to its cybersecurity log management.

A log is a record of the events that occur within an organization’s computing assets, including physical and virtual platforms, networks, services, and cloud environments.

Log management:

  • is the process for generating, transmitting, storing, accessing, and disposing of log data.
  • facilitates log usage and analysis to identify and investigate cybersecurity incidents, find operational issues, and ensure that records are stored for the required period of time.

The guide sets out Read the rest of this entry »

The UK Information Commissioner issues preliminary enforcement notice against Snap for failing to properly assess the privacy risk posed by its generative AI chatbot ‘My AI’

October 19, 2023

The privacy concerns regarding the use of AI have always been present. As usual, they have been pushed into the background as the potential and use of AI have dominated the debate. That does not mean that AI developers and users are exempt under the law, as Snap has discovered in the United Kingdom. The UK Information Commissioner has issued a preliminary enforcement notice against Snap regarding its failure to properly assess privacy risks when deploying its generative AI chatbot “My AI”. The UK Information Commissioner found that Snap’s risk assessment was defective, particularly as it related to children.

The media release provides:

    • Snap issued with preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’
    • Investigation provisionally finds Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17.

The Information Commissioner’s Office (ICO) has issued Snap, Inc and Snap Group Limited (Snap) with a preliminary enforcement notice over potential failure to properly assess the privacy risks posed by Snap’s generative AI chatbot ‘My AI’.

The preliminary notice sets out the steps which the Commissioner may require, subject to Snap’s representations on the preliminary notice. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. This means not offering the ‘My AI’ product to UK users pending Snap carrying out an adequate risk assessment. Read the rest of this entry »