Australian personal information being sold by corrupt at offshore call centres

November 16, 2016

Under Australian Privacy Principle 8.1 an organisation must comply with the following:

> Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
>
>   1. who is not in Australia or an external Territory; and
>   2. who is not the entity or the individual;
>
> the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

In short, an organisation must

US Financial Industry Regulatory Authority fines totaling $650,000 against Lincoln Financial Network for failure to protect confidential customer information

The contrast between the way Australian regulators approach privacy breaches and the way regulators in other jurisdictions do is stark. In Australia the Privacy Commissioner rarely takes action, and when it does the impact is minimal. The awards from determinations are risible, the terms of the enforceable undertakings are weak, and not once has the Privacy Commissioner used the very strong injunction powers under the Privacy Act. As a result the privacy culture of Australian organisations remains poor. There is no real incentive to improve.

By contrast, the Information Commissioner has imposed monetary penalty notices of tens of thousands of pounds with such regularity that they no longer warrant comment. In the United States the Federal Trade Commission has imposed rigorous enforceable undertakings on organisations that mislead their customers about privacy protection. The Financial Industry Regulatory Authority has imposed very significant fines on organisations that have breached or exposed their customers' personal information, as it did on 14 November 2016 when Lincoln Financial Securities Corporation was fined $650,000 and required to implement tighter security protocols after hackers in mid-2012 accessed its cloud server and stole the confidential records of roughly 5,400 customers.

New face verification service announced by Minister for Justice

Today the Hon Michael Keenan, Minister for Justice, announced the first phase of a Face Verification Service. The claimed aim is to tackle identity crime.

The media release

US National Institute of Standards and Technology releases a guide to help small businesses with cybersecurity

Apart from the obligations under Australian Privacy Principle 11 regarding data security, proper cyber security makes good business sense. Lloyd's is reported to have said that Australia is exposed to a potential $16 billion damages bill over the next decade. According to Lloyd's City Risk Index 2015 – 2025, Sydney is the 12th most exposed city, with $4.86 billion of economic growth at risk. The next most exposed cities in Australia are, in order, Melbourne, Brisbane, Perth, Adelaide and Canberra. This comes as little surprise to privacy practitioners. The level of awareness of cyber risks in Australia is generally low, the privacy culture poor, the regulation inadequate and the regulator lethargic and timid. Given the potential legal liability under a number of causes of action, that is very foolish behaviour by many businesses.

The National Institute of Standards and Technology (the "NIST") produces many excellent publications on cyber issues, in particular regarding standards and security. Its publications are far more useful than the guidelines produced by the Privacy Commissioner, such as those relating to information security, which tend to be opaque and general.

The NIST has released a guide to help small businesses improve their cyber security. The press release

TRK & BVP v ICM [2016] EWHC 2810 (QB): privacy, misuse of private information, injunctive relief

November 15, 2016

Recently Justice Warby in TRK & BVP v ICM [2016] EWHC 2810 granted an injunction

86 Medicare data breaches by Department of Human Services in past financial year

A regular theme running through privacy and data protection law is how poorly government agencies and private organisations manage health records. That seems counterintuitive given the extraordinary problems that arise from revealing personal information held in medical records. Under Australian law there are potentially serious consequences for

A UK Historical Society fined for data breach by the Information Commissioner’s Office

November 14, 2016

Data breaches through lost or stolen laptops or other BYODs (bring your own devices) are quite common. Unlike lost paper documents, a single lost device can expose a significant amount of data held in digital form, which is what happened to a Historical Society recently. The Information Commissioner has issued a Monetary Penalty Notice, fining the Historical Society £500.

The media release

Big W has a self-inflicted data leak, but nothing compared to the massive data breach at the Friend Finder Network.

Data breaches involving the personal information of thousands of people barely rate a mention in data security journals. Even those involving hundreds of thousands are seemingly ubiquitous, though

The vulnerability of health information…

The health sector is a perfect storm of a poor privacy culture, high staff turnover, inadequate training for professionals resistant to perceived outside interference, ineffective regulation and highly sensitive personal information of patients. It is little wonder that data breaches and privacy-invasive practices in the health sector are chronic problems. On 12 November two Dutch hospitals reportedly stopped using a Belgian laboratory for prenatal testing when they found it was using the personal information for commercial marketing. A California health plan had a data breach in October, while in Florida

Federal Trade Commissioner provides guidance on how to defend against Ransomware…

November 13, 2016

Ransomware is a chronic problem, particularly in the health sector, which relies on very sensitive records, including those of patients, and operates in a work environment with a high turnover of staff and generally a poor privacy culture. Ransomware is almost invariably