The EU Commission announces the publication of general purpose AI code of practice

March 12, 2025

The European Commission has released the third draft of the General-Purpose AI Code of Practice. It includes commitments by providers of general-purpose artificial intelligence (AI) models, including:

  • documentation: the signatories commit to drawing up and keeping up-to-date model documentation, including ensuring quality, security, and integrity of the documented information and providing it to providers of AI systems and to the AI Office upon request; and
  • copyright policy

Providers of general-purpose AI models with systemic risk must commit to:

  • adopting and implementing a Safety and Security Framework that will apply to the AI models with systemic risk, as well as detail the systemic risk assessment;
  • conducting systemic risk assessment systematically at appropriate points along the entire model lifecycle;
  • selecting and further characterizing systemic risks;
  • determining the acceptability of the systemic risks;
  • implementing technical safety mitigations along the entire model lifecycle of the model, and ensuring they are proportionate and state-of-the-art;
  • mitigating systemic risks that could arise from unauthorized access to unreleased models;
  • reporting to the AI Office on the safety and security of the models;
  • carrying out adequacy assessments;
  • implementing systemic risk responsibility allocation;
  • obtaining independent external systemic risk assessments, including model evaluations;
  • keeping track of, documenting, and reporting serious incidents to the AI Office and, as appropriate, to national competent authorities;
  • ensuring protections on non-retaliation against any worker providing information about systemic risks;
  • notifying the AI Office of relevant information and the implementation of commitments;
  • carrying out documentation, as prescribed by the code of practice and the Artificial Intelligence Act (AI Act); and
  • implementing public transparency on systemic risks stemming from their AI models with systemic risk.

The AI Office will:

  • report on the feedback received from stakeholders on the template for an adequate public summary of the training data under Article 53(1)(d) of the AI Act and outline the next steps for adopting the template; and
  • publish guidance clarifying the scope of the AI Act rules for general-purpose AI, including information on:
    • the definitions of general-purpose AI models;
    • placement of models on the market and providers;
    • exemptions for models provided under free and open-source licenses; and
    • the effects of the AI Act on models placed on the market before August 2025.

The press release

Office of the Information Commissioner attends Estimates

March 1, 2025


Senate Estimates is an annual event. For Governments it is a mandatory evil. For oppositions it promises to reveal a cornucopia of information to embarrass the government and burnish its credentials. For the agencies, in particular the public servants who front the various Estimates Committees, it is a burden to be carried as part of the job. This year the Information Commissioner’s attendance before the Legal and Constitutional Affairs Legislation Committee proved to be no different. The Commissioner’s opening statement was the usual anodyne, nothing to see here, statement providing:

With the chair’s leave I take this opportunity to acknowledge the committee’s role and in doing so provide a brief opening statement outlining the important work of the Office of the Australian Information Commissioner (OAIC).

I appear today with the assistance of the FOI Commissioner Ms Toni Pirani and with the chair’s leave the Privacy Commissioner Ms Carly Kind appearing via link and Executive General Manager, Information Rights Ms Ashleigh McDonald.

Supported by our new organisational structure we are better positioned to operate as a contemporary and proactive regulator. Some of our recent initiatives and outcomes demonstrate our future direction. We have:

    • commenced preliminary inquiries into the privacy impacts of connected vehicles
    • commenced the development of a Children’s Online Privacy Code
    • developed a public facing dashboard to ensure that agency freedom of information (FOI) data is reported and presented more effectively
    • We will shortly deliver a report examining the use of messaging apps by Australian government agencies
    • We are building our strategic intelligence capabilities.

To deliver a proactive and contemporary regulatory approach to benefit the Australian community, agencies and industry alike, we will also focus on building staffing capabilities through an investment in new ways of working and professional development. Within our budgetary parameters, our technology and systems will also be a focus to support our new direction.

However, we are also mindful to deal with our core case management responsibilities and reduce our backlog in both FOI and privacy cases. Our resources are challenged by a 25% increase in FOI Information Commissioner review (IC review) applications compared to the same period last year. This is against a backdrop of an increase in FOI IC review applications over the last 5 years that is estimated to double the number of FOI IC review applications received in 2019–20. We also face an overall growth in privacy case work and increasing complexity in our case work arising from digital services and emerging technologies. This has a particular impact on our privacy case work.

Our enforcement capabilities have been assisted by an increase of funding in recognition of the complexities of enforcement. Similarly designated funding has been provided to the OAIC to develop the Children’s Online Privacy Code and guidance regarding the social media age limit.

Our appearance and preparatory papers are informed by data as at 15 January 2025.  However, to assist the committee, as at 23 February 2025 the OAIC 2024–25 case statistics are as follows:

    • 1,279 FOI review applications were received and 1,494 finalised.
    • 196 FOI complaints were received and 216 finalised.
    • 1,966 privacy complaints were received and 1,687 finalised.

During this period, we also finalised a number of complex privacy matters that have delivered a strong enforcement message and importantly established our expectations of the regulated community. In doing so, we are upholding the rights of privacy and information access enshrined in statute by the Australian Parliament and better serving the values and expectations of the Australian community.

I wish to acknowledge the significant work and expertise of the OAIC leadership in taking forward this major change program and recognise with gratitude OAIC staff for their dedication and commitment as we secure the fundamental human rights of privacy and information access in an increasingly complex environment.

The hearing before the Estimates Committee focused on the reduction in staffing in the Office from 200 to 138 staff. A 23% reduction in staff. Also of interest is the Privacy Commissioner’s admission that the findings of the Property Lovers determination are not being complied with. In short, the behaviour complained of is continuing. The Privacy Commissioner is investigating what to do next.

An understaffed office is bad news for effective regulation.  That has been a chronic problem for this office.  Fortunately there will be a statutory tort as of June 2025 so in many cases individuals will not need to rely on the Commissioner taking up an investigation from a member of the public.

The Transcript provides:

CHAIR: With 20 minutes to go in our hearing, we’re going to politely and apologetically, dismiss the Australian Human Rights Commission. We won’t get to them this evening. We thank them for their time and for travelling. We do have questions for them, but we won’t have time to put them. We thank them for their ongoing work, particularly in the current environment. I know they’re working very hard. So thank you very much.

Welcome, commissioners. Do you have an opening statement you’d like to table?

Ms Tydd : I do have a very brief opening statement and I’m happy to table that.

CHAIR: Thank you very much. That will be circulated to senators so they can read from that when they have it in front of them. In the meantime, I’ll pass the call to Senator Scarr.

  Senator SCARR: Commissioner, how many staff have left the OAIC since August last year?

Ms Tydd : I don’t think I could speak with authority from the date of August, but I can give you the very high-level numbers of staffing pre and post our organisational redesign.

  Senator SCARR: Can you give me the dates for the organisational redesign, so I can calibrate that with my August date.

Ms Tydd : Yes. That was finalised in mid-November, about 17 November. The organisational redesign responded to our significant budgetary situation, in which we would be operating at a deficit. Action was taken around that. At the time, in July, we had an FTE of just over 200. Our organisational redesign that allowed us to operate within our budgetary parameters—

  Senator SCARR: Sorry; it’s late. I’ve got to get these numbers right. In July your FTE was just over 200?

Ms Tydd : Correct. And our ASL cap came down to 173. We knew that within our budgetary parameters we’d need to operate at around 165. We didn’t purely look at staffing levels in relation to meeting our budgetary parameters; we looked at a range of measures. They included external supply costs. Legal costs were something that we focused on as well. So, yes, we were required to reduce staffing in response to our revised budgetary parameters, and that process was completed around mid-November.

  Senator SCARR: Okay. What were the FTE numbers as at mid-November, when you completed that process?

Ms Tydd : There probably was still some lag. I’d say it would be about 175. I’ll see if I have any dates that will help you further. I can tell you that as at 18 December, as we were still working through that process, our staffing level was 175.

  Senator SCARR: Do you have the data as at today or the most recent data as at the end of the month? Do you have any most recent data?

Ms Tydd : As at 29 January, it was 138.4.

  Senator SCARR: So you went from 175 as at 18 December—that was the figure you gave?—

Ms Tydd : Correct.

  Senator SCARR: to 138.4 as at 29 January?

Ms Tydd : That’s correct, with a headcount of 156.

  Senator SCARR: Okay, so you’ve got part-time—

  Senator SHOEBRIDGE: So as we don’t have to traverse across this, do you mind if I ask: you’ve been talking FTE all the time through, so these have all been the same dataset of FTE, full-time equivalents?

Ms Tydd : Yes.

  Senator SCARR: So you went from—we’ll try and use the common terminology—FTE as at 18 December of 175 to FTE as at 29 January, which is only a month later, of 156. Is that correct?

Ms Tydd : The figure I have is 138.4.

  Senator SCARR: 175 to 138.4?

Ms Tydd : Yes. They’re the figures I have before me.

Patient information from the Genea data breach posted on the dark web

February 27, 2025


Exactly a week ago I posted on the Genea data breach and raised concerns about the way it was handling the matter. The public statement was dreadful and it was clear from the subsequent reporting that it was keeping a lot of information away from the public eye. Information that is commonly provided by US companies when they suffer data breaches. That dreadful approach has given way to a much more expansive attitude with a long statement on 24 February 2025 and notice of an injunction yesterday.

The Genea statement of 24 February provides:

We are endeavouring to communicate with all current and former Genea patients the latest updates of our investigation into the incident. A copy of our communication is included below.
 
Thank you for your patience as we investigate the cyber incident that has impacted our organisation (Genea Pty Limited). We understand that hearing about an incident like this can cause concern and we sincerely apologise for this. We want to reassure you that our teams of specialists, nurses, scientists and support staff are working tirelessly to minimise any impact to the treatment of our patients which is always our highest priority. Our technology teams have also been working around the clock with cyber security professionals to securely restore our systems while progressing our investigation.
 
We are committed to doing all we can to protect your privacy. In this letter, we’ll step you through what happened, what types of personal information relating to you may have been involved in the incident and identify clear steps you can take to help ensure your information is protected.

What has happened?

On 14 February 2025, we became aware of suspicious activity on our network. Following this, we promptly launched an investigation to determine the nature and scope of the activity. In the course of these investigations, Genea discovered that it had been impacted by a cyber security breach.  
 
Since the incident, we have undertaken extensive remediation efforts and actions in line with our incident response process to prevent reoccurrence. This has involved securing our networks in partnership with our cybersecurity partners and bringing our core systems online to ensure that we can continue to provide the very best care to our patients.
 
We advised in our prior communication that we were continuing to investigate the nature and extent of data that had been accessed and the extent to which it contained personal information. As a result of our ongoing investigation, we now believe the attacker may have accessed and taken personal information which we hold.
 
We have notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre of the incident. We are meeting with the National Office of Cyber Security, the Australian Cyber Security Centre and other government departments to discuss the incident with them.
 
Our investigation is ongoing, and we will continue to communicate any relevant updates to you.
 

What personal information has been impacted?

Our investigation has identified that Genea’s patient management systems, which contain information about you, was accessed by an unauthorised third party. We stress that at this point in time it is unknown what personal information within the folders on the patient management system has been compromised. However, the folders on the patient management system include the following types of your information:  


Privacy Commissioner enters into enforceable undertaking with Oxfam Australia resulting from a data breach on 20 January 2021 resulting in the loss of up to 1.7 million records

February 20, 2025

Today the Privacy Commissioner announced that she has entered into an enforceable undertaking with Oxfam Australia arising from a large data breach on 20 January 2021. What is clear from the undertaking and the Commissioner’s blog is that Oxfam had poor data handling practices and held data long after it was needed. This is a common problem and aggravates the damage associated with a data breach.

The term of the undertaking is 2 years. The key obligations are found at paragraph 6 setting out obligations within 3 months to set up a coherent system of using shared credentials, password controls and multi factor authentication and within 6 months to destroy personal information held by Oxfam for more than 7 years or in other specific categories. Oxfam must undertake a review of all current uses of personal information within 3 months. An expert will review compliance in 12 months’ time and implement any recommendations. It will also engage in “a program of public engagement” with the Commissioner and provide to her documents or information she requests from time to time to determine compliance with the Undertaking.

It is a reasonably stringent Undertaking by Australian standards. It is quite lax compared to actions the UK Information Commissioner takes and very easy going compared to the Federal Trade Commission’s enforceable undertakings which often involve swingeing fines and a period of 10 – 20 years of compliance with regular reporting. 

The media release provides:

Privacy Commissioner Carly Kind has accepted an enforceable undertaking (EU) offered by Oxfam Australia (Oxfam).

A data breach was experienced by the not-for-profit in January 2021, and reported to the OAIC in February 2021, following which, the Commissioner initiated an investigation. The data breach resulted in the loss of up to 1.7 million Oxfam records.

The Commissioner’s acceptance of the EU is not a finding that Oxfam has breached the Privacy Act nor the Australian Privacy Principles, but rather highlights the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices.

Oxfam is undertaking a range of measures outlined in the EU, particularly in relation to not storing certain personal information longer than 7 years, avoiding the use of shared credentials, implementing password security controls, sharing staff guidance, procedures and training, and the use of privacy threshold assessments in relation to any project that involves handling personal information for testing purposes.

Oxfam has been working collaboratively with the OAIC across the investigation period, and since offering the enforceable undertaking has contributed to an awareness raising campaign directed at others in the not-for-profit sector in relation to the incident and its response to the incident.

The OAIC has used insights from its investigations into Oxfam’s experience, and the separate data breach which affected the telemarketing firm Pareto, to update its privacy guidance for not-for-profits. The guidance, updated in October 2024 (media release), includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.

Timeline

    • On 20 January 2021 an unknown user gained access to an Oxfam Australia (Oxfam) database.
    • The data breach resulted in the loss of up to 1.7 million Oxfam records.
    • Oxfam was alerted to the incident on 27 January 2021.
    • Oxfam notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) of the incident on 26 February 2021.
    • Oxfam Australia alerted its supporters of the potential risk on 4 February 2021.
    • On 1 March 2021 Oxfam began notifying their supporters about steps that they could take to protect personal information and provided access to IDCARE.
    • On 10 September 2021 the Australian Information Commissioner commenced an investigation into whether Oxfam’s acts and practices met its requirements under the Privacy Act.
    • Privacy Commissioner Carly Kind concluded the investigation in late 2024.
    • Following the conclusion of the investigation, Oxfam presented Privacy Commissioner Carly Kind with their enforceable undertaking on 18 December 2024.
    • Privacy Commissioner Carly Kind accepted the Oxfam enforceable undertaking on 20 December 2024.

Key privacy points for NFPs

    • NFPs may have obligations under the Privacy Act and Australian Privacy Principles when collecting and handling personal information.
    • Regardless of whether the Privacy Act applies to your NFP, good privacy practice can enable you to build trust and maintain stronger relationships with the community and reduce the risk of harm to your entity, staff and supporters which may result from a data breach.
    • It is important to ensure your NFP only collects personal information you need, stores that information securely and deletes the information when it is no longer required.
    • Your NFP should only retain personal information where there is an ongoing need to hold this information. You should make sure that your NFP has systems and processes in place for regularly reviewing whether the retention of information is still required, and destroying or de-identifying personal information that is no longer required.
    • Part of good privacy practice also means being prepared in case things go wrong. Ensuring you have a data breach response plan in place and are familiar with it, will enable you to respond quickly to a data breach.
    • When entering into arrangements with third parties, your NFP should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your NFP and the wider community. Read the terms of your agreement carefully, conduct periodic reviews of arrangements, and ensure the third party deletes any personal information at the end of the contract term.
    • Refer to our privacy guidance for not-for-profits for advice on security of information, and steps your NFP should put in place to ensure compliance with retention and destruction obligations. The guidance also covers what to consider when engaging third-party providers, such as for fundraising, or software vendors.

Note: Commissioner Kind wishes to note that she previously undertook consultancy work for Oxfam Great Britain. Oxfam Australia and Oxfam Great Britain are separate legal entities. Commissioner Kind’s consultancy work was undertaken prior to her appointment as Privacy Commissioner.

The Enforceable Undertaking

Genea, an IVF provider, suffers a significant data breach.

February 19, 2025

Genea, a large IVF provider, has suffered a cyber attack. Today it publicly announced that it has been the subject of a cyber attack. The statement, 19 February 2025: Important update about a cyber incident, is a model of saying precious little.

It provides:

Genea is urgently investigating a cyber incident after identifying suspicious activity on our network. As soon as we detected the incident, we took immediate steps to contain the incident and secure our systems. 
 
Out of an abundance of caution, this included taking some of our systems and servers offline while we investigated the incident. These are now being restored while we continue our investigation.
 
Our ongoing investigation has identified that an unauthorised third party has accessed Genea data. We are urgently investigating the nature and extent of data that has been accessed and the extent to which it contains personal information.
 
We acknowledge the importance that people place on their information, especially in this current environment. We are committed to keeping you updated as we learn more.

Are Genea clinics still open and treatments being provided?

We are working hard to ensure that there is minimal disruption to treatment being provided to our patients. If you do not hear from your local Genea clinic, there is no change to your current treatment schedule.
 

What should I do?

We will communicate with relevant individuals if our investigation identifies any evidence that their personal information has been impacted.

We sincerely apologise for any concern this incident may cause and want to reassure patients that we take your privacy and the security of your data very seriously.
 
We also want to reassure you that our teams of specialists, nurses and office support staff are working tirelessly to ensure that there is minimal disruption to your treatment, which is of our utmost priority and importance.
 

Need to get in touch?

If you have any further questions, please email cyber@genea.com.au.

The statement is more about appearing to provide information while not doing any such thing. There are no details of when the attack occurred, when it was detected, what data was accessed. The ABC’s sleuthing partially filled in those gaps. The ABC suggests the attack occurred sometime on the weekend when Genea’s phone line went down (which it announced on 14 February – last Saturday) and its app was unusable and patients started posting on Genea’s Instagram account. Genea claims to be investigating the extent to which personal information has been accessed. That is improbable. If it is accurate then the resources it is deploying to determine whether personal information was accessed are inadequate. So Genea’s vague, say-not-much media release is less than helpful. IVF patients have a very strong interest in using the digital resources of Genea, are very proactive and many are quite sophisticated. So throwing a digital blanket over a serious breach is a poor way of managing a crisis. The reluctance by Genea to be more open may expose it to more media coverage.

Given the nature of the treatment provided and the likelihood that very sensitive personal information was stored in Genea’s records it is almost certainly a notifiable data breach. 

The story has been reported in

South Korean privacy regulator suspends DeepSeek citing privacy concerns

February 18, 2025

Yesterday the Personal Information Protection Commission (PIPC) announced that it temporarily suspended Hangzhou DeepSeek Artificial Intelligence Co., Ltd.’s services until improvements and supplements are made in accordance with the Personal Information Protection Act (PIPA). The decision follows an investigation by the PIPC. The PIPC sent an official inquiry to DeepSeek’s headquarters regarding the collection and processing of personal information shortly after the launch of DeepSeek’s service.

The PIPC found some deficiencies in privacy policies, among other things. DeepSeek acknowledged that it had failed to consider domestic protection laws in its global service rollout and expressed its intention to cooperate with the PIPC. PIPC will present a guide (in the form of a checklist) that overseas artificial intelligence (AI) developers should check before launching their services in Korea. The story has been reported in the Australian with DeepSeek removed from South Korea app stores pending privacy review which provides:

Chinese AI app DeepSeek will not be available to download in South Korea pending a review of its handling of user data, Seoul authorities said Monday.

DeepSeek’s R1 chatbot stunned investors and industry insiders with its ability to match the functions of its Western competitors at a fraction of the cost.

But a number of countries have questioned DeepSeek’s storage of user data, which the firm says is collected in “secure servers located in the People’s Republic of China”.

Seoul’s Personal Information Protection Commission said DeepSeek would no longer be available for download until a review of its personal data collection practices was carried out.

The Chinese AI firm has “acknowledged that considerations for domestic privacy laws were somewhat lacking”, the data protection agency said.

It assessed that bringing the app into line with local privacy laws “would inevitably take a significant amount of time”, the agency added.

Guardian reports that UK gambling firms secretly sharing user data with Facebook without permission

The Guardian’s report Revealed: gambling firms secretly sharing users’ data with Facebook without permission is unfortunately hardly surprising. On this occasion the personal information is going from gambling companies to Meta for it to profile its users and place advertisements.

Six massive data breaches in 2024 resulted in 1.7 billion data breach notices. A 312% increase over 2023. Most of the data breaches were avoidable

February 2, 2025

The number of data breaches year on year continues to rise. More concerningly the numbers of victims affected grow exponentially. Data Breach Today in 312% Surge in Breach Notices That Could Have Been Prevented reports on an enormous spike in data breach notices being sent out on the back of 6 massive data breaches. Concurrently Bleeping Computer reports in US healthcare provider data breach impacts 1 million patients that Community Health Centre in Connecticut suffered a data breach in mid-October 2024 which was only discovered on 2 January 2025. It also reports in Backdoor found in two healthcare patient monitors, linked to IP in China that the US Cybersecurity and Infrastructure Security Agency (CISA) has warned that certain patient monitoring devices manufactured by Contec include a back door which sends patient data to a remote IP address. Contec is a China based company. These stories highlight the continuing need for companies to adopt a comprehensive and holistic approach to privacy protection.

The Data Breach Today story provides:

Six mega cybersecurity incidents led to a record 1.7 billion data breach notices going out to victims in 2024 – a dramatic 312% increase over the previous year. Among the mega-breaches, the Change Healthcare ransomware attack – the third-largest breach – continues to grow. The insurance company last week nearly doubled its estimated breach count to 190 million people.

Australian Privacy Commissioner gets a nice media makeover, er is the subject of deep insightful report the way it is currently done, over lunch

C’est chic to do an in depth piece over an extravagantly priced breakfast or lunch. Not only does the reader get to know something about the subject but we get an insight of what the movers and shakers are eating and where they congregate to consume. The Australian Financial Review has recently published a profile of Carly Kind, the recently appointed Privacy Commissioner. This is something of a first for Privacy Commissioners. The most recent Information Commissioners (who covered privacy), Timothy Pilgrim (a pleasant but through and through public servant) and Angelene Falk (a long serving deputy in the Office of the Australian Information Commissioner), were not media averse as such. But their media forays were relatively few and brief. Usually confined to an interview on the ABC or quotes for other media. Their speeches at conferences were safe and predictable and certainly not designed to shake up the woeful privacy culture in the Australian marketplace. Even by the grey standards of Australian regulators they were distinctly in the background. Which was a shame. Privacy issues did not get ventilated as much as they should have. That is perhaps understandable given the generally ineffective regulation and enforcement of the Privacy Act. To be fair the last few years have seen a marked improvement in enforcement but it has come off a low base and has not had a significant impact on the market yet. And to be fair Pilgrim and Falk were marked improvements on their predecessors.

Carly Kind has had a good start as Privacy Commissioner. A distinct uptick in enforcement action and more assertive commentary. That she has a pedigree largely outside the Australian Public Service is a huge advantage. She may be less hidebound by conservative self restraining litigation guidelines. We can only hope given she has been handed even more enforcement powers in the most recent amendments to the Privacy Act late last year. In this article she was candid in criticising poor public policy which has led to privacy invasive practices. As I have been writing about for years. She needs to bring high profile actions which put high profile privacy breaching companies into the media spotlight. This is a common approach of ASIC and the ACCC. That is the only way of changing the culture in the market place.

The article gives some restrained hope that the coming years will see more effective and high profile regulation of privacy breaches.  It is well overdue.

The article provides:

My lunch with the Australian Privacy Commissioner, Carly Kind, begins with a confession.

“I tried to stalk you on social media on my Uber on the way,” I say as she sits down at Manly’s Noon café, bike helmet in hand.

Looking up other people’s social media is something everyone does but no one should ever admit to, particularly not to the woman charged with protecting the nation’s privacy by upholding the Privacy Act of 1988.

Kind is taken aback and for a moment, I think I’ve blown it before we’ve even ordered a coffee, let alone lunch.

“Did you find anything interesting?” she responds after what feels like an age.

No. She is on Instagram and on Facebook. But both attempts to glean any information of value were foiled despite me being a Millennial journalist well versed in the art of lurking.

Privacy Commissioner Carly Kind admits she’s less idealistic about the role of regulation in protecting online privacy and worries one day big tech will decide not to obey the law.  

Her Instagram is set to private. Her Facebook isn’t locked but the only photo I can click on is of the back of her head. I did manage to deduce she has 737 Facebook friends, but there are no workplaces, relationships, or really any other information to show.

When I lament my efforts were dashed, she’s nonchalant, “I really don’t use Facebook these days, but I can’t get rid of it because of Marketplace.”

I feel seen immediately.


The UK Information Commissioner’s Office releases a code of practice for online services involving children

The most active form of regulation in privacy across the world now relates to protecting children and limiting the data taken from them and used by businesses. The UK Parliament passed the Online Safety Act 2023. The Act imposes new duties on social media companies and search services, making them more responsible for their users’ safety on their platforms. Those new duties include implementing systems and processes to reduce risks that their services are used for illegal activity, and to take down illegal content when it does appear. Regarding children, platforms are required to prevent children from accessing harmful and age-inappropriate content and provide parents and children with clear and accessible ways to report problems online when they do arise. The main regulator Ofcom has set out an age check guidance regarding accessing online pornography. The Information Commissioner has had a code of practice for some time regarding the development of age appropriate design for online platforms. The core of the code is 15 standards.

The 15 standards are:

1. Best interests of the child

2. Data protection impact assessments

3. Age appropriate application

4. Transparency

5. Detrimental