Best privacy Apps

August 9, 2013

Background Checks has listed the best apps to protect one’s mobile device.  The post is found Read the rest of this entry »

Privacy Commissioner releases guidelines for external dispute resolution schemes under section 35A of the Privacy Act 1988

August 8, 2013

Last week, on 1 August, the Office of the Information Commissioner commenced the consultation process for Guidelines for recognising external dispute resolution schemes under section 35A of the Privacy Act 1988.  The Privacy Commissioner’s online post is found here.  The consultation process closes on 30 August 2013.

The draft guidelines relevantly provide as follows:

Key messages

  1. In developing these guidelines, the Information Commissioner acknowledges the expertise and experience of existing industry external dispute resolution (EDR) schemes, and the important role these schemes play alongside the Office of the Australian Information Commissioner (OAIC) in relation to privacy complaint handling.
  2. The Information Commissioner also acknowledges that there are a range of existing recognition mechanisms for those schemes, and the importance of not unduly burdening existing schemes where their existing recognition mechanism generally covers the same matters required by the Privacy Act 1988 (the Privacy Act) for recognition.
  3. Recognition of an EDR scheme is undertaken by the Information Commissioner under s 35A of the Privacy Act. EDR schemes must demonstrate their accessibility, independence, fairness, accountability, efficiency and effectiveness to be recognised by the Information Commissioner. The recognition requirements, as set out in s35A, are based on the Benchmarks for Industry Based Customer Dispute Resolution Schemes developed in 1997 by the then Australian Government Department of Industry, Science and Tourism. Most existing EDR schemes are required to, or do, design their operations in accordance with these benchmarks.
  4. To be recognised under the Privacy Act, EDR schemes should also meet additional requirements in relation to privacy-related complaints. In most cases existing schemes handling privacy complaints will already be meeting most of these additional requirements.
  5. Additional requirements for recognition of an EDR scheme under the Privacy Act involve accountability, reporting and regular reviews. Again, most existing schemes will already be subject to similar requirements from their existing recognition mechanism. Wherever possible these existing requirements can be utilised by existing schemes in relation to the requirements under these guidelines. Some additional supplementary requirements may be required for ongoing Privacy Act recognition.
  6. The detail in these guidelines should generally assist a proposed new EDR scheme which is not already recognised under another recognition scheme, and/or does not have a statutory basis for their operation, in seeking recognition under the Privacy Act to understand the full extent of what is required for initial and ongoing recognition.

Part 1 – Purpose and objectives of the guidelines

The purpose of these guidelines

1.1 The Office of the Australian Information Commissioner (OAIC) developed these guidelines to assist external dispute resolution (EDR) schemes to understand:

Age journalists apologise for unauthorised access to ALP database

August 6, 2013

Today 3 journalists, Royce Millar, Nick McKenzie and Ben Schneiders, have penned a letter of apology on page 2 of the Age. It is found here. The Herald Sun reported (no doubt very reluctantly) on the three having their cases diverted and therefore they are released without conviction and a good behaviour bond of 12 months.

The apology provides:

In November 2010, while researching a story for The Age newspaper, we the undersigned journalists accessed the ALP’s Electrac database without authorisation.

The focus of the story, published on 23 November 2010, was upon databases maintained by political parties, which contain private information concerning voters, and how that information is used for election campaigning. The Electrac database is such a database. Other political parties have similar databases.

We were able to access Electrac through the use of passwords provided to one of the undersigned. We accept that we did not have authorisation Read the rest of this entry »

Federal Trade Commission obtains orders halting debt collection operation which violated consumers’ privacy

August 2, 2013

The Federal Trade Commission in Federal Trade Commission, Plaintiff v. Asset & Capital Management Group & ors  obtained a restraining order against defendants using illegal practices against consumers, including interfering with their privacy.  The orders are found here.

The Federal Trade Commission’s press release, At FTC’s Request, Court Orders Halt to Debt Collector’s Illegal Practices, Freezes Assets, relevantly provides:

At the request of the Federal Trade Commission, a U.S. district court has halted a debt collection operation that allegedly extorted payments from consumers by using false threats of lawsuits and calculated campaigns to embarrass consumers by unlawfully communicating with family members, friends, and coworkers.  The court order stops the illegal conduct, freezes the operation’s assets, and appoints a temporary receiver to take over the defendants’ business while the FTC moves forward with the case.

The lawsuit Read the rest of this entry »

Privacy Amendment (Privacy Alerts) Bill 2013 to lapse

June 30, 2013

Last week was the scheduled final sitting week of this Parliament.  It is due to be prorogued in either August or September.

As such, any bills not passed by both Houses of Parliament will lapse.  That seems to be the fate of the Privacy Amendment (Privacy Alerts) Bill 2013.  The political drama had its effect upon the legislative schedule.

It will be for the next Parliament to introduce this Bill or a facsimile of it, if it is so minded.  A new Parliament is a legislative tabula rasa.

Most businesses transferring data to the cloud according to report

June 29, 2013

Data storage in the cloud is ubiquitous.  Proper protection of that data is less so.

According to research (see report here) conducted by the Ponemon Institute, based on a survey of 4,205 business and IT managers in the US, UK, Germany, France, Australia, Japan and Brazil, 53% of businesses transfer sensitive or confidential data to the cloud.

More than a third of organisations (37%) encrypt the data temporarily as it is transferred across the network onto a cloud computing service. Thirty-one per cent said that the data is encrypted “persistently before it is transferred to the cloud provider, such that it remains encrypted within the cloud”, according to the report, while 22% said that data encryption occurs when the information is in the cloud.

 

Lysaght Building Solutions Pty Ltd v Blanalko Pty Ltd [2013] VSCA 158 (24 June 2013): Summary Judgment, section 63 of Civil Procedure Act

June 26, 2013

The Victorian Court of Appeal in Lysaght Building Solutions Pty Ltd v Blanalko Pty Ltd [2013] VSCA 158 considered the test for summary judgment under section 63 of the Civil Procedure Act 2010.

At [35] the Majority (Warren CJ and Nettle JA) stated the test as:

a) the test for summary judgment under s 63 of the Civil Procedure Act 2010 is Read the rest of this entry »

Senate Standing Committees on Legal and Constitutional Affairs endorses the Privacy Amendment (Privacy Alerts) Bill 2013

June 25, 2013

The Senate Standing Committees on Legal and Constitutional Affairs has reported on the Privacy Amendment (Privacy Alerts) Bill 2013.  The Committee endorsed the Bill.

The report relevantly provides (absent footnotes, introduction and appendices):

RECOMMENDATION
Recommendation 1
2.30 The committee recommends that the Senate pass the Bill.

CHAPTER 1
INTRODUCTION
1.1 On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (Bill) was introduced into the House of Representatives by the Attorney-General, the Hon. Mark Dreyfus QC MP. On 17 June 2013, the Bill was introduced into the Senate and was referred on 18 June 2013 to the Legal and Constitutional Affairs Legislation Committee (committee) for inquiry and report by 24 June 2013.
Background to the Bill
1.2 In his second reading speech, the Attorney-General Read the rest of this entry »

Bills digest of the Privacy Amendment (Privacy Alerts) Bill 2013

June 23, 2013

The Parliamentary Library has prepared a Bills Digest on the Privacy Amendment (Privacy Alerts) Bill 2013.  It is found here.

As usual it is an excellent resource. It provides:

Structure of the Bill

The Bill contains one Schedule of amendments to the Privacy Act. The main amendment in Schedule 1 is item 4 which inserts a new Part IIIC, titled ‘Data breach notification’, into the Privacy Act following existing Part IIIB. This new Part contains the substantive elements of the mandatory data breach notification provisions, which apply to entities that are regulated by the Privacy Act.

The new Part IIIC is divided into three Divisions. Broadly, the first Division sets out when a ‘serious data breach’ will have occurred, the second Division contains obligations for entities to notify of that serious data breach, subject to certain exceptions. The third Division concerns general matters including relevant definitions specific to Part IIIC and application provisions.

Background

Data breach notifications

As the Explanatory Memorandum notes, mandatory data breach notification commonly refers to:

… a legal requirement to provide notice to affected persons and the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons. Such unauthorised access may occur following a malicious breach of the secure storage and handling of that information (e.g. a hacker attack), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise.

Data breach notification is Read the rest of this entry »

Submissions received by the Legal and Constitutional Affairs Committee regarding the Privacy Amendment (Privacy Alerts) Bill 2013

June 22, 2013

The Committee has received 20 submissions to the Bill.  That is impressive given there were effectively 2 days from referral to the cut-off for lodging submissions.

The submissions are:

Fundraising Institute Australia.

Opposed. It says, in part:

… the Fundraising Institute Australia believes that insufficient consideration has been given to the effect which mandatory data breach notification would have on charities and not-for-profit organisations. Government decision-makers seem unaware that fundraisers use extensive donor databases in the same way as business organisations do.

………

The additional burden and cost of Read the rest of this entry »