Peter A Clarke

The Department of Home Affairs is partly responsible for the Governments handling and regulation of cyber security. It has developed the 2023-2030 Australian Cyber Security Strategy. So it is all the more galling that it has reportedly suffered a data breach which has exposed visa and passport details. But there should not be too much surprise.  The Information Commissioner identified a trend of increasing attacks on a Government websites.  Government departments rely on and enjoy collecting masses of information.

The Australian article on the breach provides:

Cyber criminals have accessed sensitive visa and passport details, drivers’ licences and other personal information held by a data firm contracted by the ­Department of Home Affairs, which oversees Australia’s cyber security architecture and policy.

Visa-holders using the department’s Free Translating Service have been warned their visa application, grant and subclass numbers, full names, dates of birth, mobile numbers, email addresses, drivers licences and passports are compromised. Read the rest of this entry »

The Australian Information Commissioner has issued updated guidances of charities and other not for profit organisations,  Guidances are not regulations but they are very important.  Organisations which comply with the guidances and somehow still have a data breach or other form of interference with privacy may be able to argue that they have done all that was required of them.  The reality is that if more organisations focused on complying with guidances and standards there would be far fewer data breaches.  Clearly all investigations are fact specific and compliance with a guideline does not provide any sort of immunity.

The statement from the Commissioner provides:

The updated guidance includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.

In particular, the updated guidance includes discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors. This area is particularly topical in the wake of high-profile data breaches affecting charities and NFPs.

Privacy Commissioner Carly Kind said the guidelines aim to help charities navigate their privacy responsibilities when collecting and handling personal information, and understand their obligations under the Privacy Act.

“We know how critical trust is to the work of not-for-profits and charities, and how important good privacy practices are to that trust”. Read the rest of this entry »

The Personal Data Protection Commission of Singapore issued three undertakings on Orchid Hotel Pte Ltd, Absolute Telecom Pte Ltd and Hiap Seng Engineering Ltd stemming from ransomware attacks involving each of the companies.  The cause of those data breaches were due to insufficient IT security measures.  The attacks affected the personal data of over 690,000 individuals.

The Commission requires affected organisations to implement remediation plans to rectify the immediate breach and address any systemic shortcomings to ensure compliance with the PDPA on a continual basis, such as:

• Enforce a stricter password policy requiring strong and unique passwords for all accounts
• Implementing Multi-Factor Authentication (MFA)
• Engaging a DPE service provider to implement basic data protection and cybersecurity measures
• Conduct training sessions for employees to raise their awareness on data protection and cybersecurity best practices

On Monday the NAIC released its 29 page guide for ESG practitioners. to assist them in understanding and integrating artificial intelligence (AI) into their work. The guide advises on responsible AI use aligned with ethical goals and introduces a framework by CSIRO’s Data and Alphinity Investment Management for assessing AI’s impact on ESG and details 27 sector-specific AI use cases and highlights AI’s role in driving positive ESG solutions, including enhancing accessibility and reducing Read the rest of this entry »

The National Institute of Standards and Technology (“NIST”) has released a public draft of for the use of cryptography and transitioning to stronger cryptographic keys and algorithms.

The abstract provides:

NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. This publication provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms.

Interesting points Read the rest of this entry »

One of the key challenges with regulation of the internet is how to protect the interests, including privacy, of children which is effective. Protecting children covers a very broad spectrum of activities; protecting their personal information, shielding them from damaging images, minimising the adverse effects of social media on children’s mental and physical health, eradicating the transmission of explicit images from adults to children or children to children and stopping child pornography. It is difficult enough to regulate within a country let alone deal with extra territoriality. South Australia is considering banning social media for children. The report by ex Chief Justice French proposes a Children (Social Media Safety) Bill 2024 which imposes a positive obligation on social media platforms to prevent access to children under the age of 14. It is complex.

The UK – US has issued a statement on the protection of children on line.

The statement provides:

The United Kingdom and the United States share fundamental values and a commitment to democracy and human rights, including privacy and freedom of expression. Both the United Kingdom and the United States, alongside our international partners, are taking steps to support children’s online safety.

To make the internet safer for children, we should aim to ensure all users have the skills and resources they need to make safe and informed choices online and advance stronger protections for children. The United States and the United Kingdom intend to work with our national institutions and organisations to support these goals and shared values. To help further these aims, both countries plan to establish a joint children’s online safety working group to advance the aims and principles of this statement. Read the rest of this entry »

When it comes to poor data security practices and serious data breaches the police and health service providers are generally amongst the worst performers. Both have serious cultural problems in properly treating personal information confidential. Both often have serious system problems, especially with their IT. The UK Information Commissioner’s fine of 750,000 of the Police Service of Northern Ireland is the most recent example. Here the breach was the very common human error of uploading a document onto a webpage.  That happens quite regularly.  Here the document contained the personal information of all employees of the Northern Ireland Police Service.  The consequences were baleful.  The quality assurance processes failed.  While the personal information was viewable for only 3 hours the Police Service are working on the assumption that the information was accessed by dissident republications who would use to intimidate.

The media release provides 

We have fined Police Service of Northern Ireland (PSNI) £750,000 for exposing the personal information of its entire workforce, leaving many fearing for their safety.
Our investigation found that simple-to-implement procedures could have prevented the serious breach, in which hidden data on a spreadsheet released as part of a freedom of information request revealed the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff.
Mindful of the current financial position at PSNI and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.

Summary of the breach

On 3 August 2023, PSNI received two freedom of information requests from the same person via WhatDoTheyKnow (WDTK). The first asked for “… the number of officers at each rank and number of staff at each grade …”, the second asking for a distinction between “how many are substantive / temporary / acting …”.
The information was downloaded as an Excel file with a single worksheet from PSNI’s human resources management system (SAP). The data included: surnames and first name initials, job role, rank, grade, department, location of post, contract type, gender and PSNI service and staff number.

As the information was analysed for disclosure, multiple other worksheets were created within the downloaded Excel file. On completion, all visible onscreen worksheet tabs were deleted from the Excel file. The original worksheet, containing the personal details, remained unnoticed and this was also not picked up despite quality assurance. The file was subsequently uploaded to the WDTK website at 14:31 hours on 8 August.
PSNI was alerted to the breach by its own officers at approximately 16:10 hours the same day. The file was hidden from view by WDTK at 16:51 hours and deleted from the website at 17:27 hours.
Six days later, PSNI announced they were working on the assumption that the file was in the hands of dissident republicans and that it would be used to create fear and uncertainty and for intimidation.
John Edwards, UK Information Commissioner said: Read the rest of this entry »

AI presents a major regulatory challenge across a range of governmental and private activities. And that is especially the case with privacy. The UK Information Commissioner’s Office has issued detailed guidance and other resources on Artificial Intelligence. The US Federal Trade Commission raised issues on AI, by way of a Big Data report in 2016, by post in 2017, issued a guidance by way of Q & A in 2020 and a finding on the use of Artificial Intelligence In the Matter of DoNotPay, Inc. Matter Number 2323042 September 25, 2024. Which brings us to the Australian Information Commissioner’s release of AI guidance today. There are actually 2 guides, one on the use of commercially available AI products.  The second relates to developers using personal information to great AI models.

AI needs personal information to properly work.  Lots of it.  Each of the guides and highlight the care that needs to be taken in considering the operation of the Privacy Act when using and developing Artificial Intelligence.  

The media release provides:

The first guide Read the rest of this entry »

NIne News reports in ‘Am I justified?’: Homeowner installs CCTV camera pointing straight into neighbour’s backyard one homeowner installing a camera pointing into a neighbour’s yard. At the moment the legal options are cumbersome and generally ineffective. There is no tort of harassment and it would be difficult to successfully argue nuisance and not possible to argue trespass. A tort of interference with privacy would however deal with such egregious conduct. As the story makes clear the Privacy Act does not apply. No so in the UK where the Information Commissioner does have powers and has issued a guidance as to the placement of CCTVs. The Commissioner has stated in summary that:

Where possible owners should position their cameras to only capture their own property. However, if this isn’t possible and the CCTV captures someone else’s property, a public area or communal space, then data protection law applies. This is because CCTV can capture images and voices of other people, and this counts as their personal information.

It is not theoretical.  In 2021 the UK in Dr Mary Fairhurst -v- Mr Jon Woodard an Oxford County Court ordered the defendant to pay 100,000 pounds for breach of the Data Protection Act in collecting Read the rest of this entry »

In the digital age the common belief is that data breaches involve a cyber attack, disclosure of information on a web site or by an errant email. As the ABC reports in Documents containing personal information of NT residents found dumped in bushland in Darwin rural area data breaches can, and often does, occur through documents being left in public. There have been many instances of records being left in filing cabinets that are then offered for sale, medical records being stored and forgotten or documents being left in public.

In the most recent example the documents left in the bush contained personal information including medical and bank records and phone numbers.  This may constitute a breach of the Privacy Act 1988 by the entity that collected then didn’t dispose of the documents properly.  In this case it involved records created by the Northern Territory Government.

Document management, either in hard or soft copy form, is critically important and quite straightforward if there is decent training and a workable system.  Businesses often do not regularly review what documents they have and ask themselves why they still have personal information that they don’t need.  Medical practices are notorious for holding records of long since deceased patients or individuals who have moved to other doctors or left the Read the rest of this entry »