Australian Government publishes policy for responsible use of Artificial Intelligence. Comes into force on 1 September 2024

August 17, 2024

The Australian Government has published a 19 page policy for the responsible use of AI. It comes into force on 1 September 2024.

The recommended actions include:

  • training staff on AI fundamentals taking into account roles and responsibilities such as employees involved in procurement, development, training, and deployment of AI;
  • make publicly available a statement outlining their approach to AI adoption, including information on compliance with the policy, measures to monitor the effectiveness of deployed AI systems, and efforts to protect the public against negative impacts; and
  • designate accountable officials for implementation of the policy within their organization, who:
    • are the contact point for whole-of-government AI coordination;
    • must engage in whole-of-government AI forums and processes; and
    • must keep up to date with changing requirements as they evolve over time.

The key principles of the policy are aimed at :

  • Australians are protected from harm;
  • AI risk mitigation is proportionate and targeted; and
  • AI use is ethical, responsible, transparent and explainable to the public.

The the press release is found here and the policy here.

The press release provides:

The Australian Government needs a coordinated approach if it’s to embrace the opportunities of AI. The Digital Transformation Agency has released the Policy for the responsible use of AI in government, an important step to achieve this goal while building public trust.

Coming into effect 1 September 2024, the Policy for the responsible use of AI in government positions the Australian Government to be an exemplar of safe, responsible use of AI.

Designed to evolve with technology and community expectations, it sets out how the Australian Public Service (APS) will:

  • embrace the benefits of AI by engaging with it confidently, safely and responsibly
  • strengthen public trust through enhanced transparency, governance and risk assurance
  • adapt over time by embedding a forward-learning approach to changes in both technology and policy environments.

‘This policy will ensure the Australian Government demonstrates leadership in embracing AI to benefit Australians,’ states Lucy Poole, General Manager for Strategy, Planning, and Performance.

‘Engaging with AI in a safe, ethical and responsible way is how we will meet community expectations and build public trust.’

Enable, engage and evolve

The policy is driven by the ‘enable, engage and evolve’ framework to introduce principles, mandatory requirements and recommended actions.

Enable and prepare

Agencies will safely engage with AI to enhance productivity, decision-making, policy outcomes and government service delivery by establishing clear accountabilities for its adoption and use.

Every agency will need to identify accountable officials and provide them to the DTA within 90 days of the policy effect date.

Engage responsibly

To protect Australians from harm, agencies will use proportional, targeted risk mitigation and ensure their use of AI is transparent and explainable to the public.

Agencies will need to publish a public transparency statement outlining their approach to adopting and using AI within 6 months of the policy effect date.

Evolve and integrate

Flexibility and adaptability are necessary to accommodate technological advances, requiring ongoing review and evaluation of AI uses, and embedding feedback mechanisms throughout government.

Supporting agencies standards and guidance

To help implement the policy, the DTA has published a standard for accountable officials (AOs) to lead their agency to:

  • uplift its governance of AI adoption
  • embed a culture that fairly balances risk management and innovation
  • enhance its response and adaptation to AI policy changes
  • be involved in cross-government coordination and collaboration.

‘We’re encouraging AOs to be the primary point of partnership and cooperation inside their agency and between others,’ outlines Ms Poole.

‘They connect the appropriate internal areas to responsibilities under the policy, collect information and drive agency participation in cross-government activities.’

‘Whole-of-government forums will continue to support a coordinated integration of AI into our workplaces and track current and emerging issues.’

The DTA will also soon release a standard for AI transparency statements, setting out the information agencies should make publicly available such as the agency’s:

  • intentions for why it uses or is considering adoption of AI
  • categories of use where there may be direct public interaction without a human intermediary
  • governance, processes or other measures to monitor the effectiveness of deployed AI systems
  • compliance with applicable legislation and regulation
  • efforts to protect the public against negative impacts.

‘Statements must use clear, plain language and avoid technical jargon,’ stresses Ms Poole.

Further guidance on additional opportunities and measures will be issued over the coming months.

Continuing our significant work on responsible AI

The last 12 months saw important work to better posture the APS for emerging AI technologies including the AI in Government Taskforce, co-led by the DTA and Department of Industry, Science and Resources (DISR), which concluded on 30 June 2024. 

The taskforce brought together secondees and stakeholders from across the APS for an unprecedented level of consultation, collaboration and knowledge-sharing. Its outputs directly informed this new policy and even more, continuing work to ensure a consistent, responsible approach to AI by government.

‘Our AI in Government Taskforce was crucial in demonstrating that we need a centralised approach to how government embraces AI, if it wishes to mitigate risks and increase public trust,’ states Ms Poole.

Victorian Information Commissioner launches an investigation into the University of Melbourne for using surveillance technology against students who were involved in a campus sit in

August 15, 2024

Last month the Office of the Victorian Information Commissioner was conducting preliminary enquiries with the University of Melbourne regarding the use of its surveillance technology to identify and bring misconduct hearings against students who undertook Pro Palestine sit ins. In July the University released a statement under the heading Conflict in the Middle East and activism on campus where it stated that “Last month the Office of the Victorian Information Commissioner was conducting preliminary enquiries with the University of Melbourne regarding the use of its surveillance technology to identify and bring misconduct hearings against students who undertook Pro Palestine sit ins. In July the University released a statement under the heading Conflict in the Middle East and activism on campus where it stated that it ” University of Melbourne”.. is a diverse, multi-cultural and multi-faith community..”, it “has a duty to uphold the principles of academic freedom and freedom of speech, and respect for legitimate and peaceful protest is core to our university’s values, as well as an activity protected by law”, it “operates fairly and in accordance with the law. Our policies also provide the basis for addressing actions or behaviours that adversely affect other members of the University community” and “to understand and implement appropriate support for students and graduate researchers during this time, with an increase in provisions for health and wellbeing, assessments, and safety on our campuses.” Waffly boilerplate that many organisations cobble together to cover and justify other activities and mask other behaviours not so consistent with the principles of the Enlightment which Universities should use as a touchstone. Such as using surveillance technology to bring action against students for conducting a sit in. As a result of disciplinary hearings 21 students received warnings. OVIC has now confirmed that it will launch an investigation into the University of Melbourne under the Privacy and Data Protection Act 2014.

The confirmation was reported by the Australian in “OVIC to probe Melbourne Uni over student surveillance” which provides:

The Office of the Victorian Information Commissioner will launch an investigation into the University of Melbourne after the academic institution used surveillance technology to gather evidence against students involved in a sit-in at a campus building.
Last month OVIC confirmed it was conducting preliminary enquiries with the university.
Victorian Information Commissioner Sean Morrison on Thursday confirmed the office has now decided to escalate the matter.
“Following conducting preliminary inquiries, the Privacy and Data Protection Deputy Commissioner has decided to commence an investigation under the Privacy and Data Protection Act 2014,” he said in a statement to The Australian.
“Given this is an active matter OVIC is unable to comment further until the investigation has concluded.”
In July, 21 students faced misconduct hearings before senior university representatives.
The students were notified of the disciplinary proceedings when the university sent them an email informing them they had breached its code of conduct during demonstrations and cited evidence from CCTV footage and Wi-Fi data obtained from the university’s network tracking their movements within the Arts West building during the 10-day sit in. Read the rest of this entry »

The UK Information Commissioner fines Advanced Computer Software Group Ltd (Advance) 6 million pound fine after 2022 ransomware attack that disrupted NHS

August 10, 2024

Cyber attacks on service providers working for large institutions, especially in the health sector, are common. Health Services often contract out IT services, as they did with Advanced Computer Software Group Ltd (Advanced). Unfortunately organisations and agencies spend insufficient time in ensuring that those contractors maintain adequate cyber protections and proper training regimes for their staff. Advanced provided IT services and handled personal information collected by the UK National Health Service in its capacity as a data processor. In August 2022 Advanced was hit with a ransomware attack which also involved personal information of 82,946 people being exfiltrated. NHS was impacted in not being able to access patient records. The ICO has announced that it will fine Advanced 6.09 million pounds.

The announcement provides:

We have provisionally decided to fine Advanced Computer Software Group Ltd (Advanced) £6.09m, following an initial finding that the provider failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.  

Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor. Read the rest of this entry »

FTC commences an action against Tik Tok and Byte Dance for violating Children’s Privacy Law and against Tik Tok for infringing an existing consent order

August 6, 2024

The FTC, through the Department of Justice, has commenced an action against the video-sharing platform TikTok, and its parent company ByteDance,alleging that they flagrantly violating Children’s Online Privacy Protection Act.  The FTC also alleges Tick Tok infringed an existing FTC 2019 consent order against TikTok for violating COPPA shortly after it went into effect. The FTC also allege that two TikTok entities (previously Musical.ly and Musical.ly Inc., which ByteDance acquired in 2017 and renamed) agreed to the terms of the order to settle allegations that they violated the COPPA Rule by unlawfully collecting personal information from children under the age of 13.

The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.

The Press Release provides:

On behalf of the Federal Trade Commission, the Department of Justice sued video-sharing platform TikTok, its parent company ByteDance, as well as its affiliated companies, with flagrantly violating a children’s privacy law—the Children’s Online Privacy Protection Act—and also alleged they infringed an existing FTC 2019 consent order against TikTok for violating COPPA.

The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.

“TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina M. Khan. “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.” Read the rest of this entry »

Texas Attorney General secures 1.4 billion dollar settlement over unauthorised collecting of personal biometric data

On July 30, 2024, the Office of the Attorney General of Texas (AG) announced that Texas has obtained a $1.4 billion settlement, payable over 5 years, with Meta Platform Inc. over the unauthorized capture and use of personal biometric data of Texans under the Texas Capture or Use of Biometric Identifier Act (CUBI). In 2011, Meta released and automatically activated a feature allowing users to ‘tag’ photographs with the names of people on the photo, as well as ran facial recognition software on every face in the photographs uploaded to Facebook, capturing records of the facial geometry of anindividual. In February 2022, the AG sued Meta for unlawfully capturing the biometric data of millions of Texans without obtaining their informed consent. The story has been reported by Reuters

The press release Read the rest of this entry »

Global privacy sweep finds that nearly all of 1,000 websites and mobile apps tested use deceptive design patterns

July 20, 2024

The Privacy Commissioner in GPEN Sweep finds majority of websites and mobile apps use deceptive design to influence privacy choices to highlight the results of annual Global Privacy Enforcement Network. The GPEN issued a press release on this with 2024 GPEN Sweep on deceptive design patterns. The sweep highlights the poor design, intentional or not, which frustrates users in either finding out what happens to their personal information or determining their rights via privacy policies.  Unfortunately regulators do not take a strong enough position on incomprehensible privacy policies or complex processes designed to thwart individuals which organisations comply with legislation. 

The GPEN media statement provides:

A global privacy sweep that examined more than 1,000 websites and mobile applications (apps) has found that nearly all of them employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions. Read the rest of this entry »

Medisecure reveals that data breach earlier this year resulted in the theft of personal information of 12.9 million Australians. That makes the need for proper reform of the Privacy Act even more urgent

July 19, 2024

The numbers used to be staggering. Thousands, then hundreds of thousands of records taken in this or that cyber attack. Now the administrator of Medisecure Ltd and the liquidators of Operations MDS Pty Ltd made a statement that the personal information of 12.9 million Australians has been compromised (fancy word for stolen). This prompted the Department of Home Affairs curating that statement into its own press release. This has been followed by reports on the ABC and the Guardian. As with many health related services the personal information collected is both voluminuous and comprensive.  It included individuals:

  • full name;
  • title;
  • date of birth;
  • gender;
  • email address;
  • address;
  • phone number;
  • individual healthcare identifier (IHI);
  • Medicare card number, including individual identifier, and expiry;
  • Pensioner Concession card number and expiry;
  • Commonwealth Seniors card number and expiry;
  • Healthcare Concession card number and expiry;
  • Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry;
  • prescription medication, including name of drug, strength, quantity and repeats; and
  • reason for prescription and instructions.

The administrator and liquidator’s statement relevantly Read the rest of this entry »

AT & T lose 109 million US customer accounts from illegal download

July 15, 2024

Another telco has suffered a data breach according to Itnews reports in AT&T says data from 109 million US customer accounts illegally downloaded.  The pattern is very familiar, exfiltration of files via a weakness in the system over a few days.  What is also Read the rest of this entry »

AI Models using images of Australian children without their consent (meaning parent’s) consent

July 6, 2024

AI models and programs needing vast data on individuals, such as facial recognition technology, needs vast troves of data to be effective. Hoovering up that data has been the business model of companies in those fields. The level of discrimination has been low and respect for the privacy of those whose data is used has generally been non existent. This is highlighted in an ABC piece The world’s biggest AI models were trained using images of Australian kids, and their families had no idea.

The genesis of the ABC story is a report by Human Rights Watch titled Australia: Children’s Personal Photos Misused to Power AI Tools.

The article provides:

In short:

Images of Australian children were found in a dataset called LAION-5B, which is used to train AI.

The images have since been removed from the dataset, but AI models are unable to forget the material they’re trained on, so it’s still possible for them to reproduce elements of those images, including faces, in their outputs.

What’s next?

The federal government is expected to unveil proposed changes to the privacy act next month, including specific protections for children online.

Read the rest of this entry »

Australian Government signals that small business exemption will be retained in any Privacy Act amendment

July 3, 2024

Privacy reform is no easy task in Australia. Even when the need is clear. The Australian in Privacy relief set for small business reports that the small business exemption will likely be retained in any amendments to the Privacy Act. The Government says it will introduce a Bill in the August session of Parliament. The story relies on “sources” informing the reporter. The story is a classic informal signalling of intention by the Government without it making any announcement. It is a tried and true way method of setting the agenda and dealing with possible unwelcome commentary prior to the bill being introduced. It is all about politics, nothing about policy.

The retention of the small business exemption is a retrograde step. It makes little legal and policy sense.  The collection of data and the impact of a data breach or other interferences with privacy is not related to the size of an organsiation.  An arbitrary cut off of a $3 million dollar turnover determining whether an an organisation is required to comply with the Privacy Act or not never made much sense when introduced.  It makes less sense now given that a “small business” can collect and use more  data than an organisation covered by the Act.  It is more dependent on the type of business and its emphasis on data collection. 

In its massive 3 volume report, For your Information, the Australian Law Reform Commission specifically recommended removing the small business exemption.  In its executive report it stated:

The ALRC recommends that the number of exemptions be reduced—in particular, the existing exemptions for small business, employee records and registered political parties should be removed.

and

The small business exemption

When the provisions of the Privacy Act were extended to cover the private sector in December 2000, an exemption was granted to small businesses (including not-for-profit organisations) with an annual turnover of $3 million or less.[11] The exemption was explained, at that time, by the desire to achieve widespread acceptance for privacy regulation from the private sector, and a reluctance to impose additional compliance burdens on small businesses.

No other comparable jurisdiction in the world exempts small businesses from the general privacy law—and the European Union specifically has cited this unusual exemption as a major obstacle to Australia being granted ‘adequacy’ status under the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the EU Directive).[12]

The business community argued strongly for the retention of the exemption, primarily on the basis of the cost of compliance. However, almost all other stakeholders supported removal of the exemption arguing that there is no compelling justification for a blanket exemption for small businesses, as consumers have the right to expect that their personal information will be treated in accordance with the privacy principles.

The ALRC recommends that this exemption be removed. This would bring Australian privacy laws into line with laws in similar jurisdictions, such as the United Kingdom (UK), Canada and New Zealand, and could facilitate trade by helping to ensure that Australia’s privacy laws are recognised as ‘adequate’ by the European Union. The removal of the small business exemption would have the additional benefits of simplifying the law and removing uncertainty for many small businesses that have difficulty establishing whether they are required to comply with the Privacy Act.

The ALRC appreciates that the removal of the small business exemption will have cost implications for the sector—although nowhere near as great as is sometimes predicted.[13] An independent research study commissioned by the ALRC indicated that a lower proportion of organisations will be affected—since not all small businesses collect personal information from customers—and the costs should be considerably more modest—about $225 in start-up costs and $301 per year thereafter for each small business—than the predicted $842 and $924 per year respectively cited in the Office of Small Business costing.[14] Further, the ALRC is confident that additional savings will be achieved by the substantial simplification and harmonisation of privacy laws recommended in this Report.

Nevertheless, the ALRC remains attentive to the economic concerns of small business owners, and recommends a number of other initiatives aimed at supporting small businesses and minimising the compliance burden. Before the exemption is removed, the OPC should provide support to small businesses to assist them in understanding and fulfilling their obligations under the Privacy Act. This should include a national hotline for small businesses, education materials and templates to assist in preparing privacy policies.

If anything the need to remove the exemption now is greater than it was Read the rest of this entry »