Chapter 7 of the Attorney Generals’ Report into the Privacy Act 1988 considers the employee records exemption in the Privacy Act 1988. The employee records exemptionwas considered at length by the Australian Law Reform Commission in its 2008 Report on the Privacy Act 1988 (Report 108, For your information).  The Australian Law Reform Commission unequivocally recommended that the it be removed by the repeal of section 7B(3) of the Privacy Act.  Unfortunately this Report has ummed and ahhed in face of vociferous and largely spurious objections by employer bodies who wish to retain the exemption come what may.  As a result the Proposal is far from unequivocal and seeks to find a half way house of improving privacy protections of those records but not entirely removing the exemption.  It also wants further consultation. Because years and years of consultation is not enough.  It is a very disappointing chapter.  Not as poorly analysed as the small business exemption but not good nevertheless.

The exemption applies to an act or practice of an organisation that is or was an employer as it directly related to its employment relationship with an individual.  In that circumstance an employee record it holds relating to the individual is exempt.  As the exemption applies to acts or practices of ‘organisations’ it covers non-public sector entities in their capacity as employers or former employers.  It does not extend to ‘agencies’.

As with the small business exemption the basis for this exemption is based on flawed assumptions and poor public policy.  Here the rationale was that the ‘handling of employee records is a matter better dealt with under workplace relations legislation.’

The exemption has led to anomolous outcomes.  The exemption applies even in relation to  the National Data Breach Notification scheme;.  As such any data breach involving personal information of employees in an employee record  is not subject to the scheme’s reporting requirements.

The Discussion Paper questioned Read the rest of this entry »

Any opportunity to highlight the need to take privacy seriously and comply with the law should be embraced.  Privacy Awareness Week has been a feature of the privacy calendar for many years now.  It is low key but has been known to get some press from time to time.  It provides little insight to lawyers or privacy practitioners.

The message from the Commonwealth Information Commission Read the rest of this entry »

Enforcement of breaches of the GDPR should be of interest to Australian practitioners if the mooted reforms to the Privacy Act occur.  If the Commissioner is properly funded and changes temperament there could be real enforcement activity.  The European Data Protection Supervisor recently responded to the European Commission’s initiative to further specify procedural rules for enforcement of the GDPR.

The amended rules highlights that the need for effective and efficient cooperation exists in cases where personal data moves from EU institutions, bodies, offices, and agencies (‘EUIs’) to public bodies or private entities, and vice-versa. The focus is Read the rest of this entry »

Chapter 6 of the Attorney Generals’ Report into the Privacy Act 1988 considers the small business exemption of the Act. The small business exemption was considered at length by the Australian Law Reform Commission in its 2008 Report on the Privacy Act 1988 (Report 108, For your information).  The Commission was quite explicit then about the small business exemption, that the small business exemption was not necessary or justifiable. The Information Commissioner and a majority of submitters called for the removal of the exemption.

The Report recommends against removing the small business exemption until a long and convoluted process of analysis and consultation with small business, who have been adamantly resistant to any removal of said exemption.  All of this would happen after the other reforms proposed are implemented.  So there will be a second act to this ongoing drama except it has no end date.  It is hard to come to any other conclusion that this part of the Report is the product of poor analysis which may potentially result in a failure of public policy if it is implemented.  How could the authors of this report get it so wrong given the previous analysis by the Law Reform Commission, the overwhelming weight of submissions and cold hard logic?  It may be that there is more politics than law in the drafting of this Chapter and its recommendations.

Australian Law Reform Commission stated, absent footnotes:

39.181 After carefully reviewing stakeholder views, international experience, and the commissioned research, the ALRC concludes that the exemption for small business is neither necessary nor justifiable.

39.182 Associate Professor Moira Paterson has offered a counter to the argument that the requirement to comply with the Privacy Act constitutes a substantial compliance burden. She noted that the costs of compliance on businesses are likely to be significant only where businesses have poor record-keeping practices—citing evidence from Quebec that implementing data protection measures may in fact result in cost reduction or increased productivity due to improved information-handling practices. Furthermore, Paterson observed that, in New Zealand,

the limited information available to date does not suggest that the cost of implementation has been a major problem. For example, the New Zealand Real Estate Institute commented in 1994 that, while the passing of the Privacy Act 1993 (NZ) would have a considerable impact on the manner in which the industry might deal with personal information, it did not expect that there would be any significant cost of compliance; what was required was common sense and fair dealing.

39.183 While cost of compliance with the Privacy Act is an important consideration, this factor alone does not provide a sufficient policy basis to support the small business exemption. The fact that no comparable overseas jurisdictions—including the United Kingdom, Canada and New Zealand—have an exemption for small businesses is indicative. Read the rest of this entry »

A data breach is just the start of an organisation’s problem. Regulators become involved, there is a need for a major organisational review, new hires of experts and a few fires of those who did not do their job properly. And then there is the litigation., In 2022 IBM released a very influential report titled Cost of a data breach 2022.

Some of the findings were:

• 83% of organizations studied have had more than one data breach
• 60% of organizations’ breaches led to increases in prices passed on to customers
• 79% of critical infrastructure organizations didn’t deploy a zero trust architecture.
• 19% of breaches occurred because of a compromise at a business partner
• the average total cost of a data breach was USD 4.35 million
• Average cost of a ransomware attack, not including the cost of the ransom itself is USD 4.54 million
• Average difference in cost where remote work was a factor in causing the breach versus when it wasn’t a factor is $1 million
• healthcare cost industry for data breaches. This was followed by the financial , pharmaceutical, technology and energy industries. The average cost was to USD 10.10 million
• the average time to identify and contain a data breach was 277 days.
• Average cost of a breach for organizations with high levels of compliance failures was USD 5.57 million
• Average total cost for breaches of 50 million to 60 million records was USD 387 million
• with data breaches involving  20 million to 30 million records was USD 241 million.

Today Medibank advised via a media release titled Cybercrime update – Deloitte incident review

The release Read the rest of this entry »

The Victorian Supreme Court in Re Lifestyle Residences Hobsons Bay Pty Ltd (recs & mgrs apptd) [2023] VSC 179 considered a range of issues; whether a director can bring an application when receivers appointed, the operation of section 109X(1)(a) of the Act and the calculation of service. it makes it clear that there is an immutability of filing an application out of time making the application is a nullity.

FACTS

The facts relating to service were:

• on 22 November 2022, Ms Celia Luki, the solicitor with carriage of the matter for the defendant, ascertained the registered office address of the Company from an Australian Securities and Investments Commission (‘ASIC’) company search [35].
• Luki requested the Office Services Clerk in her firm in Redfern, New South Wales, to organise for the documents to be couriered to Melbourne for delivery to the registered office address.
• a Client Services Assistant at McCullough Robertson received Luki’s instructions on the service of the statutory demand in the sum of $213,166.89 in an email forwarded to her by the Office Services Clerk, who also provided the statutory demand and accompanying affidavit.
• the assistant logged into the Toll Priority (Aus) system and inputted those details, recording Luki’s email address as the contact person to receive email updates on the progress of the delivery of the demand. She printed a label from the Toll system, which included all of the recipient’s details which she affixed the label onto a Toll Express Services priority satchel and obtained a tracking number and manifest document.
• in the afternoon of 22 November 2022, a courier from Toll attended the McCullough Robertson office and collected the sealed envelope and two copies of the manifest document [35]
• on 16 December 2022 the tracking log records the documents were delivered to the company at the registered office address on 23 November 2022 at 9:46am. The proof of delivery document clearly records the registered office at which delivery occurred and the signature of Paula accepting delivery of the envelope [36]. Paula was a receptionist an accounting firm engaged by the company, whose business address is the registered office address of the company.
• Paula was unsure who to forward the demand to and sought confirmation from her principal, Mr Sam Cimino. However, because Cimino was extremely busy that day, she was only able to email him and unable to speak to him in person [37].
• on 24 November 2022, Paula had a discussion with Cimino, who instructed her to immediately send the statutory demand to Mr Burgess, Mr Dale Harrison and Mr Peter Van De Steeg, who are nominated contact people at the company. 
• Paula emailed the nominated people at the company, attaching an electronic copy of the statutory demand but erroneously stated the demand had arrived by courier at the registered office address on 24 November 2022 when, in fact, it was delivered by courier the day prior [38]. 

Read the rest of this entry »

In the United States statutory protections of privacy tend to be state based. There have been attempts to pass Federal privacy legislation. The latest attempt is the reintroduction of the Online Privacy Act by Californian Democratic Representatives Anna G Eshoo and Zoe Lofgren. Given Republications control the House of Representatives it will be interesting to see whether it is passed in the House of Representatives. Even if it is not successful it is but the latest in a series of attempts to provide proper nationwide privacy coverage.

The Bill was introduced as part of House Resolution 2701 and described as the Online Privacy Act of 2023 (‘OPA’).  The stated intention is to:

• provide for individual rights relating to privacy of personal information, 
• establish privacy and security requirements for covered entities relating to personal information,
• establish an agency to be known as the Digital Privacy Agency to enforce such rights and requirements.

The Act would:

• regulate any entity, including non-profits and common carriers, that intentionally collects, processes, or maintains personal information and transmits personal information over an electronic network.
• provide several data subject rights, primarily the right:
  • of:
    • access,
    • rectification,
    • deletion,
    • portability,
    • impermanence which would mandate that organisations may not maintain a category of personal information for longer than expressly consented to by the individual
  • to:
    • human review of automated decisions,
    • to be informed, .
• impose obligations on organisations being to:
  • articulate the need for and minimise the user data they collect, process, disclose, and maintain;
  • minimise employee and contractor access to user data;
  • not disclose or sell personal information without explicit consent;
  • not use third-party data to re-identify individuals;
  • not use private communications (e.g. emails and web traffic) for ads or other invasive purposes;
  • not process data in a way that violates civil rights (e.g. employment discrimination);
  • use objectively understandable privacy policies and consent processes, and not use dark patterns to obtain consent; and
  • employ reasonable cybersecurity policies to protect user data.
• create the Digital Privacy Agency (‘DPA’), a federal office.  It would have the power to issue regulations and to impose fines of up to $443,792 for each violation.
• also empower State Attorneys General to enforce violations and grant individuals a private right of action.

Read the rest of this entry »

It is hardly surprising that a class action against Optus would be issued. Yesterday Slater and Gordon made that announcement. This follows from the Medibank Data Breach Class Action which is being funded by Omni Bridgeway. Baker and McKenzie is acting for the claimants. Maurice Blackburn, Centennial Lawyers and Bannister Legal opted for the Privacy Act route making a complaint to the Information Commissioner. The Commission has advised those firms that it won’t be investigating the complaints because the class action on foot would provide the appropriate remedies. It is not surprising that Andrew Watson of Maurice Blackburn is not best pleased given the Commissioner is continuing to investigate the Optus breach. He was reported as saying “They’re proposing to conduct an investigation as to whether there’s a breach, but not deal with compensation. If they’re not going to do it on this one, what are they there for?”. A fair point. At the moment to seek remedies through the Privacy Act is do deal with incoherent processes, given to exercises of discretion by the Commissioner that could bring matters to a sudden stop. I could have said that because I practice in this area. Maurice Blackburn clearly does not. It was always better to go the class action route in the Federal Court. One can only hope that the review of the Review of the Privacy Act and the resulting legislation will provide clearer and more coherent enforcement and compensatory process.

The Slater and Gordon statement Read the rest of this entry »

There are no shortage of discussion papers involving Cyber Security/privacy/data management at the moment.  One of the most recent is the the Department of Home Affairs 2023-2030 Australian Cyber Security Strategy Discussion Paper. It is not particularly long or detailed. Being a Strategy it focuses on high policy and directions rather than detailed amendment and analysis. The Information Commissioner has published Submission to 2023–2030 Cyber Security Strategy Discussion Paper.

The Commissioner’s submissions are consistent with one agency commenting on power arrangements of other agencies, strong on administrative analysis and recommendations The Commissioner’s recommendation that the Strategy.  The Commissioner’s key recommendation is that any strategy has to sync carefully with the amendments to the Privacy Act.  The Commissioner also identifies the need for regulatory frameworks to work cohesively.  Unfortunately in this area matters have gone rapidly from weak regulation to multiple Acts and agencies.  It has been entirely responsive, after years of ignoring the threat of cyber attacks and failing to keep up with regulation.  The Commissioner is right to be concerned that even with multiple agencies and legislation they should cohere and avoid regulatory gaps.  Better to have overlap than gaps.  The Commissioner’s recommendation that she be permitted access to protected information in relation to matters involving data breaches is sensible as is the recommendation to ensure that reporting of breaches be consistent across the board. 

The key with any strategy is enforcement.  There is little point having comprehensive regulation and the affected organisations and agencies ignoring it because they know the regulators are timid and the penalties small.  There has long been a cultural problem in Australia in putting time, effort and money into maintaining proper data protection, of both the analog and digital kind.

The Submission provides, Read the rest of this entry »

Chapter 5 of the Report is devoted to amending the powers in the Privacy Act relating to developing APP Codes and Emergency Declarations. The focus is quite narrow and technical. The amendments should not be controversial given the nature of the changes are build on what is already in the Privacy Act. There are relatively few APP Codes and the Emergency Declarations thankfully do not commonly arise.

The Act sets out a process for making APP codes in which the Commissioner identifies code developers and registers codes developed by them.  An ‘APP code developer’ is any of an APP entity, a group of APP entities, or an association or body representing one or more APP entities.  Currently the Commissioner is only permitted to make an APP code if a code developer has been requested to make a code by the Commissioner and has not complied with the request/  the Commissioner does not to register a proposed code.

The Report proposes to give the Commissioner more power and flexibility in developing Codes.  To that end the Report recommends that the Commissioner be given  additional power to make an APP code on the direction or approval of the Attorney?General:

• where it is in the public interest for a code to be developed, and
• where there is unlikely to be an appropriate industry representative to develop the code.

An APP code could be made in the absence of a suitable industry code developer.

The process would not be unfettered. A code Read the rest of this entry »