Peter A Clarke

In Privacy and Data Protection Commissioner has found that the University of Melbourne breached Information Privacy Principle (IPP) 1.3 in tracking its students who were engaged in a sit in protest in May 2024 and a direction by the Vice Chancellor to leave on 20 May 2024.

The investigation is a useful consideration of IPP 1.3 and 2.1 of the Privacy and Data Protection Act (Vic). The analysis and principles are applicable in relation to the extent to which the collector of personal information informs those who own that information what it will be used for.  It is considered whether the use was consistent with the purpose of gathering the information or a permissible secondary purpose.

Beyond making a finding against the University the Information Commissioner’s Office could take no action against the University notwithstanding an egregrious and serious breach of the Act.  The only action that could be taken is a Compliance Notice which is little more than a notice saying one should fix problems.  That’s it.  That highlights the fundamental weakness in the legislation. In the United Kingdom the Information Commissioner has the power to impose monetary penalties on agencies. 

Notwithstanding the lack of meaningful action taken against the University by the regulator that does not mean those whose privacy was interfered with don’t have causes of action in the courts.  

The Report is 31 pages long but some relevant points made include:

Regarding Function creep

Foreword

Social licence and function creep are two important concepts in interpretation of the relationship between human rights and technology. When governments or other official bodies implement technology, society expects them to respect human rights, including the right to privacy. This is usually achieved through the preparation of a Privacy Impact Assessment, and through communication with affected stakeholders about the purpose of the technology and the ways in which its use will be governed.

The University engaged in function creep by using surveillance of users of on-campus Wi-Fi in disciplinary proceedings it began after a protest. The University introduced the Wi-Fi tracking capability some years ago, for the purpose of network management, with a reassurance that it would not be used to surveil individuals. The University subsequently used the capability for disciplinary purposes, because it was already in place, without substantially considering the human rights or privacy impacts of doing so. In failing to consult with stakeholders about the policy change, the University failed to obtain a social licence for the use of this technology.

and 

The delivery method for the Notices related to Wi-Fi use – an on-screen pop-up – was also not an effective mechanism for explaining complex terms and conditions.

and 

…the governance and authorising processes the University used to authorise access to staff email accounts fell below the standard the Deputy Commissioner expects. This access occurred after the urgency of protest had passed, and could have been dealt with more carefully Read the rest of this entry »

Data breaches often bring on multiple levels of pain and repeated expense. The initial data breach involves the affected company bringing in technical experts to figure out where the breach occurred and undertake remedial action. Often cyber attackers leave compromised or wrecked systems in their weight, requiring reprogramming. Then there is the expense of dealing with the regulator or regulators for a prolonged period. In Australia, the regulator moves slowly so the process can be excruciating for companies. To that extent the recent comments by Malcolm Turnbull that companies regard data breaches as the cost of doing business is a little glib and a major generalisation. That said his comments about complacency is spot on. In the United States the cost of data breaches include civil claims by governments, usually through Attorneys General and Government departments. Last week the Department of Financial Services settled a claim with Healthplex for $2 million arising out of a data breach which violated state cyber security regulation. The settlement requires Healthplex to hire an auditor to examine the multi factor authentication controls.

The statement by the Department of the Financial Services provides:

Read the rest of this entry »

The National Institute of Science and Technology (“NIST”) has published a very valuable lightweight cryptography standard to protect information created and transmitted by the Internet of Things as well as other small electronics. It is very important for those developing small devices which require protection from cyber attack, which is pretty much all small internet connected devices. 

The NIST has published a page on Lightweight Cryptography. 

The Read the rest of this entry »

Another day, another data breach in Australia. This time iiNet has announced that it has suffered a data breach. Mode of entry, use of employee credentials to get into iiNet’s order management system. The breach is reported by the Australian in iiNet latest Aussie company to be hit by hackers. iiNet released a media release earlier today titled Cyber incident involving iiNet customers. As is the way the story has been covered across the media with News.com.au, Information Age, Australian Cyber Security Magazine, AFR, Cyber Daily amongst others.

This data breach will be hugely embarrassing for iiNet.  It’s whole image is based around being more accessible (not in that way) and different from other telco providers.  And better in a geekier more friendly but more efficient sort of way.  Now it finds itself suffering the sort of data breach other big organisations suffer.  

iiNet’s media statement is quite good.   For Australia.  It provides some detail of what happened and how though much is not revealed.  That will be revealed if the Privacy Commissioner takes action or there is a class action.  But being as transparent as possible is preferable to saying virtually nothing as Genea has done with its much more serious data breach.  iiNet provided detail of the nature of the personal information stolen; emails (280,000), phone numbers (20,000) and user names, streeet addresses (10,000) and modem set up passwords (1,700).  Distressing and damaging as that may be it did not involve financial information, dates of birth and any other personal information.  iiNet has been more specific than most in how it responded.  It can’t help itself in advising how it is liasing with the ACSC, the NOCS and the OAIC.  On a more relevant note it has set up a dedicated hotline.  That is an excellent initiative.  By contrast Genea has been very difficult to contact and responses have been wholly unhelpful, enraging patients.   It provided some preliminary advice on what to do and answering frequently asked questions.  Interestingly iiNet responds to the question as to why it was holding information on people who are no longer customers of iiNet.  The answer is somewhat mealy mouthed including being due “to legal, regulatory, or operational requirements.” Mmmm.  

The statement provides:

iiNet has been impacted by a cyber incident involving unauthorised access to its order management system by an unknown third party.

The iiNet ordering system is used to create and track orders for iiNet services, such as NBN connections. The system contains limited personal information. Importantly, it does not contain copies or details of customer identity document details (such as passport or driver’s licences), credit card or banking information.

What we are doing

Upon confirmation of this incident on Saturday, 16 August 2025, we enacted our incident response plan, began work to ensure the security of the system and to determine what occurred. We have engaged external IT and cyber security experts to assist with our investigation. Read the rest of this entry »

Australian Privacy Principles 12 and 13 of the Privacy Act 1988 permits individuals to have access to their personal information and correct that personal information respectively. Exercising those rights can be more complicated than it should be. Given companies engage in the over collection of personal information and are reluctant to remove personal information once they have no legitimate need for it this poses a real problem.  It is not an Australian only problem.  It is a worldwide problem where many companies wrongly take the view that personal information is to do with as they see fit. That explains their common resistence to requests to delete personal information.   This is explained in the excellent piece by The Markup with We caught companies making it harder to delete your personal data online.

There is nothing quite like an ex politician complaining about this or that aspect of the country when he/she did nothing about the problem when in power. It is even more galling when it is an ex Prime Minister. And so it is quite extraordinary that Malcolm Turnbull complains about the complacency in the market to cyber attacks in the Australian’s Malcolm Turnbull warns of alarming pattern in cyber attacks on Australian companies.  What needs to be understood is that the poor privacy culture has been an endemic problem for decades.  Successive Federal Governments have either ignored the issue or did the bare minimum.  Turnbull was a minister in the Howard Government, which did as little as possible to reform the Privacy Act and did nothing to enervate the Information Commissioner.  The Abbott Government, where Turnbull was also a minister, reduced funding to the Information Commissioner and removed the Privacy Commissioner as a position.  Turnbull was the Australian Prime MInister from 2015 – 2018.  No privacy reform took place then even though the Australian Law Reform Commission had published Serious Invasions of Privacy in the Digital Era (ALRC Report 123) in 2014.  it recommended comprehensive privacy reform.  His Government also had in its possession For Your Information: Australian Privacy Law and Practice (ALRC Report 108), an even more comprehensive 2008 report recommending privacy reform. If those reports had been properly acted upon, the regulator had been properly funded, a  more assertive person was at the helm of the regulator and the government had given a focus given to cyber protection things may have been different.  If there had been proper prosecutions with real consequences for malefactors the price of complacency may have been too high. But none of that happened and there is widespread complacency.

The article (in red), with a few of my comments (in black), provides:

New data from cyber security firm Semperis has revealed almost half of all attacks are on understaffed weekends, with hackers repeatedly targeting the same businesses in the past year.

Despite the strikes, politicians and business leaders aren’t taking the breaches seriously enough, with Mr Turnbull – who advises Semperis – saying many are “treating ransomware attacks as just a cost of doing business”. Read the rest of this entry »

It is common that Australian companies and organisations refer to liaising with the Australian Cyber SecuSecurity Centre amongst other authorities and agencies after a data breach. It is so common that it is now boilerplate. All of that relates to damage mitigation. What is less common is organisations using the guides prepared by the ACSC to improve cyber security so as to prevent data breaches. The ACSC publishes quite good guides, as does the Information Commissioner even if they tend to the general. Other resources include standards prepared by the NIST and the ISO series. The NIST guides while highly technical are the most useful. The UK Information Commissioner publishes guidelines which cover general issues as well as guides relating to UK legislation. Guidelines are already important but will take on greater significance as privacy related litigation grows. The question of whether a defendant acted reasonably and proportionately is likely to be determined on the facts having regard to appropriate standards and best practice. On 13 August 2025 the ACSC released Foundations for OT cybersecurity: Asset inventory guidance for owners and operators.  For practitioners whose clients manage critical infrastructure it is an important document.  It is generally useful in setting out the methodology when ordering and prioratising assets which may be the subject of internet access.   

The Executive Summary provides:

When building a modern defensible architecture, it is essential for operational technology (OT) owners and operators across all critical infrastructure sectors to create an OT asset inventory supplemented by an OT taxonomy. Using these tools helps owners and operators identify which assets in their environment should be secured and protected, and structure their defenses accordingly to reduce the risk a cybersecurity incident poses to the organization’s mission and service continuity. Read the rest of this entry »

Hackers have attacked the hallowed halls of Scotch College, one of the elite private schools in Melbourne by hacking its IT system.  Educational institutions are regular targets for cyber attacks.  Universities are often hacked. They have lots of challenges, numerous entreports, constantly changing authorisations which can be stolen and used for a cyber attack, legacy systems which have inbuilt weaknesses and a huge amount of data that make attacks worthwhile.  At the school level often IT systems are basic and not well maintained.  In my experience school administrations do not give sufficient attention to privacy training, making phishing and spear phishing quite easy.  Scotch College would have a wealth of information that Read the rest of this entry »

Universities are prime targets for data breaches. They offer so many opportunities for entrance, often through stolen or easily discerned authorisations. They also have legacy issues with ill fitting computer systems cobbled together with mergers and patch ups. The latest victim is the University of Western Australia whose data breach has been reported by the ABC in University of Western Australia suffers major data breach, staff and students locked out.  The method of attack was through unauthorised access to password information.  The UWA’s response was to lock out and reset passwords of students, staff and visitors.  At this stage the UWA admits to no data being stolen or ransomware being installed.  

The data breach has also been reported by News.com.au, iTnews and cyber daily.

The statement from UWA is cryptic to say the least. It provides:

The ABC article Read the rest of this entry »

Given the scope and sensitivity of the personal information lost in the Genea data breach it is hardly surprising that a number of firms, 3 at last count, are considering class actions. This looming herd/charge of class actions is covered by Nine with ‘Reopened those wounds’: IVF patients to sue clinic over data breach and the Sydney Morning Herald with ‘Emotionally devastating’: Victims of IVF data breach seeking class action. It is always difficult to predict what will or won’t be pleaded in class actions but the issues that are clearly relevant revolve around obligation to keep confidential material safe and secure and what steps were taken to keep the personal information secure. There may be issues relating to misrepresentations and perhaps breach of contract.  

The SMH article provide:

Read the rest of this entry »