Peter A Clarke

The impact of data breaches cannot be underestimated.  Many, if not most, businesses and organisations store their data on computers which are connected with the internet.  For the service industry that usually means personal information.  Masses of it.  And the health sector is a prime target for cyber attacks because health service providers collect a vast amount of personal information and types of information which may be used for identity theft and other forms of fraud.  Unfortunately the health sector is also prone to poor cyber security practices. This is highlighted in Cyber Incident Cost $100 Million, Tenet Healthcare Reports.  That is a significant cost but not a record by current standards. 

Tenet’s data breach is not an isolated incident by any stretch.  In June and July there have been the following breaches of health care providers:

• Avamere Health Services suffered intermittent unauthorized network access between January 19, 2022 and March 17, 2022. A total of 380,984 patient records were affected and notified. The personal information involved were names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical diagnosis/conditions information.
• The City of Newport suffered a data breach on June 8, 2022 and June 9, 2022 involving records of city employees.
• in the Canadian province of Newfoundland and Labrador Eastern Health suffered a data breach  resulting in a privacy breach notification sent to 37,800.  That equates to one out of every 13 people in the province.

• Feelyou a journaling and social mood tracking app had a flaw whereby anyone could obtain the personal email addresses of users and link them to anonymous posts by simply accessing the app’s GraphQL application programming interface (API), which did not require any authentication to do so. This affected 70,000 personal emails.

Read the rest of this entry »

The Australian Information Commissioner (the “Commissioner”) has released a brief but quite specific and detailed guidance on the retention and deletion of personal information. It is entirely reasonable to release a guidance now given restrictions throughout the country have largely been removed and there is no longer a requirement to collect masses of personal information. 

But now organisations and agencies have an enormous amount of personal information which was collected for the purpose of complying with various Public Health Orders and which was to be used for specific, narrow and defined purposes, such as contact tracing and vaccine status.  As the guidance makes clear there is now an obligation on organisations to delete much of that personal information.  With the orders no longer in place there is a real question of whether Read the rest of this entry »

There is increasing concern about personal information of children being scraped from the net or collected through websites and apps.  In May the US Federal Trade Commission announced that it was cracking down on companies that illegally surveil children on line.  Earlier this year the FTC took action against Weight Watchers for illegally collecting children’s health information. In March the US District Court for the Northern District of Illinois a $1.1 million to resolve an action where Tik Tok was alleged to have collected children’s data and sold it third parties. In the United States it has been estimated that by a child is 13 on line advertising firms have collected an average of 72 million data points about that person.  In the USA the gaps and loopholes in the privacy laws allowed apps to track kids phones.

The organisation Children and Media Australia has released a report highlighting how many games apps collect childrens’ data.  That has been covered by the ABC in How some of the most-popular children’s apps are sharing data in ‘troubling’ ways , 

The ABC article Read the rest of this entry »

The Australian Information Commissioner has made submissions to the Department of Prime Minister and Cabinet’s Australian Data Strategy.  

It is a more assertive submission than usually produced by the Information Commissioner. That may be because of the increased muscularity of other regulators who have an interest in data security and privacy, such as the ACCC.  Possibly also because there is a review of the Privacy Act 1988 with a government that has stated a greater interest in significant reform in the handling of data than its predecessor. 

It provides, absent footnotes:

Introduction

1. 1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Department of Prime Minister and Cabinet’s (the Department) Australian Data Strategy (the Strategy).
   2. The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation), freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Information Commissioner Act 2010 (Cth)).
   3. We welcome the Strategy’s focus on aligning with the range of existing legislation, strategies, policies, and reviews which regulate the use of data and the protection of personal information. The Strategy broadly intersects with the OAIC’s existing regulatory role and responsibilities under several laws and whole-of-government initiatives, including the Privacy Act (and its ongoing review), the FOI Act, the Consumer Data Right, the Data Availability and Transparency Act 2022, the Australian Cyber Security Strategy, the National Data Security Action Plan, and the Digital Identity scheme.
   4. Promoting and upholding privacy, information access rights and supporting the proactive release of government-held information are key strategic priorities for the OAIC. This recognises that data held by the Australian Government is a national resource which can yield significant benefits of the Australian people when handled appropriately, and in the public interest.
   5. The Strategy sets out a vision for the creation of a national ecosystem of data that is accessible, reliable, relevant and easily used to power Australia’s national endeavour towards a modern data-driven society.[2] The Strategy focuses on three key themes: maximising the value of data, trust and protection, and enabling data use.
   6. The Strategy acknowledges the importance of keeping data safe and secure and using and managing it in appropriate ways to earn and maintain public trust. This is particularly important in relation to data containing personal information, which is subject to specific statutory protection. Privacy issues that are not properly addressed can impact the community’s trust in an entity and undermine the success of new data initiatives. When people have confidence in how their data is handled, they are more likely to support the use of that information to provide the services and value promised by innovative data initiatives.
   7. The Privacy Act provides a well-established framework to minimise the privacy risks associated with personal-information handling activities and facilitate community trust and confidence in new data initiatives. It contains 13 Australian Privacy Principles (APPs), which are technology-neutral and applicable to changing and emerging technologies and data practices. This submission focusses on the role that privacy will play in achieving the Strategy’s vision and objectives, and our views on measures that can further support the Strategy’s ambitions by strengthening the existing privacy framework through the ongoing Privacy Act Review. It is also important to acknowledge the important role the FOI Act will play as part of a comprehensive Australian Data Strategy.

Read the rest of this entry »

The National Institute of Standards and Technology (“NIST”) is updating the Controlled Unclassified Information (CUI) series of publications, being, firstly:

•  Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
• publication SP 800-171A,
• publicationSP 800-172, and
• SP 800-172A.

The topics the NIST is looking to consider in any review are:

Use of the CUI Series

1. 1. How organizations are currently using the CUI series (SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A)
   2. How organizations are currently using the CUI series with other frameworks and standards (e.g., NIST Risk Management Framework, NIST Cybersecurity Framework, GSA Federal Risk and Authorization Management Program [FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.)
   3. How to improve the alignment between the CUI series and other frameworks
   4. Benefits of using the CUI series
   5. Challenges in using the CUI series

Updates for consistency with SP 800-53 Revision 5 and SP 800-53B Read the rest of this entry »

By   ministerial statement made by Minister for Media, Data and Digital Infrastructure, Matt Warman, on 18 July 2022,  the Government announced that it will introduce the Data Protection and Digital Information Bill to the House of Commons.  The Government has also published proposed AI regulation for consultation. 

The proposed Data Protection and Digital Information Bill will mark a departure from the EU GDPR.  The Government states that countries are not required to have the same rules in order to be granted adequacy and they will be compatible with maintaining free flow of personal data from the European Economic Area. How much of a departure will become apparent when the Bill is introduced.

The statement provides:

Today, the Government is introducing the Data Protection and Digital Information Bill in the House of Commons. The Bill is being introduced after the Government published its response to the Data: A New Direction consultation on 17th June 2022.

We now have the opportunity to seize the benefits of Brexit and transform the UK’s independent data laws. We have designed these new updates to our data protection framework so it works in our interests, protects our citizens, and unburdens our businesses.. Read the rest of this entry »

Internet 2.0 has published It’s their word against their source code – TikTok report regarding Tik Tok’s appalling privacy practices and prodigious data harvesting practices.  It is a comprehensive and definitive report.  While it may highlight specific details of how Tik Tok harvests data from users using its app on Android phones Tik Tok’s privacy intrusive conduct has been known for years.  The problem is the will to do something about it.  Tik Tok argues that data it collects is not stored in China, such as Singapore and that there are protocols prevening Chinese based personnel accessing it.  Those protocols are weak and more window dressing than reality. 

The Executive Summary of the report relevantly Read the rest of this entry »

The ABC’s quite lengthy piece Drone regulation ‘not keeping up with technology’, lawyers concerned about stalking risks highlights the capability of drones to be used to invade privacy, be used for overt and covert surveillance and be used as an instrument of stalking.  The problem has been present for many years and nothing meaningful has been done to address it.  On 14 July 2014 the House of Representatives Standing Committee on Social Policy and Legal Affairs tabled a report Eyes in the Sky about drone technology with:

• Chapter 2 titled Our Drone Future
• Chapter 2 – Safety in the air
• Chapter 4 – Drones and Privacy

I did a post, House of Representatives hands down report on drones, “Eyes in the Sky”, on the day it was tabled. 

That was 6 years ago to the day plus one.  The recommendations to enhance privacy protection were ignored.  Recommendations 3 – 6  (at pages 48 – 50 of the Report) recommended:

Recommendation 3
The Committee recommends that the Australian Government consider introducing legislation by July 2015 which provides protection against privacy-invasive technologies (including remotely piloted aircraft), with particular emphasis on protecting against intrusions on a person’s seclusion or private affairs.
The Committee recommends that in considering the type and extent of protection to be afforded, the Government consider giving effect to the Australian Law Reform Commission’s proposal for the creation of a tort of serious invasion of privacy, or include alternate measures to achieve similar outcomes, with respect to invasive technologies including remotely piloted aircraft.

Recommendation 4
The Committee recommends that, at the late-2014 meeting of COAG’s Law, Crime and Community Safety Council, the Australian Government initiate action to simplify Australia’s privacy regime by introducing harmonised Australia-wide surveillance laws that cover the use of:
? listening devices
? optical surveillance devices
? data surveillance devices, and
? tracking devices
The unified regime should contain technology neutral definitions of the kinds of surveillance devices, and should not provide fewer protections in any state or territory than presently exist.

Recommendation 5
The Committee recommends that the Australian Government consider the measures operating to regulate the use or potential use of RPAs by Commonwealth law enforcement agencies for surveillance purposes in circumstances where that use may give rise to issues regarding a person’s seclusion or private affairs. This consideration should involve both assessment of the adequacy of presently existing internal practices and procedures of relevant Commonwealth law enforcement agencies, as well as the adequacy of relevant provisions of the Surveillance Devices Act 2004 (Cth) relating but not limited to warrant provisions.
Further, the Committee recommends that the Australian Government initiate action at COAG’s Law, Crime and Community Safety Council to harmonise what may be determined to be an appropriate and approved
use of RPAs by law enforcement agencies across jurisdictions.

Recommendation 6
The Committee recommends that the Australian Government coordinate with the Civil Aviation Safety Authority and the Australian Privacy Commissioner to review the adequacy of the privacy and air safety regimes in relation to remotely piloted aircraft, highlighting any regulatory issues and future areas of action. This review should be
publicly released by June 2016.

The recommendations couldn’t be clearer.  Recommendation 3 specifically called for a tort of serious invasion of privacy.  That is consistent with 2 Australian Law Reform Commission reports since Read the rest of this entry »

Two recent stories highlight the inadequate privacy protections we have in Australia and how technology is making this situation worse.  In  Former model Tziporah Malkah breaks down over nude photos  the Age reports that Tziporah Atarah Malkah, formerly known as Kate Fischer complained of her naked and hardly blurred image being televised without her consent.  The image was secretly filmed by a man she has been in a relationship with.  Her privacy was clearly breached but she had little civil recourse. 

In the second case, as reported by the ABC in Melbourne woman featured in viral TikTok video without consent says she feels ‘dehumanised’ and the Guardian in Melbourne woman ‘dehumanised’ by viral TikTok filmed without her consent  a woman, who gave her name as Maree, was used as a prop for a tik tok video by a Harrison Pawluk.  Harrison approached Maree who was minding her own business at a public shopping centre and asked her to hold a bunch of flowers while he put on his jacket. Then he wished her a good day and walked away, leaving her with the flowers.  She was visibly shocked by the approach and the conclusion.  Harrison had the exchange videotaped and posted it onto tik tok where it has had 57 million views to date.  He posted the video with the line “I hope this made her day better.”  It was a smug and cynical gesture with no shortage of dishonesty attached. It was done to get a post on tik tok, not make a person happy.  Maree was used from start to finish.  She wasn’t Read the rest of this entry »

The Canadian government has introduced a bill titled “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts” which establishes ten principles of a Digital Charter.

It will be interesting to see whether this proposed reform influences the Australian Government’s review of Read the rest of this entry »