There is controversy surrounding the Victorian Government’s tabling of 80,000 documents relating to the actions of the now Opposition Leader, Matthew Guy, when he was Planning Minister.  The underlying motive for the release seems to be more about politics than law which is of little interest to this blog.  What is interesting is that in tabling these documents there is a likelihood that it disclosed personal information relating to individuals, including health information. The nature of the personal information included the name of a lawyer, her mental health, her financial and familial details .  Initially published on line they have now been removed. That of course does not mean that personal information was not downloaded, copied or reproduced elsewhere during the time in which it was on line. And it appears that the rash action has resulted in significant scrambling by the Government in terms of apologies and the like.  That of course only goes so far, as in nowhere, in terms of liability. It claimed that the privacy breach was inadvertent.  That will cut very little mustard if put under forensic scrutiny in a court.  The tabling of a document in Parliament is as advertent as one can get.

That may be a breach Read the rest of this entry »

Phishing and spear phishing have been mainstay tools in the armaments of hackers and cyber criminals.  With proper privacy and data protection training they should not be particularly effective.  However they are because many organisations and agencies pay scant regard to training staff properly which is paradoxical given they generally spend a fortune on physical security and usually have reasonable to very good cyber security programs.  None of that helps if a hacker obtains a password and log in details.

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money) by often impersonating a  trustworthy entity such as a fellow staff member or through a well disguised electronic communication.  Phishing often involves the use of psychological techniques to build trust and confidence.  Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.  

The Australian Competition and Consumer Commission last week released a media report highlighting the new development used by phishers to get access to computer and bank accounts.  The twist is that the scams involve impersonation of police or business people who are supposedly trying to stop a scam.  In 2018 alone that Read the rest of this entry »

There is something of a myth propogated by those who would prefer less not more privacy protections, that there is no need for improved privacy protections and the community is not clamouring for more protections.  It is an entirely paternalistic approach to public policy that rarely squares with the evidence.  When surveyed there is a concern about lack of privacy protections and use/sharing of personal information.  For example the Pew Research Center in 2014 found that 91% of Americans agreed or strongly agreed that people have lost control over how personal information is collected.  Last year Pew found Read the rest of this entry »

Staff accessing personal information is a chronic problem in the health, police and financial services sector.  In Victoria the Victoria Police’s Leap data base, which contains personal information of most Victorians, has been misused on a depressingly regular basis with inadequate sanction for those breaches.  Only in the financial services sector does enforcement action tend to be swift and decisive.

In the health sector the culture is poor and breaches tend not to result in significant sanction.  And the private health sector is most vulnerable to data breaches.  And there are so many ways that those in the health sector can cause data breaches including in the last week a mailing error which resulted in releasing children’s health information in Missouri,  in the UK a hospital worker accessed the medical records of her boyfriend’s ex partner.  She used the details obtained to text obscenities to the victim of this privacy breach.  Given the nature of the breach and the subsequent misuse of the information it is not surprising that the health worker is no longer employed by the NHS. And a nurse at the Texas Children’s hospital was fired after posting on social media information about a rare measles case involving a boy aged between 1 – 3 years of age.  All of these cases involved human error at increasing levels of stupidity and incompetence.

Today there is another confirmation that the problem in the health sector continues unabated in Australia is a report from Perth Now that between 2014/15 and 2016/17 there were 40 breaches of patient confidentiality under West Australia’s health Act.  The actual number of data breaches are likely to be greater given Read the rest of this entry »

The High Court in Trkulja v Google LLC [2018] HCA 25 upheld an appeal from the Victorian Court of Appeal regarding a summary judgment application. It is a very significant decision in relation to pleading the of defamation when the imputations arise from search engine results.

FACTS

While not enamoured of the drafting the Court noted that the Appellant’s (Trkulja”) Amended Statement of Claim was  sufficiently comprehensible to convey that Trkulja alleged that:

• Google defamed him by publishing images which convey imputations that he:
  • “is a hardened and serious criminal in Melbourne”, in the same league as figures such as “convicted murderer” Carl Williams, “underworld killer” Andrew “Benji” Veniamin, “notorious murderer” Tony Mokbel and “Mafia Boss” Mario Rocco Condello;
  • is an associate of Veniamin, Williams and Mokbel; and
  • is “such a significant figure in the Melbourne criminal underworld that events involving him are recorded on a website that chronicles crime in [the] Melbourne criminal underworld”[3].
• Google published the defamatory images between 1 December 2012 and 3 March 2014 to persons in Victoria, including several named persons, upon those persons accessing the Google website, searching for  Trkulja’s name or alias (Michael Trkulja and Milorad Trkulja), and then viewing and perceiving the images presented on-screen in response to the search [4].
• the allegedly defamatory matters  comprising two groups:
  • “the Google Images matter” and
  • “the Google Web matter” [5]
• some of the pages include an image that contains text stating, inter alia, “Google lawsuit in court”, “COLOURFUL Melbourne identity Michael Trkulja” and “Mr Trkulja an associate of Mick Gatto” [7]
•  the images matter and the web matter are defamatory of  Trkulja in their natural and ordinary meaning and  carry the following defamatory imputations:

Read the rest of this entry »

The Victorian Supreme Court in A G Coombs Pty Ltd v M & V Consultants Pty Ltd (in liq) [2018] VSC 468 considered and dismissed a plaintiffs’ application for injunctive relief to prevent an application under section 459 of the Corporations Act 2001 being made.

FACTS

On Friday 15 June 2018, the plaintiffs sought urgent interlocutory relief and final relief by way of an injunction to enjoin the defendant from making an application under s 459P of the Corporations Act 2001 (Cth) to wind up each of the plaintiffs in insolvency in connection with statutory demands Read the rest of this entry »

Universities and institutes of higher learning hold enormous amounts of intellectual property that is valued by foreign governments or those wanting to obtain financial advantage without the effort.  They are prime targets for cyber attacks.  As are law firms which often have data relating to intellectual property claims or litigation.

In March 2018 the United States filed indictments against Iranian Revolutionary Guards for hacking computers of 7,998 professors at 320 computers involving 144 universities as well as other institutions  over the last 5 years.  In early July 2018 the Guardian reported that the Australian National University was hit by Chinese hackers.  As did the Australian.

This week ARN reports in Seven Australian universities targeted in global hacking campaign reports that 7 Australian Universities as part of a global action targeting Read the rest of this entry »

Privacy breaches in the health industry are depressingly common.  Almost commonplace in hospitals.  The reasons are not hard to find; many access points to information from clip boards at a patients bed or in a rack at a counter to a click of a button at a computer accessed by many staff, a large number of staff and high turnover and a generally poor privacy culture by senior medical staff.   That is compounded by generally poor privacy protocols, inadequate training and an implied preference to be criticised for inevitable breaches rather than a root and branch change in policy and practice.  It helps not one bit that the State and Federal regulators are lackluster operators.

So it is not at all surprising to Read the rest of this entry »

Yesterday there was a very significant privacy breach at a Victorian school, Strathmore Secondary College, involving the release of health information of students including mental health conditions, medications and learning and behavioural difficulties.  It is reported in the Guardian and SBS, among others.  The exposure of 300 school student’s records on the school’s intranet was likely the result of human error.  That bespeaks a very ordinary privacy training and controls.  Which is not uncommon.

These events provide a useful application of how the privacy legislation in Victoria may work for those who are affected by the breach.  Under the Privacy and Data Protection Act 2014 those affected by Read the rest of this entry »

The Government has amended the Broadcasting and Enhancing Online Safety Act 2015 by giving the eSafety Commissioner with powers to seek civil and criminal penalties to deal with image based abuse, mainly revenge porn in practical terms.  The civil penalties apply for failing to remove images and criminal penalties for transmitting private sexual material or a if there has been 3 civil penalty orders made against a person.

In principle the laws are welcome.  In practice it really depends on the vigour of the eSafety Commissioner.  Australia has a poor reputation in regulating privacy infringing behaviour.  The amendments themselves highlight a very process laden means of achieving a legislative end. It

What is more than passing strange is that for all of these amendments the Government has not provided individuals with the power to take enforceable action relating to an interference with their privacy, either under the Enhancing Online Safety or the Broadcasting Acts.  Everything must be channeled through the eSafety Commissioner.  That might work for some or many people but others may wish to take steps themselves, such as obtaining compensation as well as taking down the images.  It is a somewhat patronising omission. It is also the triumph of bureaucracy over freedom of the individual to take action in their own right.

A statutory cause of action for interference with privacy is the simple and straightforward way of giving individuals a right to take action.   This has been suggested for many years but most formally by the Australian Law Reform Commission in 2008 and again in 2011.  It has been emphatically rejected by the current government and ignored by the previous government.  In short there has been a bipartisan policy failure in this area. Read the rest of this entry »