August 23, 2018
Privacy breaches in the health industry are depressingly common. Almost commonplace in hospitals. The reasons are not hard to find; many access points to information from clip boards at a patients bed or in a rack at a counter to a click of a button at a computer accessed by many staff, a large number of staff and high turnover and a generally poor privacy culture by senior medical staff. That is compounded by generally poor privacy protocols, inadequate training and an implied preference to be criticised for inevitable breaches rather than a root and branch change in policy and practice. It helps not one bit that the State and Federal regulators are lackluster operators.
So it is not at all surprising to Read the rest of this entry »
Posted in Privacy
|
Post a comment »
Yesterday there was a very significant privacy breach at a Victorian school, Strathmore Secondary College, involving the release of health information of students including mental health conditions, medications and learning and behavioural difficulties. It is reported in the Guardian and SBS, among others. The exposure of 300 school student’s records on the school’s intranet was likely the result of human error. That bespeaks a very ordinary privacy training and controls. Which is not uncommon.
These events provide a useful application of how the privacy legislation in Victoria may work for those who are affected by the breach. Under the Privacy and Data Protection Act 2014 those affected by Read the rest of this entry »
Posted in Privacy
|
Post a comment »
August 22, 2018
The Government has amended the Broadcasting and Enhancing Online Safety Act 2015 by giving the eSafety Commissioner with powers to seek civil and criminal penalties to deal with image based abuse, mainly revenge porn in practical terms. The civil penalties apply for failing to remove images and criminal penalties for transmitting private sexual material or a if there has been 3 civil penalty orders made against a person.
In principle the laws are welcome. In practice it really depends on the vigour of the eSafety Commissioner. Australia has a poor reputation in regulating privacy infringing behaviour. The amendments themselves highlight a very process laden means of achieving a legislative end. It
What is more than passing strange is that for all of these amendments the Government has not provided individuals with the power to take enforceable action relating to an interference with their privacy, either under the Enhancing Online Safety or the Broadcasting Acts. Everything must be channeled through the eSafety Commissioner. That might work for some or many people but others may wish to take steps themselves, such as obtaining compensation as well as taking down the images. It is a somewhat patronising omission. It is also the triumph of bureaucracy over freedom of the individual to take action in their own right.
A statutory cause of action for interference with privacy is the simple and straightforward way of giving individuals a right to take action. This has been suggested for many years but most formally by the Australian Law Reform Commission in 2008 and again in 2011. It has been emphatically rejected by the current government and ignored by the previous government. In short there has been a bipartisan policy failure in this area. Read the rest of this entry »
Posted in General
|
Post a comment »
The Federal Government introduced the My Health Records Amendment (Strengthening Privacy) Bill 2018 today.
It is very much a patch like amendment to the Act, inserting a Read the rest of this entry »
Posted in Privacy
|
Post a comment »
August 19, 2018
The work of the Information and Privacy Commissioner continues to not go on. But the Government has appointed a permanent successor to the previous Commissioner, Timothy Pilgrim. The Interim Information Commissioner and Privacy Commissioner, Angelene Falk, has been appointed Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
|
Post a comment »
August 12, 2018
The UK Information Commissioner has taken strong action in the form of a Monetary Penalty Notice of £140,000 for on selling personal information of one million people, from Emma’s Diary, which provides advice on pregnancy and childcare, to Experian Marketing Services, which is used by the Labour Party. That information was used as a database which was used to profile new mums for use during the 2017 General Election. The key with data for political parties is to allow them to micro target voters with carefully structured messages.
Under both UK and Australian privacy legislation personal information collected for one purpose can not be disclosed to a third party for another purpose unless one of the exceptions applies.
The actions by Emma’s Diary was particularly cynical given Read the rest of this entry »
Posted in Privacy, UK Information Commissioner's Office
|
Post a comment »
August 5, 2018
A problem which predates the My Health Records Act is the poor state of data security in the Health Sector. It is a chronic problem. The extent of the problem is highlighted in the discovery of 1,000 medical records relating to 400 patients of an Aged Care centre found in a building in South Sydney and 7,000 patient records exposed on line at South Australia’s Women and Children’s hospital.
The Hong Kong Department of Health was recently hit with a ransomware attack. And in Nova Scotia the Privacy Commissioner has investigated a privacy breach by a pharmacist employed by a large pharmacy chain who viewed the private medical records of 46 people who were not that person’s patients, including a child who was a friend of her child, that child’s parents, friends and Read the rest of this entry »
Posted in Privacy
|
Post a comment »
July 31, 2018
The My Health Records Act 2012 is a dreadful piece of legislation. Privacy professionals have known this for some time. They have been saying it for some time. While the system involved voluntary placement of records onto the systems the Government could avoid grumblings from various groups. The Privacy Commissioner was on an extended tea break on the issue. Nothing new there. So the legislation was untouched and the agency responsible for its management, the ADHA, filled forms, ignored complaints and generally kept a low profile.
Then the opt out provisions came into effect and various commentators “discovered” the privacy invasive aspects of the system. Janet Albrechtson took up the cudgels as did Peter Van Onsolen at News Ltd. Similar negative treatment came from Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
The Australian Information Commissioner has released another quarterly report of notified data breaches. It has grown into a 33 page document from its humbler beginnings of a single page. At the outset it is relevant to note that these figures are not the last word on actual data breaches. There is a balancing act organisations go through before deciding to notify. That is a weakness in the legislation. There is also likely to be some non compliance with the legislation. Finally many organisations are not subject to the operation of the Privacy Act and therefore will not notify because they do not have to. That said it is a valuable report.
Putting the issue of data breaches in its broader context itgovernance has calculated that there were data breaches and cyber attacks in July 2018 which resulted in unauthorised access to 139,731,894 records. And health records were a significant percentage of the records affected.
In the quarter there was 242 notifications, compared to 63 in the previous quarter, which were Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
|
Post a comment »
July 30, 2018
As if the victims hadn’t suffered enough. The Independent Inquiry into Child Sexual Abuse suffered a major data breach. Of the all too common own goal variety. A staff member sent an open email to 90 victims of sexual abuse, thereby allowing each person to identify the emails of others. More than the majority of the email addresses listed the full name of the recipients. Given the nature of the inquiry and the sensitivity of at least some of the recipients it was a dreadful and entirely avoidable error. The Inquiry released personal information without consent.
Under the Monetary Penalty Notice the contravention was Read the rest of this entry »
Posted in Privacy, UK Information Commissioner's Office
|
Post a comment »