The Australian Information and Privacy Commissioner, Timothy Pilgrim, to retire on 24 March 2018

February 20, 2018

According to a report in the Mandarin,Last man standing: information and privacy commissioner Timothy Pilgrim to retire, Timothy Pilgrim, the Privacy and Information Commissioner is to retire on 24 March 2018. It is also reported in itnews, computerworld and zdnet.

Timothy Pilgrim has been one of the better privacy commissioners.  That is a comparative measure only.  His predecessors ranged from ineffective to hopeless.  As a result the privacy and data security culture has been poor.  Pilgrim was far more active than his predecessors both in terms of work rate and general profile.  But objectively measured he was a timid and tentative regulator.  Even with a limited budget from 2014 the Office of the Information Commissioner took a very low profile.  His determinations were excessively conservative and Read the rest of this entry »

Two days to mandatory data breach notification laws comes into effect and the advisory articles (sort of) come out

In two days the Privacy Amendment (Notifiable Data Breaches) Act 2017 becomes law.  Organisations and agencies covered by the Privacy Act will have obligations to notify those impacted by a data breach as well as notifying the Information Commissioner.  What was once good practice is now mandatory.  How mandatory it becomes in practice depends on the regulator.  That is a live question in this area.

It is interesting to see how these changes are being written up.  In today’s Australian under It’s D-Day for privacy breaches the VP of Cisco and chief data privacy officer, Michelle Dennedy, has written a sprightly piece ostensibly about the data protection laws but more a generalised discussion on good privacy practices, sprinkled with the word “Cisco”.  It offers next to no insight on how the legislation will operate.  It is a complex piece Act which requires balancing and some careful decision making.  If one was to Read the rest of this entry »

Mandatory data breach notification legislation comes into effect this week…Thursday

February 18, 2018

The long demanded, often promised and finally enacted mandatory data breach notification legislation comes into effect this week, Thursday 22 February 2018.

The legislation is complex but the failure to comply may result in significant consequences.  Much of the impact of the legislation depends Read the rest of this entry »

The Australian Senate passes a revenge porn Bill ..now onto the House of Representatives

Yesterday the Senate passed the Enhancing Online Safety (Non-consensual Sharing of Intimate Images) Bill 2017.  Or a bill to ban revenge porn. It must now pass through the House of Representatives before it will become law.  It is a complex Bill and one that is a reasonable but not the best response to this growing problem.

The summary is described Read the rest of this entry »

Australian websites attacked by a cryptojacking attack….

February 12, 2018

There is a positive in all of the attacks in cyberspace… the English vocabulary has grown and become enriched by new terms.  Ever heard of cyrpojacking.  It is a form of malware (another gift to the mother tongue to describe malicious software) which forces computers to mine cryptocurrency which generates profits for the hacker.  Australian Government sites have been successfully breached through a browser plug in provided by a third party.  Hackers inserted Coinhive into the plug in which hijacked the processing Third Party vulnerabilities are a chronic problem for businesses and government because their internal controls are not easily supervised and audited but their services are necessary.

The Guardian in Cryptojacking attack hits Australian government websites reports that in Australia the Victorian Parliament website has been compromised as has the Queensland Ombudsman, the City of Casey and the South Australian City of Unley Council. These types of breaches highlight which organisation and agencies have been less diligent with Read the rest of this entry »

Mandatory Data breach notification laws come into effect in 2 weeks, 22 February 2018

February 9, 2018

With the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017  Australia will have a mandatory data breach notification law.  It comes into effect from 22 February 2018 (though some practitioners believe it comes into effect on 23 February).

In summary the scheme as enacted int Part IIIC of the Privacy Act obliges organisations covered by the Privacy Act and agenices  to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. A notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner must also be notified of eligible data breaches.

That is the starting point.

It is a complex piece of legislation which requires careful consideration of the exemptions and consideration of what may or may not constitute serious harm.

Cabinet files found in an ex Government filing cabinet…a familiar story of appalling data security practices

February 1, 2018

There is quite a buzz about the ABC’s scoop in obtaining Cabinet documents stretching across a number of recent Australian Governments.  It has resulted in a cornucopia of stories which have found their way into the media in the last few days.  It is a hell of a scoop.  The documents were not “leaked” by government or opposition insiders or a disgruntled public servants.  They were found in an old second hand filing cabinet bought by a punter at an op shop who passed them onto the ABC.  This is hardly a new story.  I Read the rest of this entry »

Former ASIO boss warns that Australia’s cyber defence is weak and uncoordinated…hardly a revelation with weak privacy and data security laws and even weaker regulation of those laws

January 19, 2018

It is enough to make a cat smile how the obvious poor state of cyber defence across the board is breathlessly reported as a revelation, again and again.  And how nothing really changes even though the problem grows worse each year.

The ABC reports in Australia’s cyber defences ‘relatively weak, uncoordinated’, former ASIO boss David Irvine warns in a submission through the Australian Cyber Security Research Institute that that Australia’s ability to counter cyber threats and criminal activity is relevantly week and uncoordinated.  That is not surprising, coming from a former public servant of long standing, the proposal is single Commonwealth led Co operative Agency.  The proposed entity will Read the rest of this entry »

YouTube personality wins revenge porn case in UK relying on breach of confidence, misuse of private information and harassment.

January 18, 2018

There are limits to legislation criminalising revenge porn, the publication of  revealing or sexually explicit images or videos of a person posted on the Internet without the consent of the subject in order to cause them distress or embarrassment, without providing the victim with an actionable cause of action.  The first limitation is that a complaint to the police may not result in a prosecution.  The burden of proof is much higher.  In some cases proving the accused took the image or posted it may be an issue though in the typical revenge porn scenario that is not common problem.  The other potential problem from the point of view of the victim is that how a matter is dealt with is a matter for the prosecution, whether in the form of a plea and the agreed statement of facts and the submissions on penalty. That is not to say the prosecution are less than professional but matters are resolved all the time.  While the victim may be kept informed the call is always the prosecutions to make.   What is required is an actionable civil claim by victims, in the form of either a statutory or common law basis, under the tort of invasion of privacy.  And that is what is missing in Australian law.  Claims in Australia must rely on equity, breach of confidence and misuse of private information, to bring a civil claim.  That was what Ms Chambers did because at the time of the acts giving rise to her action the Supreme Court had not recognised a tort of invasion of privacy, which it did subsequently.  It is a more complicated and unwieldy form of action which is very much a second best option to a tortious claim.  Australia remains one of the few places in the common law world without a specific actionable right to enforce privacy rights.  It remains a significant gap in the law and a ongoing failure of public policy.

The BBC reports that Chrissy Chambers, described as a Youtube celebrity, brought an action against an ex partner who posted 6 videos on a pornographic site after they broke up, from December 2009 until January 2012.  Ms Chambers found out about the posting in June 2013.  Her efforts to bring criminal charges were unsuccessful, primarily because a criminal offence relating to revenge porn had not been enacted at the time of the posting.   She commenced proceedings in the UK High Court and obtained a settlement involving an undisclosed sum of money, her costs, destruction of images held by the defendant and the copyright to the images Read the rest of this entry »

UK Government opts for sensible approach in permitting researchers test anonymisation measures

January 14, 2018

The mantra by regulators that data which is anonymised can be used for research and published has resulted in significant embarrassment when said anonymisation resulted in re identification. It has spawned a busy subset of academic articles on how this happens and generally advising caution, see for example All or Nothing: The False Promise of Anonymity in the Data Science Journal.

 Re identification occurs were there has been insufficient de identification and the methods of re identifying are generally one or both of pseudonym reversal or by combing data sets.

In Australia the Government introduced the Privacy Amendment (Re-identification Offence) Bill 2016.  If enacted it will prohibit the Read the rest of this entry »