The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Tuesday, April 15, 2008
Wednesday, September 12, 2007
The Australian Law Reform Commission has just released a hefty report calling for reforms to the country's privacy laws: ALRC Discussion Paper 72 Review of Privacy Laws - Contents.
Here's the media release accompanying the report:
ALRC - On-line
Australian Law Reform Commission
Wednesday 12 September 2007
ALRC proposes overhaul of ‘complex and costly’ privacy laws
The Australian Law Reform Commission (ALRC) today released a blueprint with 301 proposals for overhauling Australia’s complex and costly privacy laws and practices.
Releasing Discussion Paper 72, Review of Australian Privacy Law, ALRC President Prof David Weisbrot said it was the product of the largest public consultation process in ALRC history: “We have received over 300 submissions and held over 170 meetings to date, including with business, consumers, young people, health officials, technology experts and privacy advocates and regulators.
“The clearest message from the community is that we must streamline our unnecessarily complex system. The federal Privacy Act sets out different principles for private organisations and for government agencies. On top of that, each state and territory has its own privacy laws or guidelines and some also have separate laws on health privacy.
“The ALRC is proposing there be a single set of privacy principles for information-handling across all sectors, and all levels of government. This will make it easier and less expensive for organisations to comply, and much more simple for people to understand their rights.
“The protection of personal information stored or processed overseas, as is now routine, is another serious concern. The ALRC wants to ensure that such information has at least the same level of protection as is provided domestically. We propose that a government agency or company that transfers personal information overseas without consent should remain accountable for any breach of privacy that occurs as a result of the transfer”, Prof Weisbrot said.
Commissioner in charge of the Inquiry, Prof Les McCrimmon, said that the ALRC also is proposing a new system of data breach notification: “There is currently no requirement to notify individuals when there has been unauthorised access to their information, such as when lists of credit card details are inadvertently published. Where there is a real risk of serious harm to individuals, we say they must be notified.”
Professor McCrimmon said that the ALRC also proposes the removal of the exemption for political parties from the Privacy Act. “Political parties and MPs should be required to take the same level of care when handling personal information as any other agency or organisation.”
Other key proposals include:
- introducing a new statutory cause of action where an individual’s reasonable expectation of privacy has been breached;
- abolishing the fee for ‘silent’ telephone numbers;
- expanding the enforcement powers of the Privacy Commissioner;
- imposing civil penalties for serious breaches of the Act; and
- introducing a more comprehensive system of credit reporting.
Review of Australian Privacy Law is available at no cost from the ALRC website, www.alrc.gov.au. The ALRC is seeking community feedback on these proposals before a final report and recommendations are completed in March 2008. Submissions close on 7 December 2007.
Thanks to Michel-Adrien Sheppard for the link: Library Boy: Review of Australian Privacy Law.
Tuesday, September 04, 2007
The Australian Privacy Commissioner is coming out against mandatory breach notification, which is a bit surprising given that the trends elsewhere are clearly in favour of notification. Just last week, the NZ Commissioner introduced breach notification guidelines.
Also of interest in this article is the fear over how pubs and bars use patrons' driver's license information:
Computerworld > 'Name-and-shame' disclosure could backfire
Australian federal privacy commissioner Karen Curtis is warning that calls for Australian companies to be subject to a compulsory name-and-shame data breach regime could backfire and create a compliance nightmare.
The statement is the strongest indication yet that a looming shake-up of the private sector provisions of the Privacy Act in Australia will not take the lead of US regulators, which have compelled corporations and government agencies to publish details of even minor infractions against customer data protection laws.
The warning comes as New Zealand organisations get to grips with our own Privacy Commissioner’s draft data breach disclosure guidelines, unveiled last week. Privacy Commissioner Marie Shroff has indicated she will consider whether breach guidelines should become mandatory.
Curtis says serious consideration is being given to publicly identifying companies or agencies involved in incidents when there was a tangible risk of harm to consumers.
This is backed by research undertaken by her office over the past nine years that shows consumers favour pragmatism and common sense over onerous bureaucracy.
“The guts of it is that mandatory reporting for breaches should be examined, but you have to find the right threshold,” Curtis says. “We think there is merit, but not in all circumstances. Direct comparisons [with the US] are not ideal.”
Curtis says the ALRC review, which will make formal recommendations to Attorney-General Philip Ruddock next year, was needed because there was a mishmash of private, public, federal, state and local privacy regimes that sometimes acted to confuse people as to where they could go to seek advice and justice.
Curtis confirms her office is looking at a number of complaints about the alleged circulation of the personal details of pub patrons, who had been forced to provide identification that is electronically scanned and retained. Many licensed pubs and clubs now claim they are required to collect such information under liquor licensing laws. Curtis says she wants to know where the information collected from scans of drivers’ licences or other documents is going and how it is being used. Australia’s Office of the Privacy Commissioner was expected to release new guidelines for pubs last week and will warn establishments that have an annual turnover of more than A$3 million that they are subject to federal privacy protection laws. The pub ID problem has become a serious issue in Queensland. The state’s licensing authority, Queensland Transport, has started to remove addresses from drivers’ licences because they were being used by pub bouncers to find out where female patrons live.
Curtis says she intends to use Privacy Awareness Week, which started in Australia as in New Zealand last weekend, to emphasise the benefits that good privacy protections bring the community at large.
Saturday, September 01, 2007
I've blogged a few times before about the growing practice of bars and nightclubs scanning patrons' ID (see: Canadian Privacy Law Blog: New technologies for scanning IDs, Canadian Privacy Law Blog: Calgary student challenges nightclub over scanning ID, Canadian Privacy Law Blog: Article: Swiping driver's licenses - instant marketing lists?).
It appears to also be a concern for the Privacy Commissioner in Australia.
ID scanners may breach privacy laws - Queensland - brisbanetimes.com.au
The Australian Privacy Commissioner Karen Curtis yesterday warned publicans to "seriously consider their obligations" under the Privacy Act.
"If pubs and clubs that scan people's ID fail to heed their obligations under the Privacy Act, they run the risk of breaching their customers' privacy and having a privacy complaint lodged against them," Ms Curtis said.
At least 12 licensed venues in and around Brisbane use the technology to combat what they see as a rise in alcohol-fuelled violence.
"People are understandably concerned that having their ID scanned could lead to identity theft or that their details will be used by the pubs or clubs for unrelated purposes, such as direct marketing," she said.
Ms Curtis said her office received its first complaint about the devices in 2001 - but more than 100 phone calls and numerous written complaints had been made in recent months.
Companies should take a close look at their duties under the Privacy Act, she said, which include allowing customers to interact anonymously where possible and only scanning an ID if a business can prove it is totally necessary.....
Sunday, April 08, 2007
This is an interesting development.
An Australian court has awarded damages for breach of privacy following the revelation by the Australian Broadcasting Corporation of the identity of a rape victim. This is important to Australia, but may also have a secondary effect here in the great white north, as Canadian courts are relatively open in citing and following other common law decisions. For the full scoop, check out Open and Shut: Victorian Court awards damages for breach of privacy.
Saturday, January 20, 2007
Individual countries tend to leave each other alone in the area of law reform, privacy and data protection. So it is rather unusual that the Attorney General of Australia is pushing India's government to strengthen privacy in the outsourcing sector. Currently, NASSCOM (the Indian outsourcing advocacy group) is working on voluntary guidelines for data protection, which the Indian government says may be replaced with legislation if they are not robust enough. See: Australia's Attorney General presses India on privacy data .:. NewKerala.Com, India News Channel.
Tuesday, August 29, 2006
Once again, Australia is in the privacy news. This time, it is the Australian Tax Office, which has recently disciplined two dozen employees over inappropriate perusal of tax records.
Australian IT - Tax office sacks 'spies' (Ben Woodhead, AUGUST 29, 2006):
A SECOND government agency has been forced to sack staff for spying on client records, with the Australian Taxation Office taking action against 27 workers for breaches of privacy.
The tax office took action against 24 employees over inappropriate access to taxpayer files last financial year, with another three cases detected this year.
ATO first assistant commissioner for people and place, Anne Ellison, said 12 of the staff caught spying last year resigned on the spot. Four were sacked, two were fined and six had their salaries reduced or were demoted.
Two were ultimately prosecuted for breaches of the Tax Administration Act, with one sentenced to community service and the other fined.
The revelations come a week after multi-millionaire former actor and producer John Cornell - who is facing allegations that he and Paul Hogan held $40 million in Swiss-administered trusts and offshore companies without declaring it to the ATO - accused the tax office of a campaign of media leaks....
Thanks to Open and Shut for the link: Open and Shut: This time it's the Tax Office named in privacy breach.
Thursday, June 22, 2006
The Government of Queensland in Australia apparently has a procedure for dealing with excess paper: Shred then send to an outsourcer to recycle. Someone forgot the all-important "shred" step and, as a result, birth certificates, blank cheques and other bits of personal information were released into the wild, according to the Australian.
My favourite quote is at the end:
Bungle sees private documents sold | The Australian:
June 22, 2006
THE Queensland Government is investigating how people's personal documents including birth certificates and wills were sold for paper recycling without being shredded first.
Public Works Minister Robert Schwarten said the Government was investigating reports that sensitive documents had turned up intact in a Brisbane man's workplace.
The documents reportedly came from various Government departments, including the Attorney-General's office, which declined to comment today.
Mr Schwarten said it took privacy breaches seriously.
"Any firm that compromises that will be on a one-way ticket out of business as far as we are concerned," Mr Schwarten said.
"We are not interested in doing business with people who do not honour the very stringent business conditions we set."
The documents, including blank bank cheques and wills, turned up in the workplace of a Brisbane man, whose wife spoke to the Ten Network.
"With the information that I have here, I could go to town," the woman told the network.
"I could assume someone else's identity. There's wills, there's blank bank cheques, there's birth certificates and marriage certificates.
"They are supposed to be shredded and then outsourced and sold as recycled paper but unfortunately, they have just been sold, not shredded."
Queensland Council of Civil Liberties (QCCL) vice-president Terry O'Gorman said the bungle showed the need for updated legislation and a privacy commissioner.
"Until those laws are introduced, this sort of gross invasion of privacy, including victims' details from the Department of Justice, will continue to occur," Mr O'Gorman said.
Opposition Leader Lawrence Springborg said the Government was at fault.
"I'm not sure even a privacy commissioner would be able to fix this, because it's the Government's basic bungling of fundamental issues," he said.
Monday, May 22, 2006
The Privacy Commissioner of Australia is poised to investigate a controversial "reverse directory" in that country. The site, www.boonghunter.com, provides names, addresses and numbers of residents based on partial information, including just the streets they live on. Women in particular are afraid that it'll make a good tool for stalkers.
The Advertiser: Women fear website puts them in danger [23may06].
By MICHAEL OWEN
AN unauthorised telephone directory website has alarmed women, who fear it will increase the risk of stalking and endanger women and children seeking refuge from domestic violence.
The website - www.boonghunter.com - also has disturbed Telstra, which yesterday described it as "a gross invasion of privacy".
The website and the source of its information was last night under investigation by federal authorities, including the Australian Communications and Media Authority and the Office of the Federal Privacy Commissioner. Sensis, Telstra's online directory division, said it was "appalled" by the website, which provides "reverse search" access to address and telephone numbers of individuals.
"Unlike the White Pages directory, where you need to know the name of the person you are searching for before you can find their details, reverse searching enables people to search for your private details without knowing who you are," Sensis Corporate Affairs Manager Karina White said.
"For example, you can find out someone's personal details just by knowing the street they live on.
"Whoever is behind this website has no regard for Australians' rights to have their personal contact information handled responsibly and with respect."
Karen Barnes, chairperson of the Kilburn-based Women's Housing Association, was concerned for the safety and security of women and children trying to flee abusive situations.
"We will be pursuing a formal inquiry to try and get this website closed down," Ms Barnes said.
Telecommunications industry sources last night said initial inquiries indicated an overseas computer hacker had gained access to the Integrated Public Number Database, which contains the names, addresses, phone numbers and phone location of all residential and business customers in the country. The database is managed by Telstra on behalf of the telecommunications industry.
The IPND is used by telcos to develop their own directories and is also available to authorised members of the Australian police and emergency services.
ACMA last night confirmed it had started investigating the source of the information on the website.
Privacy Commissioner Karen Curtis was last night preparing to launch a formal investigation.
The domain http://www.boonghunter.com is being redirected to http://www.indigenoushunter.com/. I understand the term "boong" (which I must confess I've never heard before) is an offensive term used to refer to aboriginal Australians.
Saturday, April 22, 2006
Peter Timmins at Open and Shut, a blog about privacy and access law in Australia, has a comment about a recent case there in which a hospital claimed public interest privilege when it tried to prevent an investigation board from obtaining the records of a woman who had received a late-term abortion in the hospital. The argument was not successful and the Court ordered that the records be provided. See: Open and Shut: Landmark privacy decision in abortion case.
Friday, February 03, 2006
Welcome to the blogging world, Open and Shut. Peter Timmins of New South Wales in Australia works regularly with the freedom of information and privacy legislation down under. He has just started his new blog, Open and Shut. The blog goes hand in hand with his regular FOI Newsletter of the same name and should keep you up to date on what's happening in this area in Australia. Since the Australian experience with privacy and access law is similar to what we find in Canada, it's always worthwhile taking a global perspective. Welcome to blogging, Peter.
Tuesday, January 31, 2006
Friday, December 23, 2005
The investigation of the recent racial riots in Sydney, Australia, is another reminder that text messages sent by cell phone are logged and are useful for police investigations: Police track text message senders - National - smh.com.au.
Tuesday, August 16, 2005
In response to the recent arguments raised by Dun and Bradstreet that privacy laws are actually feeding the increase of identity theft, the Australian Broadcasting Corporation is reporting that the government is considering providing the private sector with access to ID verification databases: Radio Australia - News - Australia seeks to combat increase in identity theft cases.
Monday, August 15, 2005
I blogged earlier about a story out of Australia in which Dun and Bradstreet claims that privacy laws are feeding identity theft in that country (The Canadian Privacy Law Blog: Credit bureau in Australia blames privacy laws for rise of identity fraud). Here is a transcript of the Australian Broadcasting Corporation's report: PM - Claim privacy laws leaving identity fraud unchecked.
Monday, August 08, 2005
The Chartered Secretaries Australia, a corporate governance association, is calling for changes to the law that currently allows anyone to have access to companies' shareholder lists. The current state of the law poses a threat to privacy, the CSA says: Call to protect shareholder information.
Wednesday, May 25, 2005
The Sydney Morning Herald is reporting that Australian doctors are legally selling de-identified patient records to a company that will provide the data to pharmaceutical companies.
Australian doctors sell medical records - Breaking News - National - Breaking News:
"Australian doctors are legally selling confidential medical records to a marketing firm with links to the pharmaceutical industry. GPs are handing over their patients' drug records - with no names attached - and receiving as little as $150 or gift vouchers as payment, a Melbourne newspaper reported on Wednesday.
The federal Privacy Commissioner has approved the deal between doctors and the Cam Group, one of the world's largest pharmaceutical promotions companies, because the information was 'de-identified' and did not breach the Privacy Act, the Herald Sun said.
But, according to the paper, the commissioner warned the government last year that removing a patient's name and address did not guarantee anonymity.
The promotion company collects the data through software used by 16,000 Australian GPs, collates the information and sells it to drug companies.
So far about 200 GPs across Australia have signed up, the paper said.
The Australian Consumers Association complained to Privacy Commissioner about the deal last year, alleging it broke privacy laws and was a threat to the doctor-patient relationship."
It takes much more than removing names and addresses to make medical records anonymous. I recall a study from not long ago in which the owners of "de-identified" medical records were identified with +90% accuracy by matching against public sources.
The more important thing is that patients probably don't care about how anonymous it can be rendered or the finer points of data matching. If they hear that their information is being sold to pharma companies, they will likely lose trust in their physicians.
Monday, August 30, 2004
The Australian Attorney General, Philip Ruddock, has initiated a review of private sector privacy legislation in that country.
Computerworld | Ruddock sets up privacy law review:
"Enterprises handling the personal information of customers are being given a second chance to influence the operation of the federal Privacy Act (1998). Federal Attorney General Philip Ruddock has announced a review of private sector provisions of the law.
According to a statement from Ruddock's office, Federal Privacy Commissioner Karen Curtis has been asked to 'examine the impact of the legislation on the community and the private sector', with the review assessing whether regulation of the private sector has been a success since the introduction of national legislation three years ago.
Specifically, the review will consider whether the laws have achieved a 'comprehensive national scheme for the private sector that regulates how organizations collect, use, store, disclose and transfer individuals' personal information'. "
Interested readers should note that Canada's PIPEDA is subject to mandatory review, which will take place next year.
Thursday, February 12, 2004
Privacy watchdog highlights website flaws. 12/02/2004. ABC News Online:
"The [Australian] Federal Privacy Commissioner believes many Australian companies are risking significant damage to their brands because of fundamental errors on their websites.
A recent investigation into Melbourne-based Ticketmaster 7 found the organisation's website allowed customers' personal information and contact details to be easily accessed by visitors to the site.
Privacy Commissioner Malcolm Crompton says he has highlighted Ticketmaster 7 to ensure other companies meet their obligations under the privacy act.
'It's not on any more for any company in Australia to have such simple flaws in their websites and one of the purposes of making this one so public is to call on all companies in Australia to assure themselves that they aren't exposed to this risk, which includes the risk of significant brand damage,' he said."
For other stories on this, see Google News.
Monday, January 12, 2004
From Australia - Oops:
THE federal Government has apologised after the names of naval women who have undergone gynaecological treatment were published on a government website.
In an apparent breach of privacy laws, the personal details of at least six navy women have been listed in gazettes that can be accessed by the public.
The information includes the names of the women and the cost of their gynaecological treatment as well as the naval base at which they work and the name and address of the doctor who treated them.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.