Privacy Act – Page 3 – Cyber Law Watch

Privacy Commissioner releases a Guide to deal with data breaches

Apr 19 2016

By Cameron Abbott, Rob Pulham and Simon Ly

On 11 April 2016, the Privacy Commissioner released a guide to deal with issues associated with data breaches. This is aimed at entities regulated by the Privacy Act 1988 (Cth) in order to assist them with complying with the Australian Privacy Principles.

When (and it is likely to be a matter of when and not if) your entity is subject to a data breach, whether it be through your system being hacked or if devices are lost or stolen, it is important that you are equipped to deal with it. It is important to get in front of such problems and have pre-prepared action plans given that it is likely that the first 24 hours will be the most crucial in determining your level of success in dealing with a data breach. Data breaches can be expensive, both in a monetary and reputational sense.

In the guide, the Privacy Commissioner highlighted that a written data breach response plan is an important tool to help deal with such issues. Such a plan should include:

actions to be taken if a breach is suspected, discovered or reported by a staff member, including escalation measures;
the members of the data breach response team; and
the actions the team are expected to take.

Such a plan needs to be regularly reviewed and updated, with all relevant staff kept up to date so that they know what actions they are expected to take.

The Privacy Commissioner suggests the following four steps to be taken when a data breach is discovered:

contain the breach and do a preliminary assessment;
evaluate the risks associated with the breach;
develop a plan for notifying affected individuals and consider what information should be in any notification; and
determine steps to be taken to prevent future breaches.

For more information, please feel free to contact us. You can find out more information on practical steps you can take here.

Hold the phone…is “metadata” personal information? Who knows?

Feb 12 2016

By Cameron Abbott, Simon McDonald and Meg Aitken

The ongoing debate surrounding what “metadata” actually is, and how it should be characterised under privacy laws has once again resurfaced. This time, the Federal Court will have a chance to decide on the issue, following a decision by the Privacy Commissioner to appeal a finding that denied a journalist access to metadata on the basis that it was not personal information.

Way back in 2013, a then technology journalist for Fairfax, Ben Grubb, asked Telstra to provide him with metadata and other information held by it in relation to his mobile phone on the basis that it constituted ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act) and he was therefore entitled to it.

Telstra did provide some information to Mr Grubb (including his outgoing call records, bills and the customer details they had stored for him), however it submitted that the “metadata” produced from his mobile phone use on Telstra’s network was not personal information, as it was not linked to him in a way that made his identity apparent or reasonably ascertainable.

Unsatisfied with this answer, Mr Grubb lodged a complaint with the Privacy Commissioner. In May 2015, the Commissioner held that Telstra ‘cross-matched’ data across its mobile network in such a way that it was possible to determine a customer’s identity and that Telstra was therefore in breach on NPP 6.1 (as it then was) by refusing to provide Mr Grubb with access to his personal information.

Telstra appealed to the Administrative Appeals Tribunal of Australia (AATA). Taking a strangely narrow approach to the issue, Deputy President Forgie ruled that the mobile network data was not personal information for the purpose of the Privacy Act. Instead, she said that the metadata was actually information about the service provided by Telstra and the delivery of that service, rather than about Mr Grubb and his mobile phone use. On that basis, Telstra was not obliged to provide Mr Grubb with access to the information, despite it being generated directly from his use of Telstra’s services.

Seem contrary to the deliberately broad concept of personal information that is designed to protect individuals? We agree, and so does the Privacy Commissioner. ‘Stay on the line’ to see how the Federal Court approaches the issue.

Access the determination and reasons for determination of Privacy Commissioner Timothy Pilgrim in Ben Grubb and Telstra Corporation Limited [2015] AICmr 35 (1 May 2015) here.

Access the AATA decision of Deputy President S A Forgie in Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991 (18 December 2015) here.

Access the Office of the Australian Information Commissioner’s Press Release here.

Privacy concerns over Westfield’s ticketless parking system

Feb 05 2016

By Cameron Abbott, Meg Aitken and Shirley Chen

Westfield has sidelined the SMS feature of its ticketless parking system this week due to concerns it breached Australian privacy laws.

Westfield’s newfangled ticketless parking system attempted to make parking quicker and easier for shoppers by scanning car number plates on entry and exit of their carparks, and sending an SMS notification to registered parkers recording their entry time and an alert message when their free parking time was nearly up. To register for the service, users were merely required to provide a name, license plate number and phone number (with no verification).

Privacy experts raised the alarm that any person could register false details and track another person’s physical location via the SMS notifications. This was a particular worry for those in domestic violence situations and could also potentially enable stalking or thieves to determine when homeowners had left their houses. The feature’s Terms and Conditions failed to address any of these issues.

The SMS service is currently suspended as internal investigations are conducted, though the rest of the ticketless parking system and app continue to operate.

Learn more about the ticketless parking system here.

Read the ITNews report on the issue here.

Microsoft cuts support for Internet Explorer 8, 9 and 10

Jan 13 2016

By Cameron Abbott and Meg Aitken

Today, Microsoft will initiate the ‘end-of-life’ phase for the company’s older Web browsers, Internet Explorer 8, 9, and 10. Customers using the outdated browsers will be sent an ‘end-of-life upgrade notification’ as technical support and security updates have now ceased.

Microsoft has encouraged the several hundred million users who currently operate the outdated browsers to upgrade to Internet Explorer 11 or Microsoft Edge, which they suggest offers better-quality security and improved performance.

While users currently running Internet Explorer 8, 9 and 10 will still be able to use their browsers, Microsoft has warned there is a significant security risk of continuing to run the outdated versions. Without the periodic security updates and routine technical support, the outdated browsers will be vulnerable to cyber-attacks, malware and other security threats.

Australian Corporations have an obligation to keep materials secure under the Privacy Act 1988 (Cth) and should therefore consider the risk that using the unsupported browsers may not be sufficient to meet this requirement.

Access the Microsoft release here.

Tag:Privacy Act