The Federal Government’s coronavirus tracing app has raised some privacy concerns amongst the Australian public. Even some of our government Ministers have ruled out downloading the app due to such concerns! However, the independent cyber security body tasked with reviewing the app has said that it has found no major concerns with it.Read More
By Cameron Abbott and Keely O’Dowd
Australians now have until 31 January 2019 to decide whether or not to have a My Health Record. The deadline to opt-out of having a My Health Record has been extended again.
Due to privacy and security concerns raised by various stakeholders and medical professionals, the Australian Government has proposed two sets of legislative changes to the My Health Record legislation to strengthen existing privacy protections set out in the legislation and established a Senate Committee inquiry to assess whether the My Health Record system is working and how it can be improved. In July this year, we blogged about the privacy and security concerns raised about the My Health Record system.
During the Senate Committee inquiry, it was revealed by the Office of the Australian Information Commissioner (OAIC) that since the My Health Record system commenced in July 2012, the OAIC has received 88 My Health Records mandatory data breach notifications and 11 mandatory data breach notifications. The data breaches generally involved incorrect information being uploaded to a My Health record.
It is evident to us that the My Health Record system has significant privacy and security issues that should be properly considered before the opt-out period ends. These issues are highlighted in the Senate Committee inquiry final report. In addition, the amending legislation designed to strengthen the privacy protections of the My Health Record system is still being debated in the Senate.
Extending the time for people to decide whether or not to opt-out of a My Health Record is a sensible approach. This gives individuals more time to properly understand the implications of having a My Health Record and for important privacy issues to be considered by the Australian Government.
However if ongoing concerns remain about the privacy and security protections of the My Health Record System by 31 January 2019, if in doubt, better to opt out!
The Office of the Australian Information Commissioner (OAIC) has released its third quarterly report of notifiable data breaches. This is the second OAIC report to be released covering a full quarter.
The report revealed that OAIC received 245 notifications of data breaches, marginally up from 242 notifications in the second quarterly report.
Some interesting figures from the OAIC’s report are as follows:
- 18% of notifications were from health service providers, 14% were from the finance sector; 14% were from the legal, accounting and management services sector; 7% were from the private education sector, and 5% were from the personal services sector;
- 85% of data breaches involved individual’s contact details, 45% involved financial details, 35% involved identity details, 22% involved health details, 22% involved tax file numbers, and 7% involved other types of personal information; and
- 57% of data breaches were due to malicious or criminal attack, with 37% due to human error, and 6% due to system faults, with cyber incidents, namely compromised credentials or phishing being the main the cause of
Of the 245 data breaches, 58 affected only one individual – however, 7 affected more than 10,000 individuals.
These figures are a clear reminder of the need to ensure that your business is equipped to deal with data breaches. To learn more about this, take a look at this 60-second video by Cameron Abbott. With professional services ranking a solid third, we’ll take some of our own advice too!
The Office of the Australian Information Commissioner (OAIC) has released its second quarterly report of notifiable data breaches. This report is of particular significance as it, unlike the first “quarterly” report, covers a full quarter and therefore depicts a more accurate account of data breaches over a calendar quarter.
In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt. In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox. The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.
It’s been just over 6 weeks since the government’s notifiable data breach scheme came into force and the Office of the Australian Information Commissioner (OAIC) has revealed it has received 63 reports of data breaches since the scheme’s start date of February 22. The figure released as part of the OAIC’s first quarterly report on the scheme.
This is somewhat of a stark contrast to the 114 voluntary notifications for data breaches received by the OAIC in the 2016-17 financial year, before the scheme was in place.
Australia’s Information and Privacy Commissioner Timothy Pilgrim is making enquiries into allegations that the personal information of customers of three Australian telcos is being sold online.
Fairfax uncovered an alleged rort involving ‘corrupt insiders’ at the offshore call centres of Telstra, Optus and Vodafone, which has allegedly seen details including customers’ addresses, dates of birth and billing statements leaked to at least one private company in India, which is then allegedly selling the information for up to $1000.
Commissioner Pilgrim has said in a statement that he is working to determine what further action may need to be taken.
All three telcos have also released statements, reiterating that they take the privacy of their customers seriously. Vodafone and Optus have met with the AFP, which has now passed the matter on to Indian authorities.
By Cameron Abbott and Rebecca Murray
The Australian Privacy Commissioner, Timothy Pilgrim and The Privacy Commissioner of Canada, Daniel Therrien have released a joint report on the data breach of cheating website Ashley Madison which affected approximately 36 million Ashley Madison user accounts last year. Read our post on the breach here.
Controversially, despite the company not having a physical presence in Australia, the Commissioners found that Ashley Madison’s parent company Avid Life Media (ALM) was regulated as an “APP entity” due to the fact that it carried on business and collected personal information in Australia. This finding was based on the fact that ALM conducted marketing in Australia, targeted Australian residents for its services and collected the personal information of Australians.
ALM agreed to a number of enforceable undertakings to the Commissioner. Amongst other things, ALM has undertaken to augment its security framework, provide extensive security training for staff and cease its practice of retaining the information of users with deleted, deactivated or inactive accounts. Consistent with the trend in undertakings it requires independent verification of certain compliance steps. Find the undertakings here.
It also seeks to address the accuracy of the records, which is a challenge for a cheating website. Letting someone sign up using for example Tony Blair’s email address captured the attention of the regulators. They focused on the interests under Privacy laws of those whose email addresses were falsely added to the sign up. A confirming email with an option to opt out was not considered an adequate measure.
Read more about the report here.