Tag: disclosure of personal information

1
Human error accounts for 34% of Notifiable Data Breaches – 3 key take outs from the latest OAIC report
2
HealthEngine under fire for profiting from disclosure of patient information
3
Who have you been giving your name and number to? A cautionary tale
4
OAIC’s controversial decision broadens scope for the disclosure of personal information
5
UK Information Commissioner Orders Cambridge Analytica to Hand Over American’s Personal Data

Human error accounts for 34% of Notifiable Data Breaches – 3 key take outs from the latest OAIC report

By Cameron Abbott and Karla Hodgson

The Office of the Australian Information Commissioner has released its Q2 statistics on notifications received under the Notifiable Data Breach (NDB) scheme. The 245 breach notifications in Q2 are on par with each other quarter since the scheme was introduced in July 2018 and while the majority of NDBs (62%) are attributed to malicious or criminal attacks, we noted with interest that a staggering 34% are due to human error – that is, mostly avoidable errors made by staff. A consistent theme of our blogs is reinforcing the message that employees are the front line of defence for organisations.

There are 3 key statistics we took away from these human error NDBs.

Read More

HealthEngine under fire for profiting from disclosure of patient information

By Cameron Abbott, Michelle Aggromito and Alyssia Totham

The Australian Competition and Consumer Commission (ACCC) is taking on Australia’s largest online health marketplace, HealthEngine. In return for a fee, HealthEngine provided without adequate disclosure, patient information to nine private health insurance brokers. 

The MedTech platform functions as an online booking service for many health care providers Australia-wide. During the booking process, HealthEngine would ask users two additional questions. Firstly, they would ask if the user had private health insurance. Secondly, they would ask if the user would like to be contacted with health insurance comparison information. By clicking ‘Yes’ to the second question, users had their personal information transferred to health insurance brokers. This information comprised the user’s name, contact details, date of birth and private health care status.

Read More

Who have you been giving your name and number to? A cautionary tale

By Cameron Abbott and Allison Wallace

Have you inadvertently given the owners of global, searchable databases of phone numbers and associated names access to your entire contact list?

We suspect that you cannot confidently answer “no”.

In yet another tale of why you should read the terms of use and service of apps and other online products you download or sign-up to use, we’ve recently been exposed to the shock of having your name appear on a complete stranger’s phone, after they’re given your number (but not your name) to call you. We asked the question of how this could happen – and found the answer to be quite alarming.

The Samsung Smart Call function, which is powered by Hiya, boasts that it allows you to “deal with spam the easy way”, by letting you know who is calling you, even if their number is not saved in your contact list. In theory, this is a handy tool, and in the context of robocalls or other unsolicited marketing calls, doesn’t create any privacy issues. But when the database which powers the function contains the names and numbers of (we suspect) millions of private citizens, this becomes quite concerning.

So, how do private numbers (and the names of their associated users) come to be listed in databases such as Hiya? Well, for one, anyone who downloads the Hiya app is given the option to share their contacts. If they do, and your number is saved to their phone, your details will become part of the database. We have no doubt that many who download and use the Hiya app didn’t realise what they were signing up for (or what they were signing up their entire contact list for) – because they didn’t read the terms of use. This also begs the question – are companies like Hiya properly satisfying their privacy obligations merely by asking users to “opt in” to share their contacts?

Hiya is of course not the only “caller ID” app on the market – a quick search of the Apple App store reveals numerous other options for download – including Truecaller, Caller-ID, Sync.ME and CallHelp. In 2018, Hiya reached 50 million active users worldwide, while Truecaller’s website says it has over 130 million daily active users. Those figures of course would barely scrape the surface of the number of names and phone numbers held in their collective databases.

In case you’re wondering how much damage could really be done by a third party having access to your name and phone number – think about all of the things your number is linked to. Your Facebook, your Gmail, maybe even your bank account and credit cards. Information is power – and this is the kind of information that could easily allow hackers to wreak a reasonable amount of havoc. So before you sign-up to a new app, take the time to read the terms of service, because your use could not only be exposing your personal information, but that of your entire contact list.

OAIC’s controversial decision broadens scope for the disclosure of personal information

By Warwick Andersen, Rob Pulham and Georgia Mills

In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt.  In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox.  The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.

Read More

UK Information Commissioner Orders Cambridge Analytica to Hand Over American’s Personal Data

Cameron Abbott and Georgia Mills

The UK Information Commissioner has ordered UK-based firm Cambridge Analytica to hand over all the personal information it holds about an American academic, confirming the right of people to access the personal data held about them by a UK firm.  The academic initially approached Cambridge Analytica for it to explain what information it had gathered on him, and later complained to the Commissioner that the consulting firm had failed to share the entirety of its data on him nor explained how it accumulated the information it held.

Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.