The Office of the Australian Information Commissioner (OAIC) has released its second quarterly report of notifiable data breaches. This report is of particular significance as it, unlike the first “quarterly” report, covers a full quarter and therefore depicts a more accurate account of data breaches over a calendar quarter.
In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt. In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox. The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.
Up to 8000 clients of Family Planning New South Wales have been affected by a ransomware attack on the NGO’s website. No the sort of records people every want to see disclosed.
The website was hacked on ANZAC Day, with the personal information of clients who had contacted FPNSW in the past 2 and a half years compromised – including details such as names, contact details and reasons for enquiries.
It’s been just over 6 weeks since the government’s notifiable data breach scheme came into force and the Office of the Australian Information Commissioner (OAIC) has revealed it has received 63 reports of data breaches since the scheme’s start date of February 22. The figure released as part of the OAIC’s first quarterly report on the scheme.
This is somewhat of a stark contrast to the 114 voluntary notifications for data breaches received by the OAIC in the 2016-17 financial year, before the scheme was in place.
Over the last few weeks we’ve been blogging about the data “sharing” scandal that has rocked Facebook, and has lead to a boycott of the popular social media site, and sent CEO Mark Zuckerberg to face the music on Capitol Hill.
In case you’d missed the story (which you can read about here, here and here), Facebook estimated 87 million people globally, including 300,000 Australians, had their data shared with Cambridge Analytica, a political consultancy firm used by US President Donald Trump in his 2016 election campaign.
By Cameron Abbott and Rebecca Murray
The hugely popular Pokémon GO app is at the centre of privacy and security concerns after recent media reports noted that its installation required access to a significant amount of users’ personal information. This prompted Australian Privacy Commissioner, Timothy Pilgrim to make enquiries with the developer of the app, Niantic Labs, to “ensure the personal information of users is being managed in accordance with the Australian Privacy Act.” Read the OAIC statement here.
Available on iOS and Android platforms, the smash-hit game uses augmented reality technology and your smart-phone GPS and camera to display fictional Pokémon which users then aim to find and capture.
Privacy concerns arose after users noted that installing the iOS version of the app required full access to users’ Google accounts. In response, Niantic Labs reported that the access was requested erroneously and that Google would reduce Pokémon GO’s permission to only the basic profile data that it needs. Niantic and Google have since corrected the permissions. Read Niantic’s statement here.
Commissioner Timothy Pilgrim warned that the security scare was a “timely reminder that people need to read the privacy policies of all smartphone apps before signing up. This way people can make an informed decision about if they want to use an app.” However, we will wager that 99% of people just click “accept”.
Last week the OAIC released their consultation draft Guide to big data and the Australian Privacy Principles, with feedback on the Guide open until 26 July 2016.
The main purpose of the Guide is to facilitate big data activities while protecting personal information (being information or an opinion about an identified individual, or an individual who is reasonably identifiable). The Guide addresses issues such as notice and consent, retention minimisation and use limitation in regards to such data. Whilst not legally binding, the Guide will be referred to by the Privacy Commissioner in undertaking its functions under the Privacy Act.
One of the key aspects dealt with in the Guide is that entities should consider undertaking big data activities on an anonymised manner by de-identifying personal information. If so, this has the favourable outcome that such data will not be considered personal information so accordingly less onerous obligations apply under the Privacy Act to such data. Of course, if this is the case it also lessens the chance that personal information will be compromised should a data breach occur (speaking of which, we note OAIC’s April 2016 guide to deal with data breaches). However, in our experience most of our clients want to analyse and then drill down to take actions or campaigns in relation to a then identified group of customers.
The Guide also highlights how big data interacts with the APPs as well as discussing other related concepts, such as “privacy by design” frameworks. For more information, you can access the OAIC’s consultation draft Guide here.
On 11 April 2016, the Privacy Commissioner released a guide to deal with issues associated with data breaches. This is aimed at entities regulated by the Privacy Act 1988 (Cth) in order to assist them with complying with the Australian Privacy Principles.
When (and it is likely to be a matter of when and not if) your entity is subject to a data breach, whether it be through your system being hacked or if devices are lost or stolen, it is important that you are equipped to deal with it. It is important to get in front of such problems and have pre-prepared action plans given that it is likely that the first 24 hours will be the most crucial in determining your level of success in dealing with a data breach. Data breaches can be expensive, both in a monetary and reputational sense.
In the guide, the Privacy Commissioner highlighted that a written data breach response plan is an important tool to help deal with such issues. Such a plan should include:
- actions to be taken if a breach is suspected, discovered or reported by a staff member, including escalation measures;
- the members of the data breach response team; and
- the actions the team are expected to take.
Such a plan needs to be regularly reviewed and updated, with all relevant staff kept up to date so that they know what actions they are expected to take.
The Privacy Commissioner suggests the following four steps to be taken when a data breach is discovered:
- contain the breach and do a preliminary assessment;
- evaluate the risks associated with the breach;
- develop a plan for notifying affected individuals and consider what information should be in any notification; and
- determine steps to be taken to prevent future breaches.
For more information, please feel free to contact us. You can find out more information on practical steps you can take here.
The Attorney-General’s Department has released for discussion, an exposure draft bill regarding mandatory reporting of serious data breaches. Notification requirements will apply to companies and information subject to the Privacy Act.
Under the proposal, a company would have up to 30 days after it is aware of a breach, or ought reasonably to be aware of a breach, to assess whether a data breach is a ‘serious data breach’. A serious data breach occurs if:
- there is unauthorised access or disclosure of information; and
- there is a real risk of serious harm to any of the individuals to whom the information relates.
When considering whether there is a real risk of serious harm to an individual the draft legislation lists a number of factors that should be considered including:
- the kind of information;
- whether the information is in a form that is intelligible to an ordinary person;
- whether the information is protected by security measures;
- the kinds of person who could obtain the information;
- the nature of the harm; and
- any mitigation steps taken by the company.
If the company determines that a serious data breach has occurred, it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. The draft legislation also gives the OAIC additional powers to direct companies to undertake notification.
The proposal has a number of differences from the previous attempts to legislate mandatory data breach reporting which were made in 2013 and 2014. Most notably, previously the trigger for notification involved a belief that there had been a data breach, the current draft requires a company to be aware, or when it ought reasonably to be aware, of a breach. Additional types of specific harm are included in the current draft, however, this is unlikely to have a major impact in practice.
Currently, data notification is only mandatory for unauthorised access to eHealth information under the My Health Records Act 2012. However, the OAIC operates a voluntary data breach notification scheme which also uses the real risk of serious harm notification threshold.
The exposure draft and accompanying discussion paper can be found here. Submissions are due by 4 March 2016.