The Federal Government’s coronavirus tracing app has raised some privacy concerns amongst the Australian public. Even some of our government Ministers have ruled out downloading the app due to such concerns! However, the independent cyber security body tasked with reviewing the app has said that it has found no major concerns with it.
We previously blogged about the plethora of Asian countries who are using telecommunications networks, smart phone applications and messaging services to inform, track and monitor individuals who may have contracted COVID-19. It appears that Australia’s eyes are on similar technology opportunities, as according to an article from the SMH, the Federal Government will ask Australians “within weeks” to opt in and sign up for a mobile application that uses tracking data to alert individuals as to their risks of contracting COVID-19.
According to the article, the relevant application will monitor the movements of participants to inform individuals whether they have been close to someone already infected with COVID-19. The application also has the functionality to enable someone who has contracted the virus to notify health authorities and ensure that an alert is sent to anyone he or she has been in contact with over the previous 24 hours. Both of these processes are part of what is known as “contact tracing”.
Following on from the consultation opened by the NSW Government in July 2019 (the subject of a previous blog), NSW Attorney-General Mark Speakman has committed to introducing a mandatory data breach scheme, according to an article by ITNews.
At present, neither NSW privacy laws nor the notifiable data breach scheme under Part IIIC of the Privacy Act 1988 (Cth) require public sector agencies in NSW to notify the NSW Privacy Commissioner and affected individuals where a data breach creates a risk of serious harm. This led to a consultation conducted by the Department of Communities and Justice in late 2019, which revealed “overwhelming public support” for the introduction of a mandatory data breach scheme in NSW, with the NSW Government “sharing a view” that the relevant scheme should be introduced.
We have blogged numerous times on the notifiable data breach scheme provided for in Part IIIC of Privacy Act 1988 (Cth) including more recently in relation to its success in assisting the preparedness of the health sector to report and respond to data breaches.
Whilst the NSW Information Privacy Commissioner recommends that public sector agencies notify it and affected individuals where a data breach creates a risk of serious harm, neither NSW privacy laws nor the notifiable data breach scheme require public sector agencies in NSW to provide such notification. There are many reasons for state government agencies to mandatorily report data breaches. Informing citizens when privacy breaches occur gives them an opportunity to protect themselves against potentially adverse consequences, whilst mandatory data breach reporting would address the current under-reporting of data breaches in NSW, which according to the consultation may be the norm.
Following two key data incidents concerning how the Commonwealth Bank of Australia (CBA) handled data, the OAIC has successfully taken court action binding the banking heavyweight to “substantially improve its privacy practices”.
As a quick summary of the incidents, the first incident involved the loss of magnetic storage tapes (which are used to print account statements). These contained historical customer data, including customer statements, of up to 20 million bank customers. In 2016, the CBA was unable to confirm that the two magnetic tapes had been securely disposed of after their scheduled destruction by a supplier.
It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights from the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.
Last week the OAIC released their consultation draft Guide to big data and the Australian Privacy Principles, with feedback on the Guide open until 26 July 2016.
The main purpose of the Guide is to facilitate big data activities while protecting personal information (being information or an opinion about an identified individual, or an individual who is reasonably identifiable). The Guide addresses issues such as notice and consent, retention minimisation and use limitation in regards to such data. Whilst not legally binding, the Guide will be referred to by the Privacy Commissioner in undertaking its functions under the Privacy Act.
One of the key aspects dealt with in the Guide is that entities should consider undertaking big data activities in an anonymised manner by de-identifying personal information. If so, this has the favourable outcome that such data will not be considered personal information, so less onerous obligations apply to it under the Privacy Act. Of course, it also lessens the chance that personal information will be compromised should a data breach occur (speaking of which, we note the OAIC’s April 2016 guide to dealing with data breaches). However, in our experience most of our clients want to analyse the data and then drill down to take actions or run campaigns in relation to a then identified group of customers.
The Guide also highlights how big data interacts with the APPs as well as discussing other related concepts, such as “privacy by design” frameworks. For more information, you can access the OAIC’s consultation draft Guide here.
The ongoing debate surrounding what “metadata” actually is, and how it should be characterised under privacy laws has once again resurfaced. This time, the Federal Court will have a chance to decide on the issue, following a decision by the Privacy Commissioner to appeal a finding that denied a journalist access to metadata on the basis that it was not personal information.
Way back in 2013, a then technology journalist for Fairfax, Ben Grubb, asked Telstra to provide him with metadata and other information held by it in relation to his mobile phone on the basis that it constituted ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act) and he was therefore entitled to it.
Telstra did provide some information to Mr Grubb (including his outgoing call records, bills and the customer details they had stored for him), however it submitted that the “metadata” produced from his mobile phone use on Telstra’s network was not personal information, as it was not linked to him in a way that made his identity apparent or reasonably ascertainable.
Unsatisfied with this answer, Mr Grubb lodged a complaint with the Privacy Commissioner. In May 2015, the Commissioner held that Telstra ‘cross-matched’ data across its mobile network in such a way that it was possible to determine a customer’s identity, and that Telstra was therefore in breach of NPP 6.1 (as it then was) by refusing to provide Mr Grubb with access to his personal information.
Telstra appealed to the Administrative Appeals Tribunal of Australia (AATA). Taking a strangely narrow approach to the issue, Deputy President Forgie ruled that the mobile network data was not personal information for the purpose of the Privacy Act. Instead, she said that the metadata was actually information about the service provided by Telstra and the delivery of that service, rather than about Mr Grubb and his mobile phone use. On that basis, Telstra was not obliged to provide Mr Grubb with access to the information, despite it being generated directly from his use of Telstra’s services.
Seems contrary to the deliberately broad concept of personal information that is designed to protect individuals? We agree, and so does the Privacy Commissioner. ‘Stay on the line’ to see how the Federal Court approaches the issue.
Access the determination and reasons for determination of Privacy Commissioner Timothy Pilgrim in Ben Grubb and Telstra Corporation Limited AICmr 35 (1 May 2015) here.
Access the AATA decision of Deputy President S A Forgie in Telstra Corporation Limited and Privacy Commissioner AATA 991 (18 December 2015) here.
Access the Office of the Australian Information Commissioner’s Press Release here.