Privacy Advisor

Global Privacy Dispatches

September 1, 2007


By KK Lim

Government to Provide Single Source of Biometric Identification
Biometric data of foreigners entering Australia will be stored in a central repository for identification, verification and cross-checking by departments of the Australia Government. The Department of Immigration and Citizenship (DIAC) is expected to provide a single source of identification for all DIAC clients. The 3-year management strategy is covered under the Migration Legislation Amendment (Identification and Authentication) Act of 2004 and will employ facial, iris scanning and fingerprinting for foreigners entering Australia. DIAC reports that identify fraud cost Australia about $1 billion per year.
Search of Homes, Computers Draws Opposition
"Sneak and peek" laws enabling federal police to search homes and computers without notification, planting listening devices and reducing oversight on undercover operations that involved police officers, are opposed by lawyers and other concerned civil liberty groups on the basis that such powers should be used only for terrorism and organized crimes.

Australia Moves Toward Security Breach Notification Law
A security breach notification law is likely to be recommended by the Australian Law Reform Commissioners in their discussion paper to be released soon, with the final report to be submitted to the Federal Attorney General early next year.

Breach notification laws require companies to inform their customers of a security breach involving their customers' information under certain conditions.

Meanwhile, Australian Democrat Senator Natasha Stott Despoja has introduced to Federal Parliament a proposed amendment to the Federal Privacy Act that introduces data disclosure laws to Australia. The Privacy (Data Security Breach Notification) Amendment Bill 2007 would obligate a corporation or government agency to inform individuals affected by any release of personal and financial data to unauthorized parties.

Update on Workplace Surveillance Bans
State of Victoria has banned employers from using listening or optical surveillance devices such as cameras in workplace toilets and bathrooms, or communicating or publishing materials obtained from such activities. Surveillance is allowed on grounds of national security, based on a warrant or due to licensing requirements. State of New South Wales allowed surveillance of workers if notice is given in advance or on a magistrate's order to determine criminal activities by workers. 

KK Lim is the Chief Privacy Officer (Asia Pacific) at IMS Health Inc. He may be reached at This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .


By Terry McQuay, CIPP, CIPP/C

On August 1, 2007, the Privacy Commissioner of Canada published guidelines designed to help private-sector organizations respond to a breach of personal information.

These voluntary guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm, for example, if there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen.

The guidelines were developed by the privacy commissioner with participation from the Offices of the Privacy Commissioners of British Columbia and Alberta, private-sector businesses and business associations, and consumer advocacy organizations.

The guideline provides for the following four steps:

Step 1: Breach Containment and Preliminary Assessment — includes guidance regarding:

  • Containing the breach;
  • Designating an appropriate individual to lead investigation;
  • Determining the need to assemble a team, including representatives from appropriate business areas;
  • Determining who needs to be aware of the incident and escalate as appropriate;
  • Notifying police, if the breach appears to involve theft or other criminal activity;
  • Taking care not to compromise the ability to investigate the breach.

Step 2: Evaluate the Risks Associated with the Breach — provides guidance in determining the:

  • Nature of the personal information involved;
  • Cause and extent of the breach;
  • Individuals affected by the breach;
  • Foreseeable harm from the breach;

Step 3: Notification — provides guidance regarding:

  • Notification to affected individuals — considering:
    - Legal or contractual obligations;
    - The risk of harm;
    - Where "reasonable" risk of identity theft or fraud exists;    
    - The risk of physical harm;
    - The risk of humiliation or damage to reputation;
    - The ability of the individual to avoid or mitigate possible harm.
  • When to notify, how to notify and who should notify:
- When — as soon as possible, unless a delay is requested by law enforcement authorities;
- How — preferred method is direct (i.e. phone, letter, email) but indirect may be appropriate in some circumstances;
- Who — generally, the organization that has a direct relationship with the customer (including when a breach occurs at a third-party service provider).
  • What should be included in the notification, for example:

        - Information about the incident;
        - What personal information was affected by the breach;
        - What the organization is doing to assist individuals and what individuals can do  to mitigate potential harm;
        - Contact information of person(s) within the organization and for the appropriate privacy commissioner(s)
  • Others to contact, such as:
    - Privacy Commissioners;
    - Police;
    - Professional or regulatory bodies;
    - Credit card companies, financial institutions or credit reporting agencies;
    - Other internal or external parties such as third-party contractors, labour unions, etc.

Step 4:  Prevention of Future Breaches — provides guidelines concerning:

  • Investigating the cause of the breach and consider whether to develop a prevention plan;
  • Consideration to include a requirement for an audit to ensure that the prevention plan has been fully implemented.

The new guidelines, as well as a privacy breach checklist, are available on the privacy commissioner's Web site,

Terry McQuay, CIPP, CIPP/C, is the Founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at


By Shannon Ballard, CIPP/G, and Lauren Saadat, CIPP/G

The EU recently agreed upon legal texts governing the Visa Information System (VIS) and the exchange of data between member states on short-stay visas and visa applications from third-country citizens who wish to enter the EU's Schengen area. The VIS is composed of a European central database, which is connected to the national systems to enable competent member state authorities to enter and consult data on visa applications and related decisions. The personal data from visa applications stored in VIS will include biometrics (photographs and fingerprints) and written information such as the name, address and occupation of the applicant, date and place of the application, and any decision taken by the member state responsible to issue, refuse, annul, revoke or extend the visa. The Visa Information System will store data on up to 70 million people, and will become the largest 10-fingerprint database in the world.

The new legal texts define the purpose, functionalities, and responsibilities for the VIS, and establish the conditions and procedures for the exchange of visa data between member states. It also describes certain safeguards, in relation to the fair information principles, to protect personally identifiable information. 

Shannon Ballard, CIPP/G, and Lauren Saadat, CIPP/G, are Associate Directors of International Privacy Policy at the U.S. Department of Homeland Security. They can be reached at This e-mail address is being protected from spam bots, you need JavaScript enabled to view it and This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .


Credit Reporting Company Faces Lawsuits
Lawsuits rained on a credit reporting company in Malaysia due to outdated credit reports issued to banks' prospective customers. Credit Tip Off Service (CTOS) was slapped with a number of lawsuits from people who were denied credit cards and loans from banks based on their credit reports.

Other complaints against the company included allegedly failing to update their records, delays in reacting to complaints and feedback, and selling information to an ex-spouse of a complainant. Calls have been made by members of the Parliament to implement data privacy law to prevent such incidents. Banks have been directed by the government to seek permission from borrowers before assessing their credit histories from third parties.   
— KK Lim


High Court Rejects Petition to Restrain Implementation of Anti-Terror Law

The Supreme Court has rejected a petition by various groups to restrain the government from implementing an anti-terrorist law. These groups claimed that the law is unconstitutional as it violates provisions in the Bill of Right of Individuals such as right to privacy, due process freedom of expression etc. In addition, it could be used for political harassment and persecution. The government's aim is to use the law against terrorist groups such as Abu Sayyaf and Al-Qaeda.                 
— KK Lim


Groups React to Proposal for Mandatory AIDS Testing
Compulsory testing for AIDs for high-risk groups in hospitals was proposed by one family-oriented welfare group, Focus on the Family. This proposal came in response to a report released by the Ministry of Health on anonymously collected blood samples from hospitals on 3,000 persons.

The report revealed that 0.28 of those who thought they are free, are HIV positive. This works out to one in every 350 hospital patients who are HIV positive, posing a threat to health workers attending to them. Since 2004, pregnant women in Singapore have been subjected to an opt-out HIV test as part of standard health screening. Groups like AIDS Business Alliance and Action for AIDS said the proposal was a violation of privacy, discriminatory and has the opposite effect of helping those with the disease.
— KK Lim


Anti-Censorship Group Opposes New Cyber Crime law
Police can seize computers from businesses and homes under a new cyber crime law to crack down on Internet pornography. A maximum 20-year prison term is applicable for offenders under the new legislation.

Freedom Against Censorship of Thailand is opposing the measure, citing it as invasion of privacy. Censorship is on the increase since the military coup last year with the government blocking sites critical of the King or supportive of ousted former Premier Thaksin Shinawatra.                          
— KK Lim


By Eduardo Ustaran

Jail for Privacy Regulator Impersonator
A fraudster from Chester in England was sentenced to 20 months in prison after pleading guilty to fraudulently obtaining more than £400,000 from a number of businesses in the area.

Between December 2002 and April 2004, Christopher J. Williams of Hoole deceived businesses into believing he was an agent working on behalf of the Information Commissioner's Office.

He sent fake forms to companies requiring them to register under the Data Protection Act and demanding they pay him a fee of between £95 and £135. Unlike most European jurisdictions, making a data protection filing in the UK is not free. The official fee is £35. Williams, along with one other man, ran a number of bogus agencies which directly targeted businesses.

Guidance for Fingerprinting in Schools
According to recent guidance from the Information Commissioner's Office, when a school intends to take fingerprints, it should inform and consult pupils about the use of their personal information.

A school should explain the reasons for introducing the system, how personal information is used and how it is kept safe. Some pupils — because of their age or maturity — may not understand the sensitivities involved in providing a fingerprint. Therefore, where a school cannot be certain that a child understands the implications of giving their fingerprint, the school must fully involve parents to ensure the information is obtained fairly. In circumstances where children are not in a position to understand, failure to inform parents and seek their approval is likely to breach the Data Protection Act. In addition, information should be processed on a suitably designed IT system, in which templates cannot readily be used by computers running other fingerprint recognition applications.

Eduardo Ustaran is a Partner at Field Fisher Waterhouse LLP, based in London. He may be reached at This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .