ANZ Dashboard Digest

Putting its regard for privacy compliance to the fore, the iappANZ Board has this week taken the decision to opt in to the obligations of the new privacy legislation. You will see our new privacy policy, and we welcome any comments as it has been a collaborative effort by some of Australia’s finest privacy minds. We understand that the privacy commissioner will be talking about ways to improve organisations’ privacy policies at the OAIC Privacy Awareness Week Breakfast, so if you are revising yours, it is an event not to be missed. In news this week you will also see that AMSRO has also applied to register a non-mandatory code of practice.

Now that 12 March is over, we are starting to see less of the doomsday reports and more of the innovation which the OAIC encourages. We expect plenty of new ideas in Privacy Awareness Week in May. We are delighted to confirm that the deputy chair of the ACMA will be joining the ALRC and OAIC representatives in our Great Debate on Australia’s direction on serious invasion of privacy in the digital age.

The article by Brenda Aynsley OAM this week, “Sharing the Values to match the technology,” presents a fascinating counterpoint to the call by Tim Berners-Lee and the World Wide Web consortium in their “Web We Want Campaign.” Aynsley examines the important distinction between “trusted” providers and “trustworthy” providers. Trustworthiness is critical because technology projects continue to have one of the highest rates of failure—failure to deliver on promises, on time, on budget—or all three. Risks such as those presented internationally by Heartbleed or the CDA security breach, which threatens the Personally Controlled Electronic Health Record, mean that the concept of trustworthy will become increasingly significant for privacy professionals that either develop or procure technology. Then, of course, as the story on the use of biometric facial recognition technology in Japan shows, trustworthiness in the party deploying the technology is vital. It will be interesting to hear from Tim Rains on trustworthy computing in Privacy Awareness Week. Hope to meet you there.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

ONLINE PRIVACY—CHINA

China Mobile Assures Subscribers of Privacy (January 26, 2010)
China Mobile, China's largest mobile communications service provider, is responding to allegations that it is filtering subscriber text messages in search of pornographic content by assuring the public that their privacy is safe, the Web site CIOL.com reports. Concerns over filtering and surveillance arose after China Mobile installed a filtering system designed as a hedge against "unhealthy" Web content. "The freedom and privacy of individual users enjoys legal protection," said Li Kang of China Mobile. "China Mobile will do its best to protect consumers' rights and interests strictly in line with the relevant laws and regulations."
Full Story

PRIVACY

IAPP Announces New Board Members (January 22, 2010)
The International Association of Privacy Professionals has announced new appointments to its 2010 Board of Directors. Five new members have joined the board and three existing members have moved into leadership roles. Incoming board members hail from Microsoft, Hewlett-Packard, Siemens, Hunton & Williams LLP and the Graduate Management Admissions Council. New board president Nuala O'Connor Kelly, CIPP, CIPP/G, said, "I'm extremely pleased to welcome these distinguished privacy professionals to our board. Their vision and experience will be invaluable in leading the IAPP and the privacy profession into the next decade."

DATA PROTECTION

UN Official Calls for Int’l Declaration on Data Protection (January 22, 2010)
A UN official has called for a new international agreement on privacy, reports The Register. In a report to the UN Human Rights Council, special rapporteur Martin Scheinin said "a global declaration on data protection and data privacy" is necessary to stopgap what he describes as the loss of basic privacy protections in the wake of expanded counter-terrorism efforts. European Data Protection Supervisor Peter Hustinx told the IAPP Daily Dashboard newsletter that he considers this "a very welcome call for action that should be considered very carefully." Hustinx said that global standards and global safeguards are required to limit increasing surveillance activities and to ensure a legitimate global use of new technologies. However, Martin Abrams, executive director of the Hunton & Williams Centre for Information Policy Leadership, said that until UN member states can find the balance between physical security and data protection within their own borders, it is unlikely they will be able to move forward with an international agreement.
Full Story

TRAVELERS’ PRIVACY—AUSTRALIA

Advocates Say Full-Body Scanners Need More Scrutiny (January 22, 2010)
Four civil liberties groups and the Australian Privacy Foundation are asking Transport Minister Anthony Albanese not to introduce full-body scanners at Australia's airports without first developing a Privacy Impact Assessment, Civil Liberties Australia reports. The five groups have drafted a letter urging Albanese to weigh the effectiveness of the scanners with the potential for privacy violations. In a letter sent to CLA last year, transport officials wrote that further consultation with members of the public and interest groups would be held prior to any decision on implementation. The advocates' letter asks the department to look at the effectiveness of the technology not only in terms of safety, but also with regard to protecting individual privacy.
Full Story

PRIVACY LAW—NEW ZEALAND

CEO Says Breach Notification Laws Coming (January 22, 2010)
New Zealand businesses will soon face laws forcing them to disclose any loss of personal information to cyber-criminals. That's according to the CEO of a computer security company-- Enrique Salem--who told the New Zealand Herald, "they will happen, and they will--absolutely--be enforced." Salem said that laws currently being developed in Australia and New Zealand "will absolutely push the notion that if data is stolen, you'll have to say." He said his company is lobbying for provisions in the new laws to protect against unnecessary notifications in cases where it can be proven data was not compromised despite a breach.
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

E-Health Safeguards Fall Short, Opponents Say (January 22, 2010)
Though additional privacy safeguards for Australia's proposed national e-health bill have been suggested, opponents to the plan say they fall short, reports Computerworld. The bill would assign patients a health ID number, linked to their Medicare number, which is intended to streamline healthcare delivery and reduce errors. But opponents to the bill, including health IT consultant Dr. David More, say its safety provisions fall short. "Those involved do not have a clue what they are doing and more than that are not telling the public--in other than carefully spun press releases," More says.
Full Story

ONLINE PRIVACY—NEW SOUTH WALES

Macquarie Moves to Cloud, Despite Concerns (January 22, 2010)
Google has agreed to house Macquarie's data in the European Union as part of its hosting agreement with the university, The Australian reports. The arrangement stems from the university's fears that data hosted in the U.S. would be subject to the USA Patriot Act, which would potentially allow security agencies to override privacy restrictions in order to combat terrorism. The university is the first in Australia to move staff e-mail to the so-called cloud. Macquarie Chief Information Officer Marc Bailey dismissed concerns about the security of intellectual property and academic privacy on the cloud, saying that storing data with companies such as Google and Microsoft provides significantly more security than a university.
Full Story

DATA RETENTION

Microsoft Reduces Search Data Storage Limit (January 20, 2010)
Microsoft has announced that it will further reduce the length of time it holds data entered into its Bing search engine, the New York Times reports. The decision comes in response to criticism related to search data management from within the European Union and will be implemented over the next 18 months for users everywhere, not just in the EU. Professor Hendrik Speck of the University of Applied Sciences in Kaiserslautern, Germany predicts that the move will prompt Bing competitors to follow suit, saying, "Google and other engines are starting to realize that consumers around the world are placing an increasing value on privacy and that can have business consequences." (Registration may be required to view story.)
Full Story

Philippines RFID

Philippines Courts to Transportation Office: No RFID (January 13, 2010)
The Philippines Supreme Court has ordered the country's Land Transportation Office (LTO) to halt its plan to require motor vehicles to be equipped with radio frequency identification (RFID) systems, The Inquirer reports. The order came in response to petitions filed against the LTO by political and transportation trade organizations opposed to the plan on privacy grounds. The order will remain in effect until a decision is made in the case. Court spokesman Jose Midas Marquez said, "[The status quo ante order] means that the prevailing situation prior to the implementation of the RFID would be implemented in the meantime until further orders from the court."
Full Story

PRIVACY LAW—CHINA

China Passes Privacy Protections Law (January 13, 2010)
A Hunton and Williams Client Alert reports that the Chinese government has enacted a sweeping tort liability law--the PRC Tort Liability Law--that includes provisions specific to the protection of personal privacy. The law, passed on December 26 and expected to take effect on July 1, covers not only privacy, but also environmental damage and animal bites while establishing parameters for liability in cases where organizations are found to have mishandled personal information. For the first time, PRC Tort Liability Law creates specific private rights of action for citizens in cases where they believe their privacy has been violated.
Full Story

PERSONAL PRIVACY—AUSTRALIA

Charity Accused of Abusing Trust (January 12, 2010)
The Australia Privacy Foundation has accused the St. Vincent de Paul Society of betraying donor trust by allowing a data broker to help develop a survey mailed to donors over the Christmas season, and then sharing the information with the company, The Age reports. The charity defended its actions--which may have violated aspects of the Privacy Act--by saying that it opened its donor list in order to build a mailing list which was then used to distribute the four-page questionnaire to 20,000 people. The survey was conducted under the data broker's privacy policy, not the charity's. For its part, the broker says it complied with privacy legislation.
Full Story

PRIVACY—SINGAPORE

New Law Oks Research Access to Public Data (January 11, 2010)
Following a change to its Statistics Act earlier this month, Singapore's Department of Statistics will allow researchers to access data collected by public agencies, provided the information contains no personal identifiers, reports ChannelNewsAsia.com. Parliament made the change despite lingering privacy and ethics concerns. West Coast GRC MP Ho Geok Choo says, "There is a concern of accidentally revealing the identity or sensitive information. It is imperative that Singapore safeguards the data obtained and ensures that it does not fall into unauthorised hands."
Full Story

DATA PROTECTION

USB Sticks Recalled (January 8, 2010)

At least three vendors have recalled hardware-encrypted USB memory sticks after penetration testers discovered a vulnerability that could allow hackers access to the data contained on the devices, reports CSO. According to one of the USB vendors affected by the flaw, "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data..." The flaw pertains to the drives' access-control mechanisms.

Full Story

20-Somethings and Privacy (January 8, 2010)

A Curtin University of Technology researcher has published a paper on how certain Facebook users understand and navigate privacy concerns. The paper, which appears on the peer-reviewed journal site First Monday, builds upon a Canadian ethnographic study about the privacy concerns of younger users. Specifically, the research explores how a 20-something community of Facebook users perceives privacy and how the users' privacy concerns differ from those of others. The paper also explores ways that users attempt to enhance their social privacy and why users remain active on the site despite their privacy concerns.
Full Story

RFID—PHILIPPINES

Government Assures Motorists of RFID Safety in Philippines (January 7, 2010)

In response to privacy concerns voiced by the Commission on Human Rights (CHR), the Philippines Land Transportation Office (LTO) has moved to assure motorists in that country that a new RFID motor vehicle tagging technology does not have the capability to allow tracking of vehicles, and that its staff will be properly trained in using the new system, reports the Manila Bulletin. LTO Chief Arturo Lomibao told the CHR that the tags do not function as a global positioning system and cannot be tracked, nor will the tags contain a driver's personally identifiable information. Further, Lomibao said the tags can only be read from a distance of 10 - 12 meters.
Full Story

PRIVACY—MARIANAS

Marianas Call For Alien Registry (January 6, 2010)

The Fitial Administration of the Commonwealth of the Northern Mariana Islands (CNMI) has called for a mandatory national registry for any aliens who remain in the islands for more than 90 days, reports the Saipan Tribune. The registry has been proposed in response to a change in U.S. law that places CNMI immigration under the direct control of the U.S. federal government and was drafted in cooperation with the U.S. Department of Homeland Security. Registration would likely include biometric data, such as fingerprints, photographs and other personal information. The public comment period for the policy ends on January 8.
Full Story

ONLINE PRIVACY

Profile Purgers Come Under Fire (January 5, 2010)

Services that help social networkers expunge their accounts have come under the scrutiny of Facebook, reports MediaPost. According to the report, last month the company sent a cease-and-desist letter to Les Liens Invisibles, the company behind the Seppukoo.com platform that assists users in committing "Facebook suicide." A Facebook spokesperson said the service causes users to violate Facebook terms of service and breaks anti-hacking and spam laws, among others. The Los Angeles Times reports that Facebook is also blocking the IP address of Web 2.0 Suicide Machine, another deactivation platform, and has filed a lawsuit against social networking data aggregator, Power.com.   
Full Story

Travelers’ Privacy (January 4, 2010)
Revived Interest in Full-Body Scanners

The thwarted Christmas Day terrorist attack on a Detroit-bound plane has prompted a new interest in bringing full-body imaging scanners to airports worldwide, the Washington Post reports. The U.S. Transportation Security Administration (TSA) has ordered 150 scanners to add to its complement of 40 already in place at American airports, and has received funding approval for an additional 300. Leaders in Britain, Germany and elsewhere have signaled that they will install the scanners despite concerns about the revealing images produced by the scans, and Dutch officials will now require all U.S.-bound passengers to pass through the machines. U.S. lawmakers are expected to debate the issue upon reconvening this month.
Full Story

ONLINE PRIVACY—ITALY

Defense Rests in Milan (January 4, 2010)
Defense rests in Italian online privacy trial against Google.

TRAVELERS’ PRIVACY

Revived Interest in Full-Body Scanners (January 4, 2010)
The thwarted Christmas Day terrorist attack on a Detroit-bound plane has prompted a new interest in bringing full-body imaging scanners to airports worldwide, the Washington Post reports. The U.S. Transportation Security Administration (TSA) has ordered 150 scanners to add to its complement of 40 already in place at American airports, and has received funding approval for an additional 300. Leaders in Britain, Germany and elsewhere have signaled that they will install the scanners despite concerns about the revealing images produced by the scans, and Dutch officials will now require all U.S.-bound passengers to pass through the machines. U.S. lawmakers are expected to debate the issue upon reconvening this month.
Full Story