ANZ Dashboard Digest

Putting its regard for privacy compliance to the fore, the iappANZ Board has this week taken the decision to opt in to the obligations of the new privacy legislation. You will see our new privacy policy, and we welcome any comments as it has been a collaborative effort by some of Australia’s finest privacy minds. We understand that the privacy commissioner will be talking about ways to improve organisations’ privacy policies at the OAIC Privacy Awareness Week Breakfast, so if you are revising yours, it is an event not to be missed. In news this week you will also see that AMSRO has applied to register a non-mandatory code of practice.

Now that 12 March is over, we are starting to see less of the doomsday reports and more of the innovation which the OAIC encourages. We expect plenty of new ideas in Privacy Awareness Week in May. We are delighted to confirm that the deputy chair of the ACMA will be joining the ALRC and OAIC representatives in our Great Debate on Australia’s direction on serious invasion of privacy in the digital age.

The article by Brenda Aynsley OAM this week, “Sharing the Values to match the technology,” presents a fascinating counterpoint to the call by Tim Berners-Lee and the World Wide Web consortium in their “Web We Want Campaign.” Aynsley examines the important distinction between “trusted” providers and “trustworthy” providers. Trustworthiness is critical because technology projects continue to have one of the highest rates of failure—failure to deliver on promises, on time, on budget—or all three. Risks such as those presented internationally by Heartbleed or the CDA security breach, which threatens the Personally Controlled Electronic Health Record, mean that the concept of trustworthy will become increasingly significant for privacy professionals that either develop or procure technology. Then, of course, as the story on the use of biometric facial recognition technology in Japan shows, trustworthiness in the party deploying the technology is vital. It will be interesting to hear from Tim Rains on trustworthy computing in Privacy Awareness Week. Hope to meet you there.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

SOCIAL NETWORKING

Advocates Not “Liking” Ad Plan (January 31, 2011)

While a new feature on the world's largest social network is being seen as potential gold for advertising, privacy advocates and some users are raising concerns, USA TODAY reports. The new advertising format uses Facebook members' "likes" and other online actions to create promotional content in the form of "Sponsored Stories," which "became available for large brands to buy last week and is being rolled out over the next few weeks to Facebook's more than 500 million members." The Electronic Frontier Foundation is calling for an opt-out option for users. "Any time they make a change, people react, especially if there is a commercial element," says Future of Privacy Forum Director Jules Polonetsky, CIPP.

DATA PROTECTION

Data Protection Day Brings Celebration, Call for International Treaty (January 28, 2011)

Across the globe today, institutions and individuals are recognizing Data Privacy and Protection Day. Officials from the U.S. to Canada and the UK to Belgrade are recognizing the anniversary with special events and announcements. In Europe, the day falls on the thirtieth anniversary of the signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the first comprehensive international document on data storage, use and sharing, Deutsche Welle reports. European Data Protection Supervisor and EU Justice Commissioner Viviane Reding hailed the occasion in video addresses, while in a speech earlier today, Council of Europe Secretary General Thorbjorn Jagland said, "30 years of experience with data protection allows us to make one clear conclusion: the only way to strike the balance between freedom of expression and the right to privacy in data collection is having an international, legally binding treaty."

DATA LOSS—AUSTRALIA

Vodafone Terminates Dealer Relationship (January 28, 2011)

The Sydney Morning Herald reports that Vodafone has terminated its dealer agreement with Communications Direct (CD) after allegations that CD staff were misusing customer information. The staff allegedly mined Vodafone's nationwide customer database to find customers nearing the end of their contracts and then sell them on a CD plan. The database included customers' dates of birth and addresses. The staff also allegedly forwarded detailed customer call records outside the company, the report states. Privacy Commissioner Timothy Pilgrim launched an investigation into the breach earlier this month and Vodafone involved the NSW Police. A Vodafone spokeswoman said the company's decision to sever ties with CD marks a "renewed commitment to privacy."

DATA LOSS—NEW SOUTH WALES

Councilor Dismissed after Disclosing Details (January 28, 2011)

A city council has dismissed an employee and required her to complete privacy awareness and code of conduct training after she disclosed a woman's personal details, reports the Newcastle Herald. The incident involved a letter written to the Lake Macquarie City Council about a man who had parked his vehicle on her street. A councilor forwarded that letter, including the woman's personal details, to the vehicle's owner, who then harassed the woman. The council has not been penalized by the Administrative Decisions Tribunal because it apologised to the woman and disciplined the employee, a spokesman for the tribunal said.

DATA LOSS—NEW ZEALAND

Employees Increasingly Stealing Company Data (January 28, 2011)

Forensics experts at Deloitte report a steady rise in cases of employees stealing confidential business information and taking it to competing firms, The New Zealand Herald reports. The rise in such incidents is in part a result of the ease with which information can be downloaded to USB sticks or social networking sites, the report states, citing numerous examples in which employees did just that. Meanwhile, Otago University's 2010 Computer Crime and Security Survey found that more than half of firms had no USB incident protection in place.

PRIVACY—VICTORIA

Hospitals Ban Filming Childbirths (January 28, 2011)

The Herald Sun reports on an increasing trend at Victorian hospitals to ban video cameras in birthing suites. As video recording devices become commonplace at births, hospitals are responding by developing protocols on filming, with many choosing to ban it, the report states, to protect staff privacy and to prevent unnecessary distractions or legal repercussions. Four Melbourne hospitals currently ban filming, and another advises strongly against it. Meanwhile, New Zealand hospitals say there is no plan for similar actions there because the filming of births is not causing any problems.

PRIVACY LAW—HONG KONG

Data Transfer Ordinance To Be Enforced (January 28, 2011)

Linklaters reports on the Hong Kong privacy commissioner's plans to bring a personal data ordinance into force as soon as possible. Section 33 of the Personal Data (Privacy) Ordinance (PDPO) prohibits the transfer of personal data outside Hong Kong unless one of a number of conditions is met, the report states, and has existed since the PDPO was enacted but has not come into force. The ordinance allows for transfers if the receiving destination has been approved by the commissioner or if the individual has consented in writing to the transfer, among other conditions. Businesses should prepare for the impending ordinance, the report cautions.

ONLINE PRIVACY—HONG KONG

Street View Cars Resume Routes (January 28, 2011)

Google Street View cars began roaming Hong Kong streets again this week, but the company says only photos and 3D images are being collected, the South China Morning Post reports. The cars were halted in May after it was discovered they were inadvertently collecting WiFi data from unencrypted networks, including user names, e-mails and passwords. Privacy Commissioner for Personal Data Allan Chiang this week released unanswered concerns about the cars' resumption, asking when Google will release a privacy policy in Chinese for Google Maps products and whether it will designate a response window for customers' requests to blur images. (Registration may be required to access this story.)

ONLINE PRIVACY

Privacy as Competitive Edge (January 27, 2011)

The Wall Street Journal examines whether startup search engine DuckDuckGo's pledge to honor user privacy by not storing personal data or sending search information to other sites will provide a competitive edge against online search giants. The report poses the question, "Would you switch search engines for privacy reasons, or are other aspects of search more important to you?" DuckDuckGo's founder has said the company's goal is to appeal "to a non-negligible part of the population," adding he expects the site to see about 4 million searches this month, up from a typical 2.5 million per month before he publicized its privacy features. (Registration may be required to access this story.)

SURVEILLANCE

Tracking Technology Raises Concerns (January 26, 2011)

New tracking units are raising concerns among privacy advocates. Garmin's new personal tracking device, GTU 10, was introduced last month and is small enough to be stored without a person knowing, reports The Kansas City Star. The Electronic Frontier Foundation's Lee Tien says he is concerned about "protecting the privacy of individuals with respect to location and movement." Meanwhile, a "Find Your Car" system introduced in California allows mall shoppers to punch in their license plate number for a network of cameras to detect the car's location, prompting an ACLU attorney to caution that "the unintended consequences can be huge."

ONLINE PRIVACY

Search Engines Offer Opt-Out Plans (January 25, 2011)

Major media outlets are reporting on plans by Google and Mozilla to offer do-not-track options for their users. Google has announced its new "Keep My Opt-Outs" tool, which enables users of its Chrome Web browser to permanently opt out of online tracking, while Mozilla's new opt-out tool for its Firefox browser provides users with more understanding and control of how their personal information is being used by advertisers. A Federal Trade Commission spokeswoman discussed efforts by Mozilla, Microsoft and Google to provide do-not-track options. Meanwhile, MediaPost News reports that while the FTC is cheering such plans, "whether ad networks and online marketers will follow those preferences is far from clear."

ONLINE PRIVACY

Opinion: Is There a Dark Lining in the Cloud? (January 25, 2011)

There are many benefits to cloud computing, but European Commissioner Viviane Reding questions, "is there a dark lining to the cloud?" In an opinion piece for The Wall Street Journal, Reding cautions, "Consumers who store data in the cloud risk losing control over their photos, contacts and e-mails. Data is whirling around the world: A UK resident who creates an online personal agenda could use software hosted in Germany that is then processed in India, stored in Poland and accessed in Spain." Describing the European Commission's commitment to privacy, she writes that the EU's data protection rules "have stood the test of time, but now they need to be modernized to reflect the new technological landscape." (Registration may be required to access this story.)

PRIVACY LAW—AUSTRALIA

Bill Would Increase Police Access to Phone Data (January 24, 2011)

The Sydney Morning Herald reports privacy advocates are concerned about a plan to change surveillance laws. Currently, police can look at call, SMS and data use up until the date of disappearance in missing persons cases. But NSW Police support a federal bill that would allow police to access all records beyond that date, saying they need access to real-time information to do their job. Privacy advocates fear such a change would allow police to monitor people without their knowledge and could lead to "gross invasions of privacy." They are calling for stricter access regulations. A senate committee on legal and constitutional affairs has recommended the Attorney General's Department review the bill for privacy issues.

DATA LOSS

Smartphone User Data Potentially Exposed (January 24, 2011)

A mobile application developer has warned of a data breach that could affect up to 10 million users, SC Magazine reports. Trapster.com says a hacker may have accessed user e-mail addresses and passwords and advises that users change their passwords. The company believes this was a single event and has rewritten the software code to prevent future attacks, it says. It is now notifying those potentially affected, though there is no evidence that the data has been used.

FINANCIAL PRIVACY—AUSTRALIA

Survey: Bank Staff Will Share Customers’ Data (January 21, 2011)

A survey of bank call centres from eight of Australia's leading banks has found that half of their staff would help callers access other customers' financial information, The Age reports. "The callers would say things such as, 'My girlfriend needs to transfer money today, she's gone to work...' Half the time, after saying no, the call centre staff would work with the caller to find out ways to do it," said a spokesman for Global Reviews, which conducted the survey. Former Privacy Commissioner Malcolm Crompton, whose firm Information Integrity Solutions cosponsored the survey, said that, when pressed, employees were more likely to give in, even if it meant breaching privacy rules.

Commissioner Examining USyd (January 21, 2011)

Computerworld reports that New South Wales acting Privacy Commissioner John McAteer is looking into a data breach at the University of Sydney. In a letter to students this week, university Vice-Chancellor Michael Spence apologised for the breach, which exposed students' names, addresses, e-mail addresses, course histories and costs, according to a Sydney Morning Herald report. Commissioner McAteer told the SMH that, upon preliminary assessment, the university may have breached a section of the NSW Privacy and Personal Information Protection Act of 1998. He said it will take about five weeks to investigate.

DATA LOSS—AUSTRALIA

Festival E-mail Exposes Addresses (January 21, 2011)

ZDNet Australia reports that Sydney Festival organisers inadvertently exposed the e-mail addresses of 130 people on a festival mailing list. The organisers say human error is to blame. "We inadvertently open copied our e-mail so that the addresses were visible to all recipients," the organisers said. "Nothing like this has ever happened before and I must assure you that Sydney Festival respects your privacy and will ensure that nothing like this ever happens again." The festival staff issued an apology to those affected shortly after it happened.

DATA LOSS—AUSTRALIA

Investigations Continue, Company Ramps up Security (January 21, 2011)

Vodafone has ordered daily password changes and other security-enhancing protocols following a breach that exposed customers' sensitive data, Business Spectator reports. The company, law enforcement and the Office of the Privacy Commissioner are investigating the incident, which led Vodafone to terminate several employees last week. A Fairfax Media report describes the breach as "one of the most serious...in Australian history," and states that Internet security experts feel the company's database remains vulnerable.

PRIVACY LAW—THAILAND

Opinion: Thailand Needs Stronger Privacy Laws (January 21, 2011)

Vilaiporn Taweelappontong says the recent WikiLeaks data scandal "provides a lesson to be learned" for governments. In the Bangkok Post, Taweelappontong, who is a partner at PricewaterhouseCoopers Thailand, writes that Thailand has to strengthen its privacy laws. "Privacy is an individual right and privacy law is supposed to protect and preserve those rights," he says, adding that the recently drafted data protection law intends to do just that. "The challenges after such laws have been launched are awareness and consistency in their implementation across all government agencies," Taweelappontong writes. He goes on to offer tips on how Thai organizations can improve their data protection practices.

SOCIAL NETWORKING

Facebook Suspends Third-Party Plans (January 18, 2011)

Facebook has decided to suspend its latest privacy policy modification, which would have enabled third-party applications to access users' addresses and cell phone numbers, reports the Inquirer. The company said it would protect users' personal information by only sharing it with third parties if the user explicitly granted permission to do so, but a Facebook spokesman this week said the company would "temporarily disable the feature" based on feedback that it could make people more clearly aware of the changes. Some have questioned how the third parties would use the additional data.

DATA LOSS—NEW ZEALAND

Telecom Customer Details Exposed (January 17, 2011)

Privacy Commissioner Marie Shroff has announced that she will investigate a reported breach involving the information of millions of Telecom customers, The New Zealand Herald reports. The breach reportedly was perpetrated by associates of Telecom's rival Slingshot and exposed the names, addresses and billing plan data of every Telecom customer. Telecom retail chief executive Alan Gourdie said, "We're just outraged. This is our customer data--potentially fraudulently used. We will pursue this to all remedies that are available." Gourdie added that the Commerce Commission is also looking into the matter.

ONLINE PRIVACY

Flash Fix Is Important First Step (January 14, 2011)

The Wall Street Journal reports on efforts to improve privacy controls in Adobe's Flash video player after privacy advocates and regulators raised concerns that companies could use such technology to track Internet users. "So-called 'Flash cookies,' which are small files stored on a user's computer through the Flash program, have raised privacy questions because they are more difficult for users to detect and delete than regular cookies associated with Web browsers," the report states, noting that although Adobe's effort to simplify the program's settings is an important step, it "doesn't solve all the issues associated with this type of tracking," and other video programs can also track users. (Registration may be required to access this story.)

DATA PROTECTION

Survey: PCI DSS Standards Necessary (January 14, 2011)

A new survey has found that the majority of IT security practitioners believe that the Payment Card Industry Data Security Standard (PCI DSS) is necessary for protecting cardholder information, SC Magazine reports. The Cisco survey polled 500 IT security decision makers in healthcare, finance, retail and education, a majority of whom said they were "very confident" they could pass an assessment today. The greatest challenge for PCI DSS compliance is educating employees about the proper handling of cardholder data, the report states. Respondents also indicated they expect "significantly increased spending" on PCI compliance this year. Meanwhile, a recent Verizon survey found that organizations that had suffered data breaches performed "dismally" with PCI requirements.

DATA LOSS—AUSTRALIA

Vodafone Involves Police, Terminates Employees (January 14, 2011)

Following a privacy breach at Vodafone, the company says it has terminated several employees, The Herald Sun reports. The breach, which exposed customer details including names, dates of birth, PIN numbers, driver's license numbers, addresses and credit card numbers, allegedly occurred because Vodafone allowed its partners to access its customer database. Privacy Commissioner Timothy Pilgrim has launched an investigation, and Vodafone says it has now involved the NSW police. "The employment of a number of staff members has been terminated and Vodafone has contacted the NSW Police while its investigation continues," said a company spokesperson. "We take data security and the storage of our customers' information extremely seriously."

FINANCIAL PRIVACY—NEW ZEALAND

Shroff Discusses Credit Agency Reporting (January 14, 2011)

Privacy Commissioner Marie Shroff has acknowledged that external oversight put in place to ensure sensitive credit history information held by privately owned agencies will be the responsibility of the credit reporting agencies themselves, The New Zealand Herald reports, although the overseer will report to the privacy commissioner. Beginning in October, changes to the Credit Reporting Privacy Code will for the first time allow credit reporters to begin collecting "positive" credit data as well as such other information as driver's licence numbers. In terms of the new oversight, Shroff said, "It's a middle ground between doing it internally and having no external scrutiny and a full-blown external audit."

PRIVACY LAW—HONG KONG

Lawmakers Oppose Another Octopus Inquiry (January 13, 2011)

Hong Kong legislators have rejected one lawmaker's call for the creation of a committee to probe the Octopus data scandal, The Standard reports. In calling for the committee, democrat James To Kun-sun said, "We have to find out the truth behind the incident so as to give the public an account of the data leaks." But his colleagues say that a public consultation has already taken place and there is no need to begin an inquiry. Secretary for Transport and Housing Eva Cheng Yu-wah said the government will make proposals to strengthen personal data protection, according to the report.

FINANCIAL PRIVACY—AUSTRALIA

Minister Proposes Credit Reporting Code of Conduct (January 10, 2011)

Minister for Privacy Brendan O'Connor is calling for the development of a new Credit Reporting Code of Conduct designed to provide better privacy protection, TechWorld reports. In a statement, O'Connor said, "A binding Code of Conduct will be an integral part of the new credit reporting regime, helping to provide better protection for consumers and better guidance for business." The plan will be discussed at a roundtable on February 10, the report states, and O'Connor noted, "The roundtable will contribute to the development of the industry-led code and will provide an open forum for interested parties to discuss any outstanding issues of concern."

HEALTHCARE PRIVACY—AUSTRALIA

Public Discussion to Begin on E-Health System Plans (January 7, 2011)

Federal Health Minister Nicola Roxon says a draft framework of the nation's electronic health record system will be issued for public consultation soon, The Australian reports. The National E-Health Transition Authority developed the framework but the government has faced criticism from those who have concerns about privacy and say the development process has not been transparent. Roxon says she is committed to working with stakeholders "to make sure we develop the right e-health system" and that "The next step will be a public discussion paper on the operating concepts for the personally controlled e-health record."

SURVEILLANCE—NEW SOUTH WALES

Council Calls for Laws on Home Security Cameras (January 7, 2011)

The Herald Sun reports that a Sydney council is calling for laws to end problems caused by the increasing use of home security cameras. Sutherland Council will submit calls for legislation at an upcoming local government conference in hopes of generating support from other state councils due to mounting complaints that the technology, increasingly more affordable, is invading privacy. "There is a genuine fear people are being spied on. It's become a real problem," said one councilor. The council will make a submission explaining that no laws exist to control security cameras' operation, the report states.

PRIVACY LAW—AUSTRALIA

Opinion: The Time Has Come for a Right to Privacy (January 7, 2011)

In The Sydney Morning Herald, Paul Ritchie makes the argument that the "time has come for a public debate about legislating a right to privacy." There will be resisters, Ritchie writes, but new media make the need for a legislated right to privacy essential. "What we need is protection of what is private or what should be private," he says. "This applies as much to the private photos of a footballer as to the old medical records of a politician."

SURVEILLANCE—SOUTH AUSTRALIA

Bathroom Surveillance System Raises Concerns (January 7, 2011)

According to the South Australian Privacy Committee's annual report, a surveillance system installed in a public toilet aiming to thwart vandalism has raised concerns, The Advertiser reports. The Local Government Association (LGA) has discussed the complaint with the local council that lodged it and says the cameras were installed after consulting the SA Police, the report states. The LGA says the cameras only record certain elements of the facility and the recordings are not watched unless graffiti is put on the wall. The surveillance system is said to have reduced vandalism by 90 percent. The report also mentions complaints about government disclosures of individuals' personal information.

PRIVACY LAW

Privacy Lawsuits Target Apple, Others (January 7, 2011)

The Sydney Morning Herald reports on recent lawsuits filed against Apple, Backflip, Dictionary.com, Pandora and the Weather Channel, among others. The suits claim users' data was shared without their knowledge and seek to prevent the applications from sharing ages, genders and locations of users as well as iPad and iPhone device identifying numbers. According to an InformationWeek article, a lack of laws defining privacy rights means it's likely there will be more suits like these. "Consumers are engaged in a marketplace, but it's not a fully informed market," said Dave Stampley of KamberLaw. Kevin Pomfret, a lawyer with LeClairRyan, said that in order to avoid a lawsuit, companies should carefully consider why they need consumer data and how they use it, adding "Unfortunately, there's no clear-cut answer right now because of the uncertainty."

PRIVACY LAW—SOUTH KOREA

Police: Data Collected Illegally (January 6, 2011)

South Korea's police authority says Google broke the country's privacy law when it collected WiFi data with its Street View cars, The Guardian reports. The authority says it will conclude its investigation by the end of January. It is not yet known whether Seoul--where Google's Korean headquarters are located--will prosecute the company. Google's Korean arm said, "As soon as we realized what had happened, we stopped collecting all WiFi data from our Street View cars and immediately informed the authorities. We have been cooperating with the Korean communications commission and the police and will continue to do so." The company is facing similar investigations in more than 20 countries.

FINANCIAL PRIVACY—HONG KONG

Government Considers Expanding Mortgage Database (January 5, 2011)

Hong Kong's government is seeking public feedback until February 8 on a proposed expansion of a data-sharing system to include positive and negative credit history for homes and properties, Privacy Commissioner for Personal Data Allan Chiang has announced. Bloomberg reports that under Hong Kong's current system, banks can share only negative data on housing mortgages while both positive and negative data is available for unsecured debt such as credit card borrowings. One financial services expert suggests that if the expansion is approved, it will allow banks to better assess home buyers' credit status.

ONLINE PRIVACY

The Privacy Year In Review (January 3, 2011)

The BBC looks at the year that was 2010 from a privacy perspective. Exploring high-profile breaches of the past year, the report considers the implications of government and private-sector privacy decisions for the future. It suggests that "an interesting twist in 2010's privacy story" is that while private-sector organizations have been taken to task on privacy issues, "governments seem intent on increasing their snooping powers." When it comes to social networking, Ian Brown of the Oxford Internet Institute says the environment "is designed to encourage people to share. Often the default setting is privacy-unfriendly." The report also suggests that personal information "is fast becoming the most important commodity online."