ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

ONLINE PRIVACY

Headlines Inspire Opt-Out Technologies (February 28, 2011)

Concerns about privacy have prompted the creation of two start-ups that aim to provide online users with more choice. Following the news of a privacy breach at Facebook, a former Google engineer created a piece of software that disabled features that track browsing history, The Wall Street Journal reports. Within two weeks, 50,000 users downloaded the free application. Engineer Brian Kennish said he's since left Google so that he could create "Disconnect"--software to work with a wider array of sites' tracking devices or "widgets." The software also prevents search engines from tracking users' Web movements. Meanwhile, a 19-year-old college student has started a company that allows users to opt out of tracking by 100 companies. (Registration may be required to access this story.)

PRIVACY LAW—NEW ZEALAND

Emergency Code Issued After Earthquake (February 28, 2011)

In the aftermath of the Christchurch earthquake, Privacy Commissioner Marie Shroff has issued an Information Sharing Code to allow emergency services to "share personal information as necessary to assist victims of the earthquake and their families." Voxy reports that the code will remain in effect for the next three months and will then be reviewed. "Although the Privacy Act already allows collection and disclosure of information in emergencies and for public safety, greater certainty will help everyone," Shroff said. The code is aimed at helping identify injured individuals, assisting with medical and financial needs, notifying families and making it possible for visitors to get home.

ONLINE PRIVACY

Companies Take Steps To Protect Privacy (February 28, 2011)

Internet companies are taking steps to address calls for stronger online protection for Internet users, The Wall Street Journal reports. Most recently, both Microsoft and Facebook have "moved to beef up and clarify their efforts around the thorny issue of online privacy," the report states, describing Microsoft's move to add a do-not-track tool to its services and Facebook's new draft of its privacy policy with more user-friendly information headings. "The new policy is much more of a user guide to how to manage your data," said Jules Polonetsky, CIPP, of the Future of Privacy Forum, which was consulted by Facebook. "You might actually want to read this thing." (Registration may be required to access this story.)

HEALTHCARE PRIVACY—AUSTRALIA

APF Concerned About E-Health Implementation (February 28, 2011)

The head of the Australian Privacy Foundation says that patients' medical data is vulnerable because e-health projects are being planned absent their input, The Australian reports. "Because consumer representatives have had so little input, there's a very strong chance sensitive data will be compromised, and the system won't suit people's needs," says Roger Clarke, who adds that consumer engagement only began in January. A health department spokeswoman said that consultations with consumers and privacy groups have been "constructive," and "The government is serious about a personally controlled system in which privacy protections will be a key element."

ONLINE PRIVACY

Start-Ups Capitalize on Data as Currency (February 28, 2011)

Entrepreneur Shane Green's company allows people to personally profit from providing companies with their personal data, which he says has become "a new form of currency." His company is one of about a dozen start-ups aiming to capitalize on privacy as marketers increasingly rely on personal data for targeted ads, The Wall Street Journal reports. One London real estate developer now offers to sell people's personal information on their behalf and give them 70 percent of the sale, the report states, while others offer products to help block online tracking or charge to remove users from marketing databases. One entrepreneur said while "privacy" was a hard sell as of two years ago, investors are now quick to jump at opportunities. (Registration may be required to access this story.)

ONLINE PRIVACY

Governing Body Accepts Microsoft Tracking Proposal (February 25, 2011)

The World Wide Web Consortium (W3C), the governing body for HTML5, has accepted Microsoft's tracking opt-out proposal to protect consumer privacy, PCWorld reports. Microsoft's Tracking Protection allows users to choose not to be tracked on the Web by blocking the content that does the tracking, the report states. Internet Explorer's corporate vice president, Dean Hachamovitch, said online privacy is a high priority for consumers and governments around the world. Ashkan Soltani, a privacy and security researcher, called Microsoft's release of the program "a great move" that demonstrates the company's recognition "that for this to work, you want both technology and policy to work in tandem."

BIOMETRICS—AUSTRALIA

Officials Say No Fingerprint Scans (February 25, 2011)

Officials have decided not to move forward with plans to require such biometric data as fingerprint scans for poker machine use, The Age reports. Families Minister Jenny Macklin and MP Andrew Wilkie instead favor the use of smartcards "to limit the amount gamblers could spend on pokies in a session," the report states. The decision came in the wake of concerns by gambling and hospitality representatives that using biometric data could result in identity theft. "I'm happy to rule out fingerprinting, retinal scans, any other sort of biometric system that might be out there," Wilkie said, adding that he agrees with Macklin's position that "Australians are very comfortable with cards."

TRAVELLERS’ PRIVACY—NEW ZEALAND

Scanners To Be Introduced at Airport (February 25, 2011)

Privacy Commissioner Marie Shroff says the Customs Service has informed her office that it will test body image scanners at Auckland Airport as part of its fight against illegal drugs, stuff.co.nz reports. The trial will assess whether passengers are willing to opt for a "less invasive alternative to a physical personal search," the report states. Customs says it has established privacy safeguards ahead of the trial. "We will see the results," Shroff said. "We've advised customs about keeping the public informed about the scanners and about good practice for the collection, storage and handling of images and information." She added that customs will conduct a privacy impact assessment if scanner plans become permanent.

DATA LOSS—AUSTRALIA

Laptop Stolen, Data Lost (February 25, 2011)

An ACT Department of Disability, Housing and Community Services data loss is unlikely to result in identity theft, according to Department Minister Joy Burch. ABC News reports that an employee broke protocol last November and brought home a laptop containing client data which was then stolen. Burch said the computer contained surnames, some given names, postcodes and possibly dates of birth. The affected clients have been notified, but an opposition spokesman is questioning why it took the department two-and-a-half months to send the notification letters. Burch says the delay was necessary to figure out which clients needed to be notified.

PRIVACY LAW—AUSTRALIA & U.S.

Nations Look To Retain Data for One Year (February 22, 2011)

Talks between the U.S. and Australia could result in Internet service providers (ISPs) retaining data on users for one year. The talks, slated for July, aim to align data retention periods between the two countries and Europe, ZDNet reports. Though some European nations suggest retaining data for five years--an idea being considered by the European Convention on Cybercrime--both the U.S. and Australia believe that's too long, according to Australian Attorney General Robert McClelland. McClelland added that governments have a "strong obligation" to balance the scope of data retention and law enforcement needs for data to solve crimes.

PRIVACY LAW—KOREA

Expert Discusses New Data Protection Draft (February 22, 2011)

Korea JoongAng Daily reports on a new version of the Data Protection Act currently before the Korean National Assembly and experts' calls for the reforms. Prof. Park Whon-il describes Korea's data protection legislation history and the effect of current technological advances extending personal information from "the data of a living person such as character, voice, sound and image...to include data such as e-mail addresses, credit card numbers and log files." With proposed revisions to the act aimed at regulating the public and private sector, Park notes the importance of an independent data protection authority and provisions for breach notifications.

DATA PROTECTION

PCI Council Launches Training Program (February 18, 2011)

The PCI Council today begins its series of training programs intended to educate practitioners on Payment Card Industry Data Security Standards (PCI DSS). Council General Manager Bob Russo told Info Security that the courses "cover all PCI basics, including how the payment system operates straight through to how PCI works and why it is important to be compliant." Offerings include in-person sessions as well as online training, and according to Russo, there will likely be supplemental guidance throughout the year. Version 2.0 of the PCI DSS went into effect last month, and merchants have one year to comply with the new standard. "We can say confidently that (PCI compliance) is the best defense you will have against a breach, but by no means is this the ceiling," said Russo.

DATA LOSS—HONG KONG

Lost Flash Drive Contains Patient Records (February 18, 2011)

An occupational therapist at Kwai Chung Hospital lost her personal USB flash drive that contained the medical records and reports of 59 patients, reports News.gov.hk. The flash drive is not protected by encryption or password. The hospital is investigating the loss and has notified the Hospital Authority and the Office of the Privacy Commissioner for Personal Data. The flash drive disappeared on February 16.

DATA LOSS—NEW ZEALAND

SFO Asked To Investigate Breach (February 18, 2011)

The New Zealand Herald reports that the Serious Fraud Office (SFO) has been asked to investigate an alleged breach of Telecom's database by a firm working for one of its rivals. The privacy commissioner's office is already investigating the incident, which involved the exposure of the personal details of up to 2.15 million Telecom customers. Neither Telecom nor the SFO would confirm that the SFO is investigating this breach; however, "documents show the SFO is looking into numerous incidents of unauthorised access to Telecom's database," according to the report.

PRIVACY LAW—AUSTRALIA

Supreme Court: Internet Data Could Prevent Fair Trial (February 18, 2011)

The Australian Supreme Court has ordered newspapers to delete certain articles from their Web sites, saying that they could impact the fairness of an upcoming trial, The Age reports. The jurors on the trial will also be ordered to refrain from reading about or discussing the case, but "The confidence in the integrity of the jurors does not mean the court should not protect them from incidents that put their integrity to the test," said Justice Derek Price. One publishing executive described the decision as "the modern equivalent of burning books," and a civil liberties advocate said the order appears to "discriminate against the Internet because courts never ordered the removal of a microfiche from every library in the state."

SOCIAL NETWORKING—NEW ZEALAND

Company Apologises for Use of Photo, Name (February 18, 2011)

Vodafone has changed its policies and apologised to an Auckland woman after using information from her social networking profile for a newspaper advertisement without permission, The New Zealand Herald reports. The ad contained the woman's photo and name. "It may be legal, but it's certainly not ethical," the woman said, adding, "It is well within their financial means to buy stock imaging." A Vodafone spokesman described the incident as "a human error mistake," adding that "Obviously we're going to investigate and put things in place to make sure this doesn't happen again."

DATA LOSS—AUSTRALIA & NEW ZEALAND

Lush Cosmetics Sites Hacked (February 18, 2011)

On the heels of a breach in the UK, the Herald Sun reports that Lush Cosmetics has announced a breach of its Australian and New Zealand stores. Lush's director Mark Lincoln said the company was informed on Monday that there had been "unauthorised access of the Web site and data had been downloaded." The company has since closed access to the site and notified all online customers--about 40,000--urging them to contact their banks.

HEALTHCARE PRIVACY—AUSTRALIA

APF Releases E-Health Privacy Concerns Draft (February 18, 2011)

The Australian Privacy Foundation (APF) has released a draft of its privacy concerns checklist on e-health records. The checklist is for review by all relevant health consumer advocacy organizations as plans continue on implementation of Personally-Controlled eHealth Records (PCEHR). The APF draft will be amended to reflect concerns raised by various categories of healthcare consumers. It has thus far been reviewed by participants at two Consumer Reference Forum meetings run by the National E-Health Transition Authority earlier this year. While privacy isn't the main factor to be considered in PCEHR implementation, it is "a vital element," the discussion draft states. Major decisions on the plan are expected next month.

PRIVACY LAW—NEW ZEALAND

Plan Aims to Give Businesses Single Identifiers (February 18, 2011)

The New Zealand Herald reports on plans to establish uniform ID numbers for businesses to reduce compliance and reporting costs to various government agencies. When it comes to assigning numbers to sole traders, however, problems ensue because of a Privacy Act provision that says "a unique identifier assigned to an individual by one agency cannot be used by another," the report states. Privacy Commissioner Marie Shroff says the personal information aspects are being considered and that "Privacy isn't a roadblock to setting up a single business number for sole traders. There's a range of ways to get it right and we've been discussing these with MED and other interested agencies."

HEALTHCARE PRIVACY—NEW ZEALAND

Doctors Encouraged To Eliminate Slang (February 18, 2011)

New Zealand Privacy Commissioner Marie Shroff says doctors' "slang" notes on patient records should be eliminated as patient records move to electronic databases, Stuff.co.nz reports. As information becomes more widely shared and available, certain acronyms should not be used, Shroff notes, adding, "I think people need to keep the humour in their lives...but respect for patients is a really important part of the practice. I'm sure doctors want their patients to trust them."

ONLINE PRIVACY—AUSTRALIA

Survey: Smartphone Users Unaware of Risks (February 18, 2011)

Australians are using smartphones more than ever, but some are unfamiliar with the security risks, according to the results of a new survey. Adelaidenow.com reports that 79 percent of users polled were not aware that their phones could track their locations. The study, which was conducted by the Ponemon Institute on behalf of the company AVG, also found that up to a third of smartphone users were not aware of the security risks associated with their devices.

ONLINE PRIVACY—SINGAPORE

Youths Not Concerned About Online Privacy, Survey Finds (February 18, 2011)

A survey has found that online privacy in social networking sites is not a concern for those between the ages of 18 and 35, Channel News Asia reports. The Singapore Polytechnic survey solicited responses from 800 participants, the majority of whom said they spend between two and five hours online every day. Close to 95 percent said they reveal such personal information as their name and gender on social networking sites. Seventy-five percent said they reveal photos of themselves, and 67.5 percent have never changed their passwords. The survey also found that most participants felt they were responsible for their own online safety, with only 18.1 percent saying the responsibility lies with parents.

PRIVACY LAW—SINGAPORE

Data Protection Regulations Closer to Fruition (February 18, 2011)

Singapore is taking steps to introduce a data protection regime, ZDNet reports. The government has announced plans to introduce legislation in parliament in early 2012. The minister for information, communication and the arts said the proposed laws will provide a "baseline standard for data protection in Singapore." The proposed law will aim to protect individuals against unauthorized use of their data for profit, curb excessive data collection and require consent for information sharing, the report states. A Data Protection Council will be established to oversee the law's implementation, and the "Infocomm Development Authority of Singapore will engage relevant stakeholders...to address concerns." For now, data protection continues to be regulated by sector-specific rules.

ONLINE PRIVACY

Mobile Ads Spark Privacy Concerns (February 18, 2011)

Privacy concerns abound over increased targeted advertising to users of smartphones and other mobile devices, The Age reports. Sharing input from various industry leaders, the report also explores assessments from research firm Berg Insight, of how the devices are used "to deliver messages which are highly relevant for the recipient, taking into consideration demographics, interests, habits and other preferences." With so much personal information accessible, authorities are considering new regulations, and some business leaders are also weighing in. As one executive put it, "we need to do a better job...If you don't offer the options to protect the consumer through self regulation, you will have imposed regulation."

PRIVACY LAW

G8 May Have Privacy Focus (February 16, 2011)

Following up on its efforts in October to move toward the goal of adopting "an international binding legal instrument harmonizing the protection of privacy," France has announced its intent to bring the world's Internet leaders to the G8 Summit in May. An announcement from France's Commission nationale de l'informatique et des libertés (CNIL) suggests that including privacy on the agenda for the G8 "would mark a critical milestone in the protection of privacy against the development of digital technologies." Despite the continual exchange of data across borders and the prevalence of biometrics, geolocation and surveillance, the CNIL points out that "there is no globalized legal answer, and the levels of privacy protection are disparate."

PRIVACY LAW—AUSTRALIA

Vodafone Investigation Concludes: Act Breach (February 16, 2011)

After an investigation, Privacy Commissioner Timothy Pilgrim has found that Vodafone breached the Privacy Act by failing to take reasonable steps to protect its customers' information, but the commissioner dismissed claims that information was made public, ABC News reports. The company had been accused of allowing billing and call records to be stored on a public Web site with only a password to protect them. Pilgrim found that some staff may have breached company login and password policies, and that "Vodafone did not have the appropriate level of security measures in place to adequately protect their customers' personal information." 

PRIVACY LAW—PHILIPPINES

Data Privacy Law Moves On (February 14, 2011)

The Philippines House of Representatives last week passed a second reading of the proposed Data Privacy Act, which aims to set regulations for the processing of personal information. According to Newsbytes.ph, the bill recently received the endorsement of both the committee on information and communications technology and the committee on government reorganization and has the backing of the business process outsourcing sector. Chief author of the bill Roman Romulo says, "The bill is quite strong...you are expected to adopt adequate organizational, physical and technical measures to protect your electronic files." Meanwhile, a proposed cybercrime bill that seeks international cooperation in fighting cybercrime is also in congress.

DATA LOSS—NEW ZEALAND

Investigation Continues Into Telecom Breach (February 11, 2011)

The federal privacy commissioner's office says its investigation into the recent Telecom data breach is progressing, but it might be another month before it is complete, The New Zealand Herald reports. "There's quite a lot to do," said Assistant Privacy Commissioner Katrine Evans. "We have three parties to talk to and everybody with their own point of view, so it's just going to take a little while to sift through exactly what has happened." She said the investigation centers on Telecom's security procedures and its partners' collection and use of Telecom customers' personal information.

ONLINE PRIVACY—AUSTRALIA

Ingram: Gov’t Needs To Work Harder (February 11, 2011)

In an interview with Bank Info Security, Graham Ingram, general manager of the Australian Computer Emergency Response Team, says that government agencies need to work harder on data protection. Ingram says government should follow the banks' lead in terms of online business--taking security matters seriously and acknowledging the risks involved. "There are too many people in government organisations who are in denial (of risks)," he says, adding that government has done a good job enabling online transactions in order to reduce costs and make government more efficient but is putting citizens' personal information at greater risk.

EMPLOYEE PRIVACY—AUSTRALIA

Internet and Social Networking Bring Complications (February 11, 2011)

Technology and social networking mean less privacy in the workplace, The Sydney Morning Herald reports. Using examples of "draconian" company policies on employee Internet use and e-mail and social network monitoring, the author asks, "what are the limits for employers?" Victorian Privacy Commissioner Helen Versey says employee monitoring "for no purpose other than curiosity may be considered unreasonably intrusive or unfair" under the Privacy Act. Studies show that companies are split on the use of social networking; some are banning sites during work hours, while others are leveraging them to share information and drive business. The report suggests employees check privacy settings on social networking sites and know what their companies' policies are.

DATA PROTECTION—AUSTRALIA

CIOs Should Pay Attention to PCI DSS (February 11, 2011)

CIOs should make themselves aware of recent changes to the Payment Card Industry Data Security Standards (PCI DSS), according to one executive. In an interview with CIO Australia, Tim Smith of Bridge Point Communications says that "PCI is such a technical standard, it absolutely involves the CIO or members of the CIO's team." Smith predicts that companies that think of PCI DSS compliance as a way toward greater security will rise above those that do not. "The companies that have done the best...are those that have looked at (PCI DSS) as being an opportunity to bring a good security rigor into their organisation," Smith said.

FINANCIAL PRIVACY—HONG KONG

After Octopus Breach, Concerns Persist (February 11, 2011)

The Octopus Holdings Ltd. privacy breach has incited widespread public concerns about companies' and financial institutions' handling of customers' personal data, writes Angela Wang for Reuters. A recent case involved a bank customer's complaint after she was contacted by an insurance company that had entered into a marketing agreement with the bank. The Administrative Appeal Board ruled that the bank should not have shared the customer's information because its small-print provisions on data sharing discouraged customers from reading them, and the customer should have been informed of the reasons her data was to be shared. The board also said shared data must be used for the same purposes for which it was collected.

ONLINE PRIVACY

Users, Protect Yourselves Online (February 11, 2011)

A ZDNet article explores some of the complex issues of online privacy, questioning how much responsibility users hold in keeping their personal information private and if companies are providing the necessary tools for users to control their information. One expert notes that many Internet companies' business models depend on users' personal information, saying, "If privacy is dead, so is online commerce in the long run." But, he adds, users need to realize that the content needs to be paid for in some form. Meanwhile, one Singaporean undergraduate points out that "sometimes you don't even realize information is being taken from you." Other experts weigh in on how lawmakers are expected to handle online privacy issues.

SURVEILLANCE—AUSTRALIA & U.S.

Vehicle Tracking Devices Could Be Used To…Track (February 10, 2011)

Plans to install vehicle tracking devices are concerning advocates. A private car-for-hire company in Australia has announced it will install GPS devices in up to 30 percent of its fleet, News.com.au reports. The company said the devices will allow them to know if the cars are driven out of the contracted range or on dirt roads, which would breach contract. But Civil Liberties Australia calls the move an "excessive invasion of privacy." Meanwhile, the U.S. National Highway Transportation Administration will consider new rulemaking that would require event data recorders to be installed in passenger vehicles, according to a press conference announcement Tuesday. The announcement has some privacy advocates concerned that the recorders could be used to track Americans' movements.

ONLINE PRIVACY

Schwartz Discusses the Impact of Choice on Privacy (February 8, 2011)

Barry Schwartz, author of The Paradox of Choice: Why More is Less and professor of social therapy and social action at Swarthmore College, shared his insights on the intersection of choices and privacy with the Privacy Advisor. "I think the main task facing organizations that worry about Internet privacy is to figure out a 'default' level of privacy that enables people to benefit from what the Web makes available and not be tortured by it," he explained. Schwartz, who will be a keynote speaker at the IAPP Global Privacy Summit in March, said he will be discussing "how too much choice produces paralysis rather than liberation, leads to bad decisions and reduces satisfaction with even good decisions."

DATA LOSS—AUSTRALIA

CityCycle Apologizes for Breach (February 4, 2011)

Brisbane's CityCycle bike hire company is apologizing to customers for a data breach involving their e-mail addresses. Brisbane Times reports that the company sent a message to 1,306 customers yesterday, exposing the e-mail addresses of all in the "to" field. The company's chief executive, Steve O'Connor, described it as a "regrettable" human error, adding, "We'll have to do a review of our procedures internally to make sure it doesn't happen again." O'Connor said the company would notify the privacy commissioner's office on Monday, asserting, "We'll explain (to the commissioner) how it happened and why it won't happen again."

BIOMETRICS—AUSTRALIA

Fingerprint Scanners Popular, Regulations Lacking (February 4, 2011)

Australian night clubs are increasingly requiring patrons to use fingerprint scanners for access, but a lack of regulations about the biometric data collected has some concerned about potential ramifications, The Sydney Morning Herald reports. Privacy Commissioner Timothy Pilgrim has drafted scanner guidelines but has no auditing powers. The Biometrics Institute of Australia has called for changes to the Privacy Act, including mandatory privacy impact assessments and audits with no exemption for any group and a unified national privacy system, the report states. Pilgrim said anyone using the scanners should be aware that the Privacy Act requires that they provide notice for data uses and that it "cannot be automatically shared with other venues."

DATA LOSS—AUSTRALIA & NEW ZEALAND

Recent Breaches Highlight Need for Laws (February 4, 2011)

Recent data breaches across Australia and New Zealand are prompting calls for new legislation, ZDNet reports. Citing recent high-profile data breach incidents, the report points out that companies are not required to notify the public about breaches, prompting author Suzanne Tindal to ponder how many breaches are actually disclosed. "We can force them out of those comfy little dark holes they so love to hide in via data breach laws," she writes, adding, "Unfortunately, such laws are still a long way off...I for one wish the process could be accelerated. Because until companies are forced to be accountable for any mess they create, there's no real incentive not to create it."

PRIVACY—AUSTRALIA

Direct Marketing Chief Focused on Privacy (February 4, 2011)

Jodie Sangster, the incoming chief of the direct marketing industry, says privacy issues will be a key focus when her job begins in April, The Sydney Morning Herald reports. "Everyone is struggling to deal with privacy," said Sangster, who previously worked for the Australian Direct Marketing Association, adding that Australia's regulatory environment is somewhere in the middle of the "extremely strict rules" of Europe and more "sensible" U.S. laws, the report states. "We will maintain a watchful eye to make sure that the legislation that we have here does make sense with the new way that customers are both interacting and being contacted, to make sure that it is neither too restrictive nor too lax," she said.

PRIVACY LAW—NEW ZEALAND

Tribunal: Doctor Did Not Breach Privacy (February 4, 2011)

The Human Rights Review Tribunal has cleared an Invercargill doctor of breaching a careworker's privacy by disclosing personal information to her employer, The New Zealand Herald reports. The doctor was reprimanded for breaching the patient's privacy by disclosing her drug addiction to the nursing home where she worked, the report states. The doctor contended he was concerned for patient safety at the facility, and the tribunal found he had reasonable grounds to believe there was a serious and imminent threat to rest home patients. Privacy Commissioner Marie Shroff had previously ruled the doctor should have notified only the nursing home's manager; however, the High Court of Wellington overturned that ruling.

PERSONAL PRIVACY

Cavoukian Releases Smart Grid Study (February 2, 2011)

Ontario Privacy Commissioner Ann Cavoukian today released a study on an Ontario utility's approach to smart meter deployment, which she says should serve as the model for all future smart grid investment, The Globe and Mail reports. Released at a California event, Operationalizing Privacy by Design: The Ontario Smart Grid Case Study is the third in a suite of papers on smart grid deployment. It describes the utility's policy to only include customer identification information in the company's own billing records and not share it with third parties unless consent is acquired for service offers. "Smart grid technologies have the potential to collect extremely detailed information about energy consumption in the home, which can lead to the unwelcome profiling of individuals," Cavoukian said.

ONLINE PRIVACY

Mozilla Offers Do-Not-Track Feature (February 1, 2011)

Mozilla has confirmed that its Firefox 4 Web browser will include a do-not-track system allowing users to opt out of targeted advertising, V3.co.uk reports. "This is just our first step," said Mozilla developer Sid Stamm. "We are exploring ways to empower users to have more robust and precise control over their data, and will share our progress on this as it is made." Google has added a similar feature to its Chrome browser, while Microsoft is exploring tracking protection to work consistently across browsers. The announcements come in the midst of questions about what "do not track" actually means, prompting the Center for Democracy & Technology to release a draft definition.

DATA PROTECTION

Study: Compliance Saves Money (February 1, 2011)

A benchmark study conducted by the Ponemon Institute and sponsored by Tripwire has shown that investing in IT and security compliance can save companies money over time. Bank Info Security reports that through interviews with 160 IT practitioners across a broad range of industries, the study found that companies that review and maintain compliance with security standards spend an average of $3.5 million yearly, while the cost of noncompliance came in at $9.4 million--due mostly to business disruption and loss of productivity, according to the researchers. Tripwire's Rekha Shenoy noted that, in terms of compliance reviews, "PCI was the one that was top of mind across all industries, because they all take card payments."