ANZ Dashboard Digest

Putting its regard for privacy compliance to the fore, the iappANZ Board has this week taken the decision to opt in to the obligations of the new privacy legislation. You will see our new privacy policy, and we welcome any comments as it has been a collaborative effort by some of Australia’s finest privacy minds. We understand that the privacy commissioner will be talking about ways to improve organisations’ privacy policies at the OAIC Privacy Awareness Week Breakfast, so if you are revising yours, it is an event not to be missed. In news this week you will also see that AMSRO has also applied to register a non-mandatory code of practice.

Now that 12 March is over, we are starting to see less of the doomsday reports and more of the innovation which the OAIC encourages. We expect plenty of new ideas in Privacy Awareness Week in May. We are delighted to confirm that the deputy chair of the ACMA will be joining the ALRC and OAIC representatives in our Great Debate on Australia’s direction on serious invasion of privacy in the digital age.

The article by Brenda Aynsley OAM this week, “Sharing the Values to match the technology,” presents a fascinating counterpoint to the call by Tim Berners-Lee and the World Wide Web consortium in their “Web We Want Campaign.” Aynsley examines the important distinction between “trusted” providers and “trustworthy” providers. Trustworthiness is critical because technology projects continue to have one of the highest rates of failure—failure to deliver on promises, on time, on budget—or all three. Risks such as those presented internationally by Heartbleed or the CDA security breach, which threatens the Personally Controlled Electronic Health Record, mean that the concept of trustworthy will become increasingly significant for privacy professionals that either develop or procure technology. Then, of course, as the story on the use of biometric facial recognition technology in Japan shows, trustworthiness in the party deploying the technology is vital. It will be interesting to hear from Tim Rains on trustworthy computing in Privacy Awareness Week. Hope to meet you there.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

ONLINE PRIVACY

Opinion: Big Data Needs Ethics (May 27, 2011)

In an article for the MIT Technology Review, Jeffrey F. Rayport delves into "Big Data" and the myriad companies emerging that mine and aggregate "massive amounts of unstructured data"--800 billion gigabytes of which is currently available, estimates market intelligence firm IDC--for financial gain. "As the store of data grows, the analytics available to draw inferences from it will only become more sophisticated," Rayport opines, adding, "The potential dark side of Big Data suggests the need for a code of ethical principles." Rayport proposes a structure of ethics, including his own digital "Golden Rule: Do unto the data of others as you would have them do unto yours."

PRIVACY LAW—AUSTRALIA

Report: Gov’t Should Not Regulate Cloud Computing (May 27, 2011)

ABC's "PM with Mark Colvin" reports on a task force that says the federal government should not interfere with cloud computing. Three cloud computing experts are interviewed on the program. One expert was part of the task force that "recommended the Gillard Government consider developing an industry code of conduct, setting minimum contract standards and providing consumer education." Another expert disagreed with the report, saying the task force focused on the trust mark--"a very poor model." An Electronic Frontiers Australia spokesman noted that they are "in favour of principles-based legislation that requires companies to make best efforts to look after user privacy."

ONLINE PRIVACY—NEW ZEALAND

Poll: Majority Want Privacy Regulation (May 27, 2011)

A recent poll surveying New Zealanders indicates that while positive opinions of Google and Facebook are high--94 and 73 percent respectively--more than half of the respondents still think each service should be regulated to protect personal privacy, Stuff.co.nz reports. Conducted by UMR Research, the poll surveyed 1,000 adult New Zealanders in April, one month after surveying Australians. The results "also showed New Zealanders were more trusting of the Internet heavyweight(s) than Australians."   

ONLINE PRIVACY—NEW ZEALAND

How Do They Know This Stuff? (May 27, 2011)

A Stuff.co.nz report explores the ways in which marketers and fraudsters alike can acquire consumers' valuable personal information--from posts on social networking sites and uploading photos to using "airpoints" bonus cards and methods beyond consumer control. A study showed that last year, 43 percent of New Zealand citizens used social networking sites; meanwhile, high-profile data breaches abound and Privacy Commissioner Marie Shroff acknowledged that not using the Internet amounts to social exclusion. But how do consumers protect their privacy? The report includes experts attesting to the importance of setting secure privacy settings, using unique passwords for different websites and being smart about what information you offer up online.

PRIVACY LAW—QUEENSLAND

Police Return Journalist’s iPad (May 27, 2011)

Queensland Police have returned a Fairfax journalist's iPad after retaining it last week, The Sydney Morning Herald reports. Police arrested journalist Ben Grubb after he wrote about a privacy flaw on Facebook. Police believed the iPad contained evidence of an alleged offence, raising questions about the protection of journalists' data. Terry O'Gorman, president of The Australian Council for Civil Liberties, said the iPad functions as a notebook, which would require a subpoena to obtain. "There's far too many of these seizures of iPads and iPhones by police," he said.

DATA PROTECTION—HONG KONG

Octopus To Enhance Privacy Protections (May 27, 2011)

Octopus Holdings Limited (OHL) has said it welcomes the Office of the Privacy Commissioner for Personal Data's (PCPD) interim report on its investigation into the company's data protection practices, PaymentsMarket reports. OHL said it will consider and implement the PCPD's recommendations "where appropriate" after it reviews the report more closely. The company has also taken several steps to improve its customer data and privacy protection, including the discontinuation of sharing consumer data with third-party marketers, the appointment of an independent auditor and the inclusion of opt-outs for customers.

ONLINE PRIVACY

G-8 Leaders Talk Privacy, Internet Regulation (May 25, 2011)

In a communiqué to be issued later this week, G-8 leaders are expected to call for stronger regulation of the Internet, including strengthened privacy protections, The New York Times reports. The document is expected to call for "an international approach to protecting users' personal data," and to "encourage the development of common approaches...based on fundamental rights that protect personal data, whilst allowing the legitimate transfer of data," according to a Daily Mail report. At yesterday's opening of the e-G8 Forum in Paris--a prelude event to the Group of Eight meeting taking place later this week in Deauville, France--global Internet leaders and heads of state discussed and debated some of the issues that have provoked the attention of the G-8. (Registration may be required to access this story.)

PRIVACY LAW

EU Cookie Rules Will Have International Impact (May 24, 2011)

New EU privacy rules requiring companies to give users "clear, comprehensive and understandable information about how, why and for how long their data is processed" will affect any Web company with EU customers, eWEEK reports. The law, which gives Internet users more control of their data, went into effect May 26. "The e-Privacy Directive applies to cookies used to collect information that is not directly related to the service offered by the site and would be used for advertising purposes," the report states, noting cookies used for the collection of non-advertising data such as passwords may still be installed without explicit user consent.

DATA LOSS

Data Breaches Continue (May 24, 2011)

Sony has announced that it has found a data breach in one of its Sony Music Entertainment Greece units. Usernames, passwords, e-mails and phone numbers for approximately 8,500 customers were compromised, but credit card information was not, The Wall Street Journal reports. Sony has also detected unauthorized user access to two additional websites in Thailand and Indonesia. The company immediately shut down the websites upon learning of the breaches. A spokesman for Sony said the company is not sure if these incidents were related to the PlayStation Network breaches last month, but added, "For now, we are still investigating each incident." (Registration may be required to access this story.)

ONLINE PRIVACY—AUSTRALIA

Opinion: The Necessary Big Data Debate (May 23, 2011)

In a column for ITNews, former Australian Privacy Commissioner Malcolm Crompton, CIPP, raises several issues surrounding the emergence of "Big Data." Noting that "immense datasets" offer potential economic gains while driving innovation, Crompton asks, "Can we gain from the enormous economic benefits of Big Data while maintaining privacy?" To flesh out the debate, he cites an OECD roundtable, "The Economics of Personal Data and Privacy;" a recent blog post, "Will a Crackdown on Privacy Kill Big Data Innovation," and a speech touching upon the need for an ethical framework built into search algorithms.

PRIVACY LAW

OIPC Releases Annual Report (May 20, 2011)

Urging public organizations to "be proactive," Ontario Information and Privacy Commissioner Ann Cavoukian released her annual report on Tuesday. In a year where more Freedom of Information requests were filed in Ontario, the press release said, it was also a year that set a new record for the number of privacy complaints closed. Key issues identified in the report include the protection of personal health information on mobile devices; international recognition of Privacy by Design and Access by Design by government frameworks; the OIPC's collaboration with Hydro One and Toronto One to embed privacy into the smart grid; a privacy-friendly biometric facial recognition system for the Ontario Lottery and Gaming Corporation, and the issue of standardizing the cost of health record access.

ONLINE PRIVACY

Schmidt: No Facial Recognition for Google (May 20, 2011)

Google CEO Eric Schmidt, talking this week at the company's "Big Tent" conference in the UK, said that Google is "unlikely" to create a facial recognition database, saying the accuracy of the technology is "very concerning" and that popularizing the technology may cause governments to pass broad-reaching laws with unintended consequences, reports PC Advisor. Schmidt also announced Google's new Dashboard, a service that allows users to see the information Google has collected about them and opt to delete certain data. "It is worth stressing that we can only do this with data you have shared with Google. We can't be a vacuum cleaner for the whole Internet," said Schmidt.

ONLINE PRIVACY

Expert Explores Internet Data Dilemma (May 20, 2011)

When it comes to controlling personal information online, the best option Internet users have lies in that old adage, "if you can't beat them, join them." That's according to MIT Prof. Sandy Pentland, whose work has focused on finding a data collection approach that works for organizations, advocates and regulators, The Wall Street Journal reports. Pentland suggests an approach where consumers manage their data and receive compensation for making it available. "Your data becomes a new asset class," he said, adding, "you have more control over the information, and it becomes your most lucrative asset." (Registration may be required to access this story.)

DATA LOSS—AUSTRALIA

Underreported Breaches Mask Problem’s Severity (May 20, 2011)

The number of breaches occurring at local organisations is underreported, masking the severity of the problem, The Australian reports. That's according to Queensland Police Superintendent Brian Hay, who said that the "continuous silence is suppressing the reality of the situation" and that "breaches are happening all the time, and yet, no one's told us about it; everything's being suppressed." Recent headlines about major companies' data breaches helped to expose the problem, Hay said, adding that "the gravity and extent of the problem will never be recognised if the matter isn't openly debated."

ONLINE PRIVACY—NEW ZEALAND

Mitigating Risks in the Cloud (May 20, 2011)

The New Zealand Herald reports on Privacy Commissioner Marie Shroff's concerns about cloud computing risks for individuals and organisations in the context of recent data breaches, social networking privacy policies and information security on mobile devices. A recent survey of 50 large businesses found that many organisations currently use cloud computing providers to handle information without checking the providers' information use and management policies. Shroff notes that "the people whose information it is often don't have a clue where the information is or how it's controlled." The commissioner's office is using the survey results to develop strategies to alleviate risks when using cloud computing services.

DATA LOSS—AUSTRALIA

Breach Costs Expected To Continue Rising (May 20, 2011)

The average cost of each record lost in a data breach is about $128, up four percent from 2009, Smart Company reports. That's according to new research by Symantec and the Ponemon Institute, which also found that the cost of significant data breaches--those involving 3,200 to 65,000 individuals--was $2 million in 2010, as reported by 19 Australian companies. "The data breach aspect is not going to get any better. It's going to get worse with all new types of cloud-based models companies are using now, so leak stress will be even greater," said one expert.

PRIVACY LAW—NEW ZEALAND

Commissioner Extends Earthquake Sharing Code (May 20, 2011)

Privacy Commissioner Marie Shroff has announced that the Christchurch Earthquake Information Sharing Code has been extended to 30 June. The commissioner issued the code on 24 February to assist with response to the disaster. The code allows emergency services to share personal information as necessary to help victims find relatives, get back home or receive medical or financial assistance. "Although the state of national emergency was lifted earlier this month, many extraordinary challenges continue in the current phase of the earthquake response," Shroff said.

DATA LOSS—QUEENSLAND

Social Network Security Lesson Spurs Arrest (May 20, 2011)

Queensland Police arrested a journalist after he wrote about vulnerabilities in Facebook privacy controls, The Sydney Morning Herald reports. No charges were filed, but police did retain Ben Grubb's iPad, the report states. The arrest stemmed from an IT security conference that included access to password-protected information on the social network. "I thought it made a great story--a flaw in the system that meant not everything you uploaded...was secure, even if placed behind a privacy-protected profile," Grubb explained. But, he wrote, to have his iPad, which "contains not only private but work-related information," confiscated was a "seriously alarming" consequence.

SOCIAL NETWORKING—AUSTRALIA

Opinion: Time to Rethink Privacy, Property (May 20, 2011)

A men-only social networking group has raised the ire of some in Australia who say it is time to rethink legislative means toward protecting individuals' privacy. In The Sydney Morning Herald, a Melbourne University doctoral student discusses the so-called Brocial Network, on which male group members share photographs of women. Jessica Lake looks back on how the use of photography sparked the first privacy-related bill in the United States back in 1886 and says the Brocial Network should provoke Australia to "seriously consider the law-reform question of how best to protect the private rights of photographed subjects."

PRIVACY LAW—NEW ZEALAND

Opinion: Mandatory Breach Notification Needed (May 20, 2011)

In an opinion piece for the National Business Review, InternetNZ Chief Executive Vikram Kumar writes that he hopes the Law Commission recommends making breach notifications compulsory in its upcoming review of the Privacy Act. At present, there are guidelines for organisations to voluntarily notify affected individuals. But mandatory notifications will add costs in the case of a breach, Kumar writes, which would incite companies to better protect data in the first place. Because some argue that mandatory breach notification has not been proven to reduce breaches, Kumar recommends a trial period of two years, after which a determination could be made.

DATA LOSS—JAPAN

Gaming Company Loses Data (May 20, 2011)

Japanese game developer Square Enix announced a breach that may have affected 25,000 e-mail addresses and as many as 350 resumes of job seekers, reports Cryptzone. Hackers gained access to a subsidiary's website and to an online page for a yet-to-be-released game. Upon discovering the breach, the company took down both sites and enhanced their security before making them live again. Square Enix is writing apology letters to those affected.

PRIVACY LAW—KOREA

Comprehensive Data Protection Law Passed (May 19, 2011)

On March 29, Korea passed the Personal Information Protection Act (PIPA), which will go into effect September 30. The law broadly restricts the collection, use and retention of personal data and puts limits on the use of closed-circuit television, while also providing for internal controls and litigation of data protection disputes, reports the Bae, Kim & Lee Newsletter. PIPA applies broad definitions to "personal information" and "data handlers" and will overlap the two data protection laws covering telecom service providers and entities handling credit information, respectively. It also requires data handlers to publish personal data handling policies and appoint an individual to be responsible for the data.

DATA LOSS

Security Flaw Forces Site Shutdown (May 19, 2011)

Sony has shut down a website that was designed to help those affected by last month's data breaches, Reuters reports. The announcement came after Sony found a "security hole"--potentially allowing hackers to access users' accounts by using personal information stolen during the original breaches. The news comes after U.S. lawmakers wrote a letter to the company questioning the breach incidents and response. One expert said, "The Sony network in general still isn't secure and still has security issues that could be exploited by hackers." A Sony spokesman said the issue has been fixed, and the site will be back up soon.

ONLINE PRIVACY

Google Introduces TRUSTe Seal in App Marketplace (May 19, 2011)

In response to concerns about the data handling practices of Web apps, Google has introduced a TRUSTe certification in its Apps Marketplace--the online store offering business-oriented Android applications, reports InformationWeek. The certification applies to installable applications and aims to clarify the makers' privacy practices. To get certified, app makers need to answer a series of questions about data sharing and security. Certified apps will display the green TRUSTe seal. The report stresses, however, that the certification is "not a guarantee of security or proper data handling; it's merely an assessment of whether a particular vendor's self-reported practices fall within industry norms."

ONLINE PRIVACY

Research: Flaw Could Compromise Smartphones (May 18, 2011)

Researchers from Germany's Ulm University have found a security flaw that could make it possible for hackers to breach data on certain Google Android applications, the Financial Times reports. The research indicates that photo-sharing, calendar and contacts applications could be breached, the report states, spurring warnings to Android users to avoid public WiFi networks. Google is quoted as saying, "We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa." As the effort to fix the issues continues, IT PRO reports that Google is adding trust accreditation to its Marketplace Apps. (Registration may be required to access this story.)

PRIVACY LAW—NEW ZEALAND

Commissioner Proposes Changes to Credit Reporting (May 17, 2011)

Privacy Commissioner Marie Shroff has proposed several changes to New Zealand's Credit Reporting Privacy Code. A press release issued by the privacy commissioner noted that Amendment No. 5 will introduce a style of credit reporting similar to the system employed in the U.S. The new amendment will include ongoing reporting of repayment history, give credit reporters additional tools to assess creditworthiness and allow victims of identity theft to exercise a "credit freeze." Supporters of the changes claim they will help New Zealand "climb" out of the recession, whereas skeptics are "very suspicious," saying it is not a "transparent system." Shroff noted, "There is no doubt that this would be a more intrusive regime, but I have tried to ensure that there will be benefits to individuals and the community as well as to business members."

DATA PROTECTION—AUSTRALIA

Committee: Biometrics Not To Be Used To ID Gamblers (May 13, 2011)

Biometrics are not an acceptable form of identification for gamblers, says an Australian committee charged with curbing gambling addiction, ZDNet reports. The gambling reform parliamentary committee said biometrics are too privacy invasive and that though some information is needed for identification purposes, storing biometric data in a national database would be unacceptable. Any proposed national regulation authority for gambling should have a detailed plan for how privacy will be handled, the committee said in a report last week.

PRIVACY PROTECTION—NEW ZEALAND

Survey Finds Organisations Foggy on Cloud Issues (May 13, 2011)

Survey results presented by Privacy Commissioner Marie Shroff during Privacy Awareness Week show that many government agencies and companies are confused over whether mobile devices use overseas ICT infrastructure. While 46 of the 50 respondents said their organisations use mobile e-mail/Internet devices, 26 respondents said they don't use overseas infrastructure at all. But most mobile e-mail/Internet data is "offshored to Australia and the U.S.," reports Computerworld. Shroff says companies are responsible for protecting that data and should use encryption; put in place controls over use and retrieval, and then monitor those controls. Shroff says she's working with regulators across the globe on privacy issues in the cloud.

TRAVELLERS’ PRIVACY—AUSTRALIA

Security Expert: Scanners Invasive, Ineffective (May 13, 2011)

An airport security expert says body scanners at Australian airports, expected later this year, are the "ultimate intrusion of privacy" and will "provide a placebo feeling of security." In an Adelaide Now Q&A, Roger Henning of Homeland Security Asia-Pacific says that travellers have "zero" rights when it comes to the scanners and that refusing to be scanned will result in a full-scale pat-down, despite the Department of Infrastructure and Transport's assertion that pat-downs will be permission based. Australian authorities have said that the body scanners will be less privacy invasive than those deployed in the U.S., displaying only a generic image of a traveller.

GEO PRIVACY

Google Car Signs Manufacturer (May 13, 2011)

Google has signed a deal with Ford to create cars that the companies hope will eventually be able to predict where drivers want to go. The car will send trip data to remote servers that use cloud computing technology to store and analyse it, reports The Sydney Morning Herald. The car will then use the data to improve its efficiency and plan its routes. Ford research engineer Johannes Kristinsson said, "A key component of this project is looking at how to develop secure personal profiles that will ensure appropriate levels of protection and specific data use only by the driver and the vehicle."

DATA LOSS

Many Negative Effects After Breaches (May 13, 2011)

The Wall Street Journal reports on the financial impact on Sony after three consecutive data breaches. Mintz Levin attorney Cynthia Larose, CIPP, said, "Taken as a whole, the number of customers affected, the PR impact and now the legislative inquiries" rank these data breaches "at the top." Last week, class-action lawsuits were filed against Sony in the U.S. and Canada; however, in Australia, plaintiffs would need to show resulting unauthorised credit card use or identity theft to be successful in a class-action suit, reports The Australian. Brisbane lawyer Mark O'Connor said that would be hard to prove, as "customers can't simply assume they can blame Sony if they have given their personal and credit card details to other businesses online."

ONLINE PRIVACY

Research Raises New Smartphone Concerns (May 12, 2011)

The Wall Street Journal reports on research suggesting that unique smartphone identifiers can be linked with other information to allow third parties access to personal information without users' consent. "The identifiers--long strings of numbers and letters associated with the phone--don't themselves hold any information about users," the report states, but New Zealand-based researcher Aldo Cortesi has found that U.S. gaming company OpenFeint "connected the IDs to users' locations and Facebook profiles and then made the combined data available to outsiders." Although the company has since fixed those issues, Cortesi has noted it is likely that other databases also link the unique IDs with other user information. (Registration may be required to access this story.)

PRIVACY LAW—JAPAN

Current Developments in Data Protection (May 12, 2011)

The Korea Times provides an overview of Japan's data privacy frameworks, including the guidelines currently used by the country. Japan uses guidelines from the Organisation for Economic Co-operation and Development and its own Japanese Industry Standards. In the private sector, the Privacy Mark System is an accreditation that allows organizations to demonstrate their compliance with the law while providing a high level of protection. The article also reviews the three main laws that drive the current legislative structure and mentions that "various issues, such as behavioral targeting marketing and cloud computing, are in talks recently." The Japanese government has also proposed the idea for a "Number System for Social Security and Taxation" and a "Number System Council for Social Security and Taxation."

ONLINE PRIVACY

App Glitch Allowed Fourth-Party Access to Accounts (May 11, 2011)

A security firm has exposed a Facebook vulnerability that allowed third-party applications to share "access tokens" with advertisers and analytics companies, giving them access to users' accounts--including the ability to post information, read wall posts, access friends' profiles and mine personal information, reports The Wall Street Journal. The vulnerability has existed for years and likely affected about 100,000 apps, according to Symantec, which also said it's possible the third parties didn't know they had this ability. Symantec alerted Facebook to the vulnerability in April and the company has since addressed the problem and conducted an investigation that revealed "no evidence of this issue resulting in a user's private information being shared with unauthorized third parties," said a Facebook spokeswoman. (Registration may be required to access this story.)

PRIVACY LAW—NEW ZEALAND

Commissioner Calls for Breach Notification Law (May 9, 2011)

New Zealand Privacy Commissioner Marie Shroff is calling for mandatory notification for breaches that create risk to those affected and criminal sanctions for those who fail to comply, stuff.co.nz reports. "You need to have a sanction there if the scheme is going to be effective," Shroff said. The Law Commission is now reviewing the Privacy Act and will soon make a decision. Shroff says that if the commission opts not to recommend mandatory notification laws, she will consider introducing a statutory code. The chief executive of Business New Zealand said jumping to criminal sanctions is "disturbing" and unjustified.

PRIVACY LAW—AUSTRALIA

Pilgrim Calls for Stricter Laws for Online Posts (May 9, 2011)

Australian Privacy Commissioner Timothy Pilgrim says he has recommended tougher laws for publishing to social networks images that could adversely affect an individual, The Daily Telegraph reports. The government is considering changes to current law, which allows for organizations, but not individuals, to be punished for mishandling personal information. Pilgrim says posting embarrassing photos or damaging information about individuals could harm their chances of gaining employment or put them in physical danger. Because posts can be made by a "much broader range of people rather than just organizations, we need to make sure the community has access to a broader range of remedies to be able to protect personal information," Pilgrim said.

GEO PRIVACY—AUSTRALIA

TomTom Announces Plan To Sell Data (May 6, 2011)

Shortly after getting heat in the Netherlands for selling data that was used by police to set speed traps, TomTom Australia has announced plans to sell user data to third parties, The Sydney Morning Herald reports. The company's vice president of marketing says they'll have to figure out how to ensure the data won't be used for speed traps but gave assurances that it cannot be tracked back to an individual. Australia Privacy Commissioner Timothy Pilgrim said companies that provide GPS devices should be clear about their practices, adding that he has concerns about data aggregation, "where pieces of individual data can be put together to build up a profile."

PRIVACY LAW—AUSTRALIA

Breaches May Advance Privacy Law Reform (May 6, 2011)

In light of Sony's recent data breaches, the Australian government may look to expedite reforms of its Privacy Act, reports The Register. Privacy Commissioner Timothy Pilgrim has asked Sony for information about the breaches and says he will investigate, adding, "I am particularly concerned that it involves information stored on an out-of-date database." Pilgrim says the breach reinforces his view that companies need to further limit the amount of consumer data they collect and how long they store it. The Australian Law Reform Commission has recommended the introduction of a mandatory breach notification law, and the government is considering increasing the privacy commissioner's powers to impose penalties for serious breaches.

DATA LOSS

Nations Vigilant on Data Breach (May 6, 2011)

Concern over Sony's PlayStation Network data breaches continues to grow around the world. The breaches have affected more than 300,000 users in New Zealand and 1.5 million users in Australia, reports the Dominion Post. New Zealand's privacy commissioner notes that her country is a member of the new Global Privacy Enforcement Network (GPEN), adding, "This incident may be one where international cooperation and coordination is useful." Australia will create federal legislation requiring companies to quickly disclose breaches, and its privacy commissioner is investigating whether Sony was in violation of the Privacy Act. With as many as 400,000 affected users, Hong Kong's privacy commissioner said that he expects a report from Sony and will decide if action against the company is necessary.
Full Story

PRIVACY—ASIA PACIFIC

Commissioners Engage in Privacy Awareness Week (May 6, 2011)

Regulators across the region have engaged in Asia Pacific Privacy Authorities' Privacy Awareness Week. Australia Privacy Commissioner Timothy Pilgrim encouraged citizens to reflect on their personal data security practices and take practical steps to protect their own privacy. Pilgrim's office has launched a survey to gauge online users' habits on social networking sites and determine whether they read privacy policies. Pilgrim also said this week that government and businesses have particular data protection responsibilities, PS News reports. Meanwhile, Hong Kong Privacy Commissioner for Personal Data Allan Chiang broadcast a program for youths on protecting privacy and will organize two seminars for teachers and businesses. And New Zealand Privacy Commissioner Marie Shroff has rolled out a toolkit.
Full Story

DATA PROTECTION—NEW ZEALAND

Survey: Organisations Need Guidance for Offshore Data Storage (May 6, 2011)

Results from a survey conducted by New Zealand Privacy Commissioner Marie Shroff indicate that the public and private sectors need more guidance for the offshore storage of personal information, reports Voxy. "The International Disclosures and Overseas ICT Survey" queried 50 businesses and government agencies about where they stored personal information, the reasons for its use and storage overseas and how it was protected. The article suggests that many organisations have controls for data in transit but no controls for information once it's sent overseas. "If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer," said Shroff, "it is imperative that privacy issues are tackled and got right."
Full Story

ONLINE PRIVACY—SOUTH KOREA

Google Services Prompt Investigation (May 6, 2011)

Police in South Korea are investigating Google's privacy policies over what one official said are concerns that the company's "AdMob collected personal location information without consent or approval from the Korean Communication Commission." Investigators raided the company's Seoul offices on Tuesday morning, The Register reports.
Full Story

ONLINE PRIVACY

Apple Releases iPhone Update (May 6, 2011)

The New Zealand Herald reports on Apple's release of software to update how long its iPhone stores users' location information in the wake of privacy concerns. Information included with the update indicates that location information will no longer be backed up on computers and disabling location features will result in location data being deleted. "Apple says the location data won't be kept for more than a week after the changes to the iPhone's operating system are installed," the report states.
Full Story

HEALTHCARE PRIVACY—NEW ZEALAND

Shroff Rolls Out Toolkit for Awareness Week (May 5, 2011)

Privacy Commissioner Marie Shroff has released a toolkit for healthcare providers and consumers as part of Privacy Awareness Week. The kit contains brochures and fact sheets for consumers as well as an updated privacy reference guide, case notes and a training presentation for providers. Otago Daily Times reports that Shroff said the patient-provider relationship is "based on confidentiality and trust," and while providers do their best, it's important for consumers to know their rights. "Consumers need the chance to participate in the conversation about how their health information can be appropriately managed. They need some control. And they can only do this if they know what's going on," she said.
Full Story

ONLINE PRIVACY

Study: Define “Do Not Track” (May 4, 2011)

Initial results of a study of 200 Web users reveal that consumers might define the term "do not track" differently than Web companies, MediaPost reports. Preceding last week's World Wide Web Consortium workshop, researcher Aleecia McDonald asked Internet users what kind of data would be collected after activating a do-not-track option. Nearly 40 percent of respondents felt that "nothing at all" would be collected. Fifty-one percent of those polled indicated that they would not be surprised if nothing changed after they activated a do-not-track option. Eighty-one percent said it was the first time they had heard the phrase do not track.
Full Story

DATA PROTECTION—AUSTRALIA

Commissioner Warns Gov’t Agencies of Cloud’s Risks (May 3, 2011)

The desire to reduce costs by using cloud computing should be weighed against the risk factors, warns Victoria Privacy Commissioner Helen Versey. State government entities that store data in a cloud hosted internationally complicate the state government's ability to protect the data from misuse, loss and unauthorized access, Versey said, adding that it "may even be possible for foreign governments to access the information if that government requires it. By using a cloud service, the government agency is relinquishing some--if not all--control over their data." Versey this week released a decision-making guide on cloud computing, The Australian reports.
Full Story

DATA PROTECTION—AUSTRALIA

Pilgrim: Companies Need To Protect Consumer Data (May 2, 2011)

Privacy Commissioner Timothy Pilgrim is calling on companies to make sure their data protection efforts are "world standard." Citing the breach notification laws in 40 U.S. states, the commissioner said the Australian Law Reform Commission is recommending similar regulations, reports ABC Sydney. Pilgrim says that while the onus is on companies to protect information online, users can do more by setting privacy settings to the strongest level. For those who feel their privacy has been breached, the commissioner will hear complaints, but, the report states, the Law Reform Commission is also asking for an "explicit right to privacy" so people can bring lawsuits.
Full Story