ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

HEALTHCARE PRIVACY—AUSTRALIA

E-Health Violations To Result in Fines (September 30, 2011)

Australia's government will fine health practitioners $66,000 for breaches of electronic health records, iTNews reports. Draft legislation includes penalties of $13,200 for each instance of a record being either breached or accessed without authorization. It also states that healthcare practitioners can only upload patient data if consent is obtained and that Australians will have access to their own data. Exceptions to patient records access rules include "to prevent a serious threat to an individual's life, health or safety" or to public health and safety. Health Minister Nicola Roxon said the Personally Controlled Electronic Health Record system will be more secure and private than paper-based records.
Full Story

SOCIAL NETWORKING

Site Introduces New Privacy Features (September 30, 2011)

Music streaming site Spotify has introduced new privacy features in the wake of complaints about its integration with the world's largest social network, the Financial Times reports. The music service had "quietly introduced the requirement that all new users sign up with a Facebook account rather than the usual e-mail" and "defaulted to sharing all a user's listening habits," the report states. While users could choose to opt out of sharing their music tastes through Facebook, in response to "hundreds of complaints," Spotify's CEO has announced a new "private listening" mode, noting, "we value feedback and will make changes based on it." (Registration may be required to access this story.)
Full Story

SURVEILLANCE—NEW ZEALAND

Commission To Question Transport Agency (September 30, 2011)

The Privacy Commission will ask the New Zealand Transport Agency why it has been collecting information on individual vehicles, The New Zealand Herald reports. The agency has been using automatic number plate recognition cameras to collect and store information on about 14,000 cars per day to monitor speeding near a construction site. The Privacy Commission was not made aware of the project and says it will follow up with the agency next week about the data collection. "You've got to have good reason to collect it in the first place and hold on to it," said Assistant Privacy Commissioner Katrine Evans.
Full Story

PRIVACY LAW—AUSTRALIA

Opinion: Call for Civil Actions Misses Mark (September 30, 2011)

The day after Privacy Minister Brendan O'Connor published an issues paper calling for the creation of new laws to give Australians a civil right to action for certain privacy breaches, The Australian criticised it, describing the effort as "disappointing" and encouraging the federal government to find a more balanced approach. "There is community consensus that privacy needs protection," the report states, "the only question is how best to achieve that goal." The paper says the federal government should be coming up with "a way of protecting privacy that achieves its goal without inflicting unexpected damage on other valuable interests."
Full Story

FINANCIAL PRIVACY—AUSTRALIA & NEW ZEALAND

Audits Reveal Businesses Are At Risk of Fraud (September 30, 2011)

SC Magazine reports that Australia and New Zealand's 40,000 small- and medium-sized businesses are at the highest risk of becoming victims of fraud. That's according to Visa, which found in biannual audits that most at risk are businesses such as independent supermarket chains, clubs and restaurants that process point-of-sale credit card transactions through backroom servers--hacker favorites because they are easy to crack, the report states. A Visa spokesman said merchants may have integrated systems years ago--some before PCI DSS standards--that are no longer up-to-date, while cybercriminals have moved forward. Businesses with the most unsecure networks were those with WiFi and Bluetooth networks, the report states.
Full Story

IDENTITY THEFT—NEW ZEALAND

Identity Theft Advice Issued (September 30, 2011)

As individuals give out increasing amounts of personal information online, Privacy Commissioner Marie Shroff's office has partnered with Neighbourhood Support to publish advice geared especially toward older adults on how to avoid identity theft--a crime Shroff says affects more than 130,000 New Zealanders per year. The advice is based on interviews conducted with a group of seniors on their perceptions of key problems in keeping their personal information safe. A spokeswoman for the Office for Senior Citizens said, "We'd like to see people have the confidence to say no if they are concerned about handing over their information or agreeing to let someone else have access to their personal details."
Full Story
 

SOCIAL NETWORKING—VICTORIA

Gov’t Use of Social Media Legit, Brings Risks (September 30, 2011)

Victorian Privacy Commissioner Helen Versey has released guidance on government organisations' use of social networking sites, which she says can be a useful business tool. "However, there are privacy concerns that need to be identified and addressed," she says. It's important that organisations realise that not every individual will understand their privacy settings and options on social networking sites, Versey's Social Networking information sheet says, and individuals should be made aware of what personal information will be publicly available.
Full Story

PRIVACY LAW—HONG KONG

Privacy Advisory Committee Members Appointed (September 30, 2011)

New members have been appointed to Hong Kong's Personal Data (Privacy) Advisory Committee, reports 7th Space. The members will be official as of 1 October and will serve a term of two years. "Given the wealth of experience and the broad spectrum of expertise of the committee members, we are confident that the committee will be able to provide valuable advice to the privacy commissioner on the protection of personal data privacy and matters relevant to the operation of the Personal Data (Privacy) Ordinance," said a government spokesperson.
Full Story

DATA LOSS—AUSTRALIA

Pilgrim: Sony Did Not Breach Privacy Act (September 29, 2011)

Privacy Commissioner Timothy Pilgrim has cleared Sony Computer Entertainment Australia of wrongdoing in the hacks earlier this year that exposed the personal information of 77 million customers, The Sydney Morning Herald reports. Pilgrim today published his investigation report, which found no breach of the Privacy Act because there was no evidence that Sony "intentionally disclosed" data and the company "took reasonable steps to protect its customers' personal information." However, Pilgrim said he "would have liked to have seen Sony act more swiftly to let its customers know about this incident." Last week, U.S. officials arrested a man in connection with the Sony hackings.
Full Story

FINANCIAL PRIVACY

Firms Scrambling Ahead of PCI DSS Audits (September 29, 2011)

Firms are struggling to maintain compliance with PCI DSS standards, SearchSecurity.com reports. That's based on the "2011 Verizon Payment Card Industry Compliance Report," which looked at more than 100 PCI DSS assessments conducted by Verizon's PCI Qualified Security Assessors in 2010, based on compliance with 12 PCI DSS standards. The report found 21 percent of organizations were fully compliant, and when compliance is achieved, it's not maintained through the next assessment period. Organizations are meeting about 80 percent of requirements, a Verizon spokesman said, adding, "We're seeing lots of scrambling to get things in order for the assessor, and that's not the intent of PCI DSS at all."
Full Story

SOCIAL NETWORKING

Technologist Says Site Fixed Cookie Problem (September 28, 2011)

ZDNet reports that Facebook has denied technologist Nik Cubrilovic's claim that the social networking site tracks users even after they have logged out. Cubrilovic, whose claims incited concerns among privacy advocates this week, says Facebook has since made changes to the logout process, alleviating privacy concerns. He has detailed the functions of what he says are the site's five persistent cookies, including the user ID, which he says is now destroyed when a user logs out. The rest of the cookies, Cubrilovic says, are not concerning and users "shouldn't worry about them."
Full Story

PRIVACY LAW—AUSTRALIA

Minister: Breach Notification Laws Possible (September 28, 2011)

A discussion paper for Australia's proposed federal privacy reforms, announced last week, could introduce a statutory cause of action for victims of privacy invasions, reports SC Magazine. A spokesperson for Home Affairs Minister Brendan O'Connor says that "proposals for mandatory breach notification rules (would be) considered by the government once foundational reforms to the Privacy Act have been progressed." O'Connor's department has said that it would consider breach notification laws if there is sufficient evidence that the loss of personal information within business is increasing and information security is lacking. The Australian Law Reform Commission recommended breach notification laws in 2008, and they have remained under consideration since.
Full Story

SOCIAL NETWORKING

Site’s Redesign Ignites Concerns (September 27, 2011)

Facebook's planned redesign has some users and privacy advocates concerned, The Washington Post reports. The redesign will integrate third-party apps into a user's profile page and update user activity on those apps automatically, meaning "users will have to think more carefully about what apps they use, since their private media consumption, exercise routines and other habits could be automatically published on their profiles," the report states. Pam Dixon of the World Privacy Forum said consumers have voiced that they don't understand the new, more granular privacy controls. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Opinion: Search Engines Need Discretion (September 27, 2011)

In a column for The New York Times, Noam Cohen analyzes the "predicament" surrounding the loss of control of one's online identity through search engine algorithms. One such case involves a U.S. presidential candidate whose lost online identity "stands as a chilling example of what it means to be at the mercy" of a search engine algorithm. A search engine company says that "search results are a reflection of the content and information that is available on the Web," but Cohen writes that the issue should be directed at the companies, not the algorithms, "especially when it comes to hurting living, breathing people." (Registration may be required to access this story.)
Full Story

PRIVACY

Report Spotlights “New World of Corporate Privacy” (September 26, 2011)

The Wall Street Journal explores the value of privacy impact assessments to avoid "running into regulatory fire in the complicated landscape of privacy law" across jurisdictions, pointing out that a "growing cadre of professionals is being hired to manage companies' privacy risk." The report spotlights the work of the IAPP; includes insights from several IAPP members from leading companies including GE, IBM, Apple and Hewlett-Packard, and quotes IAPP President and CEO J. Trevor Hughes, CIPP, who explains that when it comes to the work of privacy professionals, "Early on it was all about compliance. Today, there is as much business-management focus as there is law and compliance." (Registration may be required to access this story.)

DATA PROTECTION

New Technologies and Tips for Protecting Data (September 26, 2011)

The frequency and scale of recent data breaches are causing many companies to reevaluate their data protection mechanisms and question what to do in the event of a cyberattack. The Wall Street Journal reports on new methods of system security that go beyond the password, such as two-factor authentication and machine fingerprinting. While not perfect, one expert equates the additional security to "putting speed bumps in front of the bad guys." In a separate report, the WSJ outlines a list of steps to take if your organization has been hacked, including preemptive training and planning; when to call in the experts and authorities, and tips on notifying customers. (Registration may be required to access this story.)
Full Story

TRAVELLERS’ PRIVACY—EU & AUSTRALIA

New PNR Agreement Gets OK from Council (September 23, 2011)

The Council of the European Union has approved the signing of a new EU-Australia Passenger Name Records (PNR) agreement, which is expected by the end of the month. The main aspects of the agreement, according to a council press release, include a strict purpose-of-use limitation to terrorist activities and transnational crime; a requirement that Australian border authorities share intelligence leads from PNR data with EU authorities; a strong data protection regime prohibiting the use of sensitive data, and a time limit of five-and-a-half years on storing the data. The agreement must receive the European Parliament's consent before its adoption.
Full Story

PRIVACY LAW—AUSTRALIA

OPC Breach Investigation Wrapping Up (September 23, 2011)

The Office of the Privacy Commissioner yesterday said it is close to completing its investigation into breaches related to recent Sony hacking incidents, reports The Australian. Privacy Commissioner Timothy Pilgrim asked Sony to provide his office with details on what information was accessed, what protections were in place to protect consumer data and whether the protections were "reasonable measures to take to protect its customers' personal information from unauthorised access and disclosure." Meanwhile, in the U.S., the company has added a clause to its terms of service to prevent class-action lawsuits after breach-related suits were filed in both Canada and the U.S.
Full Story

BIOMETRICS—NEW ZEALAND

Regulations Announced for Infant Heel-Prick Tests (September 23, 2011)

Health Minister Tony Ryall has announced new protections for heel-prick blood tests taken from newborns. The Dominion Post reports that Privacy Commissioner Marie Shroff has voiced her concerns over the security of this data, calling it the "ultimate identifier" and highlighting the dangers of misuse. Ryall announced that, while heel-prick cards will be kept indefinitely, individual written consent will be needed to use samples taken prior to June of this year in research, and since June, parents have been informed of possible uses prior to agreeing to long-term storage of blood samples. Ryall also said the Privacy Commission is considering plans for regulating the use of the data.
Full Story

PRIVACY LAW—PHILIPPINES

Senate Introduces Data Protection Legislation (September 22, 2011)

New legislation has been introduced in the Senate that would enact a data protection bill, Newsbytes.ph reports. The Data Privacy Act was sponsored by Sen. Edgardo J. Angara and supported by information technology and business process outsourcing industry representatives. The present version of the bill follows the information privacy principles laid out in the Asia-Pacific Economic Cooperation Privacy Framework, including harm prevention notice and data collection limits, the report states. Angara said, "Our Data Privacy Act will act as another layer of legal protection...This is a clear signal to potential investors that the Philippines is seriously committed to safeguarding information."    
Full Story

HEALTHCARE PRIVACY

Survey: Industry Lacks Data Security (September 22, 2011)

A survey of the healthcare industry reveals that less than half the companies surveyed are bolstering privacy and security measures to keep up with the growing use of digital technology, Reuters reports. Of the 600 executives interviewed by PricewaterhouseCoopers' Health Research Institute, nearly 74 percent are planning to expand the use of electronic health records, but only 47 percent are addressing related privacy and security implications. One of the report's contributors, Jim Koenig, CIPP, said, "health IT and new uses of health information are changing quickly and the privacy and security sometimes may not be moving in step...That is some of the most sensitive and important information to a consumer, so with the advancement of healthcare IT, it's only natural that advancements in privacy and security should come along."  
Full Story

HEALTHCARE PRIVACY

Study: Majority Concerned About EHRs (September 21, 2011)

The Australian reports on a survey that reveals more than 80 percent of citizens living in Australia, the U.S. and UK are concerned about the move towards electronic health records. Approximately 37 percent of Australians expressed concern about identity theft; 30 percent worried personal information would find its way onto the Internet, and three percent thought that an employer could access private health data, while only 17 percent expressed "no concerns." A survey representative said, "In all three countries, the growing use of e-medical records is a prime concern because adults believe that having healthcare organizations manage their data electronically exposes them to more threats."
Full Story

PRIVACY LAW—U.S. & MACAU

Case Seeks Return of “Massive Amounts” of Data (September 19, 2011)

A former Las Vegas Sands (LVS) Macau CEO who is involved in a wrongful termination suit has been accused of refusing to return "massive amounts of confidential company data," AsiaOne News reports. LVS has listed concerns that Steven Jacobs "will disclose company documents that contain personal data in violation of Macau law. The Macau Personal Data Protection Act provides for serious sanctions in such circumstances." An attorney for Jacobs is disputing the plaintiff's claims and has said "Macau data privacy laws do not prevent any of the parties from producing documents in this action."

DATA LOSS—AUSTRALIA

Pilgrim: PSR Breached Privacy Act (September 19, 2011)

After a 14-month investigation, Privacy Commissioner Timothy Pilgrim has determined that the Professional Services Review (PSR) breached the Privacy Act, The Australian reports. Pilgrim said the agency stored pharmaceutical and Medicare claims information in the same database, which "was in contravention of PSR's obligations under the privacy guidelines for Medicare benefits and Pharmaceutical benefits programs." The PSR has agreed to improve its data handling practices as a result; it will separate the stored data and update its information technology policies. Pilgrim also examined PSR's data security practices, finding that it "has appropriate security safeguards in place."
Full Story

ONLINE PRIVACY

Researcher: Smartphone IDs Not Secure (September 19, 2011)

The Wall Street Journal reports on the use of smartphones' unique ID numbers as a way for criminals to access users' social networks. While the IDs do not contain user information in and of themselves, the report notes that "app developers and mobile ad networks often use them to keep track of user accounts, sometimes storing them along with more sensitive information like name, location, e-mail address or social-networking data," effectively using the IDs as what researcher Aldo Cortesi describes as a not-too-secure key to that information. "Mobile security is not limited to a singular app or games overall--it's an issue that the entire mobile ecosystem needs to address," Cortesi said. (Registration may be required to access this story.)
Full Story

PRIVACY

Jennifer Barrett Glasgow Receives 2011 Privacy Vanguard Award (September 16, 2011)

Jennifer Barrett Glasgow, CIPP, Acxiom Corporation Executive for Global Public Policy and Privacy, received the 2011 IAPP Privacy Vanguard Award at the annual Privacy Dinner last night in Dallas, TX. Presenting the award, past IAPP Board Chairman and GE Chief Privacy Leader Nuala O'Connor Kelly, CIPP, CIPP/G, described Barrett Glasgow as an educator, advocate and "model of courage, of poise and grace." Also recognized at the dinner were the winners of the 2011 HP-IAPP Innovation Awards--Warner Bros. Entertainment, Inc., Ontario Telemedicine Network and Heartland Payment Systems. Texas Comptroller Susan Combs delivered the evening's keynote address on how agencies, businesses and organizations can learn from a data breach, make proactive data protection choices and improve for the future.

DATA PROTECTION—NEW ZEALAND

Cloud Computing Concerns and Code of Practice (September 16, 2011)

The New Zealand Herald reports on the advertising industry's designs to create a code of practice for cloud computing because of concerns around organisations' use of such services. A survey of 50 businesses and government agencies conducted by the privacy commissioner last May revealed that users possess a "patchy" understanding of cloud services, and often, decisions to utilise cloud services are made on an ad-hoc basis, the report states. Acknowledging that cloud computing is part of the digital revolution, Privacy Commissioner Marie Shroff adds, "It's an immature industry, but it's so big and significant that we wanted to get ahead and see what was happening and what steps people were taking to deal with the risks." 
Full Story

FINANCIAL PRIVACY—AUSTRALIA

Core PCI Compliance Requirements for Businesses (September 16, 2011)

When assuring compliance with the Payment Card Industry (PCI) Data Security Standards, Australian businesses should focus on three core areas, CIO reports. In addition to the 12 PCI compliance requirements for best security practices, businesses should focus on assessing, remediating and reporting. Assessing includes taking an IT asset inventory and noting the ways in which payment details are processed. Remediating takes system vulnerabilities into account and stratifies vulnerability levels in order to address the most serious risks first. Businesses also should regularly submit scan reports to their acquiring bank or payment brands approximately every three months. Compliance allows companies to demonstrate their "business professionalism and commitment to data security," the report states.
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

E-Health To Be Gradual, Celebs Given Fake IDs (September 16, 2011)

Federal Health Minister Nicola Roxon says Australians will be able to opt in to the country's e-health system when it begins in 2012--rather than having it imposed on them--advocating for the system's gradual growth, the Courier Mail reports. Meanwhile, the government has decided that celebrities, politicians and victims of domestic violence will be given fake identities to prevent hacking into their electronic medical records. The government will allow patients who "fear public exposure due to the public nature of their work" or who fear "being traceable when escaping family violence" to use pseudonyms under the new e-health system, which one doctor says will undermine public trust and diminish accuracy.
Full Story

PRIVACY LAW—AUSTRALIA

Expert: Unstable Gov’t Means Delays for Notification Law (September 16, 2011)

While the Australian Law Reform Commission initially proposed the introduction of a data breach notification law in 2008, such legislation has yet to be passed, reports IT Wire. One privacy expert says that is, in part, due to the unstable political environment. "I hope it happens soon," said Craig Scroggie of Symantec, "but ultimately in politics, someone has to be prepared to drive that issue, and in an unstable political environment, the big issues are not easy to get through." Scroggie also notes that implementing a breach notification law means that the government would have to comply with that law.
Full Story

PERSONAL PRIVACY—NEW SOUTH WALES

“Find My Car” App Disabled Due to Concerns (September 16, 2011)

Retailer Westfield has pulled the "Find My Car" option from its iPhone app due to privacy concerns, The Australian reports. The move follows an analyst's findings that the number plates of vehicles parked at its Bondi Junction centre were publicly available due to unencrypted transmission of details. Westfield said it addressed the issue upon discovering the vulnerability, and that the Find My Car option is disabled until it can be "modified to ensure that data cannot be accessed online." The retailer added, "In terms of privacy, the application does not contravene the Privacy Act in so far as number plates are not 'personal information' and are therefore not subject to that act."
Full Story

PRIVACY LAW—SINGAPORE

MICA Proposals Include Do-Not-Call List (September 16, 2011)

The Ministry of Information, Communications and the Arts (MICA) has proposed a do-not-call registry that would allow consumers to opt out of unsolicited telemarketing calls, texts and faxes, reports Today. The proposal is part of a broader push from Members of Parliament for a national data protection law, expected to be tabled in Parliament next year. MICA is also calling for the establishment of a data protection commission with investigatory and fining powers. Lawyers told Today that legislators need to be careful not to make the law too restrictive or "unique" or it may deter business. MICA is currently seeking feedback on its do-not-call proposal through 25 October.
Full Story

PRIVACY LAW—THAILAND

Opinion: Bill Falls Short of True Protection (September 15, 2011)

As Thailand's proposed Personal Information Bill awaits passage, an op-ed in the Bangkok Post outlines the pros and cons of the bill. While it lays out regulations for commercial data controllers, requiring them to adopt adequate data storage systems that meet Personal Information Protection Commission standards, the author writes that the bill also has some fundamental problems. "Almost every aspect of the individual right to personal information protection is heavily qualified," making it "difficult to rely on the act to provide any sort of framework for effective human rights protection," attorney Narun Popattanachai opines. "The second concern is the idea of allowing for open-ended qualifications to the data protection right, which is flatly inadmissible."
Full Story 

ONLINE PRIVACY

Google Offers Location Service Opt-Out (September 14, 2011)

The New York Times reports Google will provide an option for residential WiFi routers to be removed from a registry the company uses to locate cell towers. The change comes in the wake of warnings by EU data protection regulators that "unauthorized use of data sent by WiFi routers, which can broadcast the names, locations and identities of cell phones within their range, violated European law," the report states. Google Global Privacy Counsel Peter Fleischer noted the opt-out comes at the request of several European data protection authorities and "will allow an access point owner to opt out from Google's location services." The opt-out will be available internationally, the report states. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facebook Hires Three: A Privacy Expert, Obama Advisor and Former MEP (September 14, 2011)

Facebook has hired a privacy expert for its Washington, DC, office, The Washington Post reports. Erin Egan, who is currently a partner at Covington & Burling and co-chair of that firm's global privacy and data security practice, will join the company in October as its senior policy advisor and director of privacy. Facebook spokesman Andrew Noyes said, "It's imperative that we scale our policy team so that we have the resources in place to demonstrate to policymakers that we are industry leaders in privacy, data security and safety." The company also announced the hiring of legislative advisor Louisa Terrell as its director of public policy and former European Parliament member Erika Mann as head of its Brussels office. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Doctors To Have Emergency Access to EHRs (September 13, 2011)

The Department of Health and Ageing (DHA) has revised its concept of operations to eliminate the "no access" tier of its document security levels, effectively giving doctors access to all electronic health records (EHRs) in the case of an emergency, reports ITNews. In a former draft of the initiative, patient-controlled EHRs had three levels, "no access," "limited access" and "general access." Privacy Commissioner Timothy Pilgrim has said the "limited" and "no access" security levels are central to consumer trust in the e-health system, while the Australian Medical Association president supports the change--which the DHA says was in response to doctors' concerns that vital information would not be available in an emergency.
Full Story

SOCIAL NETWORKING

Facebook Tests “Smart Lists” Feature (September 13, 2011)

Facebook has been testing a new privacy feature with a select number of users, reports Mobiledia. Smart Lists allows users to group their friends in categories and customize news feeds to deliver content to certain lists. The report states that the feature may be Facebook's response to Google+, which uses its "Circles" feature to categorize groups of people. Facebook has not officially announced the feature or when it will be released to all users.
Full Story

PRIVACY

Mexican DPA Discusses Data Protection, International Conference (September 12, 2011)

For the first time in its 33-year history, the International Conference of Data Protection and Privacy Commissioners (ICDPPC) will be held in Latin America, hosted this year by Mexico's Federal Institute for Access to Information and Data Protection (IFAI). In this Daily Dashboard exclusive, IFAI President Commissioner Jacqueline Peschard discusses the highlights of the upcoming 2011 conference, entitled "PRIVACY: The Global Age," as well as the work of the IFAI and the international data protection landscape. As Peschard puts it, in a time when data is not hemmed in by geographic boundaries, DPAs must work together across borders, which is one of the key aims of ICDPPC.

BEHAVIORAL TARGETING

W3C Announces Tracking Protection Working Group (September 12, 2011)

The World Wide Web Consortium (W3C) recently announced its Tracking Protection Working Group, established to create a "set of standards that enables individuals to express their preferences and choices about online tracking and enables transparency concerning online tracking activities," the group said on its blog. The Register reports that one of the first hurdles the group may face is getting all the stakeholders to agree on the standards. "A critical element of the group's success will be broad-based participation," W3C said, adding that do-not-track efforts by Microsoft and Mozilla will act as the basis for the group's work. Aleecia McDonald, senior privacy researcher at Mozilla, and another unidentified industry leader will co-chair the group. 

PRIVACY LAW—AUSTRALIA

Expert: Statutory Tort Is Subjective, Emotive (September 9, 2011)

Rule of Law Institute Chairman Robin Speed is voicing concerns about the government's plan to revisit a statutory privacy tort under which individuals could sue for a "serious invasion of privacy," reports The Australian. Speed's comments come as federal Justice Minister Brendan O'Connor prepares to release an issues paper on the matter. Australian Privacy Commissioner Timothy Pilgrim recently outlined alternatives to a tort. According to Speed, the initiative is aimed at intimidating the media, but his concerns are centered on ordinary citizens. Calling the basis of the tort subjective and emotive, Speed says the commission offered "no proper evidentiary basis to support it--apart from the fact that emotionally 'we don't like our privacy to be invaded.'"

PRIVACY LAW—NEW ZEALAND

Advocate Calls Criminal Sanctions Unjustified (September 9, 2011)

New Zealand's privacy commissioner is calling for mandatory data breach notifications--and for the concealment of data breaches to be a crime--reports Stuff.co.nz. But the national organisation representing New Zealand businesses says such penalties would be unjustified. As the Law Commission reviews the Privacy Act, Commissioner Marie Shroff--who implemented voluntary breach notification guidelines in 2008--says, "You need to have a sanction there if the scheme is going to be effective. You may never have to use that sanction." But Business New Zealand's chief executive says that it's "disturbing" that the commissioner has leapt from voluntary notification guidelines to criminal sanctions, calling it a "very heavy-duty thing to do."

ONLINE PRIVACY—AUSTRALIA

Should Online Anonymity Be Abolished? (September 9, 2011)

Web giants are arguing that anonymity should be abolished online, The Sydney Morning Herald reports, a concept that has the support of some government and law enforcement bodies. One former CEO recently said that if a company knows a person's real name, it can "hold them accountable." A Sydney academic says privacy online may no longer be seen as a fundamental civil right and that privacy is becoming "commodified and something you have to purchase." Another academic says that requiring people to use their real names online may "hamper the kinds of playfulness and experimentation and exchanges that can take place."

ONLINE PRIVACY—NEW ZEALAND

Cloud Computing Code Forthcoming (September 9, 2011)

The New Zealand Cloud Computing industry has announced plans for a voluntary Cloud Computing Code of Practice, Scoop News reports. New Zealand Privacy Commissioner Marie Shroff has welcomed the development, saying, "We've had concerns around cloud computing for some time, and a significant survey undertaken by our office earlier this year concluding a lack of awareness around cloud issues." The New Zealand Computer Society will facilitate the first part of the project, and the group's participants include Microsoft, Zero, Equinox and InternetNZ. Meanwhile, InternetNZ's CEO recently spoke to Computerworld about its overall goals, including protecting and promoting the Internet for New Zealand.

TRAVELLERS’ PRIVACY—NEW ZEALAND

Surveillance Centre Opens in Auckland (September 9, 2011)

Stuff.co.nz reports on a new operations centre that will record the details of travellers moving in and out of the country. The Customs' Integrated Targeting and Operations Centre (ITOC) will collect all travel information such as flight payment methods and special seat and meal requests. Some have warned that the new system is an invasion of privacy, but, the report states, the government says it will help ensure the safety of citizens. Prime Minister John Key said, "Anyone who is innocent has nothing to fear," while Customs Minister Maurice Williamson added, "Everything needed to determine risks presented by people, goods or craft are now brought together at the ITOC." 

PRIVACY LAW—NEW ZEALAND

Opinion: Laws Could Undermine Privacy (September 9, 2011)

In a feature piece for The New Zealand Herald, Chris Barton writes of government discussions about examining New Zealand's laws with an eye toward adopting the Council of Europe Convention on Cybercrime, questioning the privacy implications of such a move. International treaties need all countries to abide by them, he writes, noting, "you worry such global laws will undermine values we hold dear, like individual privacy, and gift the state big brother surveillance powers which restrict civil liberties." While there are many positive aspects to the convention, he notes, "As our Ministry of Justice points out, many of New Zealand's legal arrangements already conform to much of the convention's provisions."

CHILDREN’S PRIVACY—AUSTRALIA

Opinion: Schools Must Improve Privacy Practices (September 9, 2011)

Schools need to "rethink the way in which they communicate information about the school community," writes Ainslie MacGibbon in The Sydney Morning Herald, because basic Web searches often disclose "endless details about students." In many cases, schools create online profiles of their students without parental permission, MacGibbon asserts. One cyber-safety specialist said, "Schools need to have a very clear policy and not just have parents tick a box and accept their child may be photographed somewhere, at some time. It needs to be very, very clear and there needs to be separate permission for how, where and when this information will be used."

PRIVACY LAW—HONG KONG

Privacy Amendment Bill Introduced (September 9, 2011)

The Hogan Lovells' Chronicle of Data Protection analyses a new bill introduced in the Legislative Council that aims to reform the Personal Data (Privacy) Ordinance so that it meets the latest challenges posed by technological advancements and personal data misuse. As a "culmination of a lengthy consultation process," the Personal Data (Privacy) Amendment Bill will enact new requirements relating to direct marketing, the sale of personal information and data processing; address the powers of the Privacy Commissioner for Personal Data; and increase penalties for breaches of the ordinance.

PERSONAL PRIVACY—HONG KONG

Property Management Complaints on the Rise (September 9, 2011)

The Privacy Commissioner for Personal Data has released guidance on property managers' compliance with the data protection ordinance. Property management professionals encounter data protection issues including building entry passes; visitors' names and ID cards; recorded CCTV images of individuals, and disclosure of personal details at owners' meetings. The commissioner will hold a workshop on 9 November to help property managers understand the "Guidance on Property Management Practices" document. "Respecting and protecting residents' personal data privacy is one of the essential factors enabling property management bodies to win the residents' trust and support," the commissioner said, adding that his office has seen an increase in complaints in recent years.

DATA PROTECTION

In-depth on Incident Response (September 8, 2011)

SCMagazine looks at incident response and data protection. Lockheed Martin CISO Chandra McMahon discusses the company's "kill chain" approach to network protection. "The way the kill chain is set up, you're doing incident response as soon as the attack gets started," McMahon says. The company was the target of hackers earlier this year. The premise of its seven-step kill chain "is that the attacker has to be correct every step of the way. Somewhere between steps one and seven, we have to stop those attacks." The feature also looks at other high-profile data incidents and offers incident response "steps to success."  

BIOMETRICS—AUSTRALIA

Vein Scanning To Track Librarians (September 8, 2011)

Melbourne's City of Monash may next month begin tracking library employee work hours with vein scanning technology, reports ABC News. City officials say they are only considering the plan, but the Australian Services Union claims it has received confirmation from the council that the technology will be employed in libraries next month, affecting as many as 100 workers. Victoria Privacy Commissioner Helen Versey says that without the facts, she can't determine whether the plan contravenes the Privacy Act, but notes, "If they're creating a database of their employees' biometrics, then that does raise some significant issues in terms of data security."

DATA THEFT

Company Halts Authentication Certificates (September 8, 2011)

A security company has suspended issuing authentication certificates for secure websites in response to claims that an unauthorized individual accessed the company's servers, BBC News reports. The Belgian-based company, GlobalSign, has stopped issuing the certificates while it investigates the allegations. The hacker also claims to have accessed additional certificate authorities, including DigiNotar. A GlobalSign representative said that the company takes the hacker's claims "very seriously."        

DATA LOSS

Study: Breaches Cost Companies Almost $157 Billion (September 7, 2011)

A recent study found that from 2005 through 2010, data breaches cost companies $156.7 billion, reports InfoSecurity. The Digital Forensics Association studied 3,765 publicly disclosed data breach incidents encompassing more than 800 million lost records--65 percent of which disclosed victims' names, addresses and Social Security numbers. Incidents of confirmed criminal use of breached data increased by 58 percent from the prior study, states the report, with hackers responsible for 48 percent of the records studied.

SURVEILLANCE

Facial Recognition Technology Seeing “Boom Time” (September 7, 2011)

Forbes reports on the increasing popularity of facial recognition technology, now experiencing its "boom time." The technology is being used by police departments, casinos and bars, among others. Shoe retailer Adidas is now testing the technology in order to market shoes to specific age and gender demographics, and Kraft foods is working with supermarket chains with hopes of installing facial recognition kiosks in order to better target specific consumers. "You can put this technology into kiosks, vending machines, digital signs," said a spokesman for Intel, a developer of the software. "It's going to become a much more common thing in the next few years."    

ONLINE PRIVACY

Smartphone Makers Respond to Tracking Allegations (September 6, 2011)

Microsoft has responded to a class-action lawsuit, saying the location data it collects through its Windows Phone camera is not linked to a specific device or user, reports The Next Web. While the suit claims the software collects users' geographical coordinates even after they request not to be tracked, Microsoft says that because it does not collect unique identifiers, "the Windows Phone camera would not enable Microsoft to identify an individual or 'track' his or her movements." Meanwhile, smartphone maker HTC responded to claims that at least two of its phones collect location and personal data, explaining that the data in question is de-identified, encrypted and only collected upon user opt-in.

SURVEILLANCE—AUSTRALIA

Commissioner To Conduct CCTV Audit (September 6, 2011)

Queensland's privacy commissioner says she will audit the number of closed circuit television (CCTV) camera networks after concerns about privacy, including a police investigation into stolen security footage from a casino. A count of cameras and their purposes will begin within weeks and will involve about 200 government departments, News.com.au reports. Acting Privacy Commissioner Rachael Rangihaeata said councils are increasingly using the cameras as a law enforcement tool. "We have significant concerns with reports in the rise in the use of CCTV," Rangihaeata said. "And we are very keen to make sure security footage is used properly...There needs to be a higher responsibility." 

PRIVACY LAW—AUSTRALIA

McClelland: Cyber Law Casts Proper Net (September 2, 2011)

Reaction continues surrounding the cybercrime legislation passed by the House of Representatives last week. The bill enables agencies to request the retention of and access to communications for cybercrime prevention purposes. Some have questioned the ability of Australian law enforcement agencies to enforce the law, and others have asserted that it will "diminish our liberal democracy..." However, in The Sydney Morning Herald, federal Attorney-General Robert McClelland rebuked what he described as "alarmist" and "entirely false" assertions that have been made about the legislation. "To suggest that the judiciary will no longer have oversight of access to a citizen's information--through the granting of warrants--is entirely wrong."

PERSONAL PRIVACY—NEW ZEALAND

Coroner: Circumvent Privacy Act To Protect At-Risk Kids (September 2, 2011)

A coroner is recommending that government agencies circumvent parts of the Privacy Act in order to protect at-risk children after his investigation into the murder of a three-year-old, reports The Dominion Post. Among other things, effective information-sharing between government agencies and healthcare organisations could help vulnerable children, but the coroner says the Privacy Act prevents such sharing. Privacy Commissioner Marie Shroff says the problem lies with agencies' interpretation of the act, adding that it's vital people share information about at-risk children with the proper authorities.

PRIVACY LAW

Class-Action Filed on Behalf of Mobile Phone Users (September 2, 2011)

A proposed class-action lawsuit filed on behalf of Windows Phone 7 users in a Seattle, WA, court on Wednesday alleges that Microsoft designed the phone to track customers regardless of their preferences, The Sydney Morning Herald reports. The suit alleges the company designed camera software on the phone's operating system to collect users' geographical coordinates even if they had requested not to be tracked, the report states. The suit also alleges that statements the company made in a letter to the U.S. Congress were "false." 

ONLINE PRIVACY

Kundra: Cloud Concerns re: Privacy “Unfounded and Ridiculous” (September 1, 2011)
Former U.S. Chief Information Officer Vivek Kundra is sounding off on governments' reluctance to adopt cloud computing due to privacy and information security concerns, noting the U.S. government's outsourcing of more than 4,700 systems "and yet when it comes to cloud for some reason these fears are raised," reports The Australian. In The New York Times, Kundra writes that "governments around the world are wasting billions of dollars on unnecessary information technology," adding that cloud computing is often more secure than traditional methods. Taking part in a Digital Agenda panel on Wednesday, Kundra urged government officials to think about how they are serving constituents. "All that money's being spent on redundant infrastructure, redundant application that we're not able to optimize," he said. Meanwhile, Kundra's Digital Agenda co-panelist Vice President of the European Commission Digital Agenda Neelie Kroes said that while she agrees there are benefits to the adoption of cloud computing, the value depends on trust and security in the system, and there are cultural hurdles to overcome that will take time, ZDNet reports.

Editor's Note: Navigate, an IAPP executive forum being held on September 14 in Dallas, TX, will feature a special program entitled Putting Cloud Computing on Trial to fully explore these issues.