ANZ Dashboard Digest

Putting its regard for privacy compliance to the fore, the iappANZ Board has this week taken the decision to opt in to the obligations of the new privacy legislation. You will see our new privacy policy, and we welcome any comments as it has been a collaborative effort by some of Australia’s finest privacy minds. We understand that the privacy commissioner will be talking about ways to improve organisations’ privacy policies at the OAIC Privacy Awareness Week Breakfast, so if you are revising yours, it is an event not to be missed. In news this week you will also see that AMSRO has also applied to register a non-mandatory code of practice.

Now that 12 March is over, we are starting to see less of the doomsday reports and more of the innovation which the OAIC encourages. We expect plenty of new ideas in Privacy Awareness Week in May. We are delighted to confirm that the deputy chair of the ACMA will be joining the ALRC and OAIC representatives in our Great Debate on Australia’s direction on serious invasion of privacy in the digital age.

The article by Brenda Aynsley OAM this week, “Sharing the Values to match the technology,” presents a fascinating counterpoint to the call by Tim Berners-Lee and the World Wide Web consortium in their “Web We Want Campaign.” Aynsley examines the important distinction between “trusted” providers and “trustworthy” providers. Trustworthiness is critical because technology projects continue to have one of the highest rates of failure—failure to deliver on promises, on time, on budget—or all three. Risks such as those presented internationally by Heartbleed or the CDA security breach, which threatens the Personally Controlled Electronic Health Record, mean that the concept of trustworthy will become increasingly significant for privacy professionals that either develop or procure technology. Then, of course, as the story on the use of biometric facial recognition technology in Japan shows, trustworthiness in the party deploying the technology is vital. It will be interesting to hear from Tim Rains on trustworthy computing in Privacy Awareness Week. Hope to meet you there.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

PRIVACY LAW—EU & AUSTRALIA

EP Approves Passenger Data Agreement (October 28, 2011)

The European Parliament approved an agreement on the transfer of EU airplane travellers' personal data to the Australian Customs Service on Thursday, according to a European Parliament press release. The agreement will bring Passenger Name Record data transfers into compliance with the European Data Protection Directive and will last for seven years. The agreement permits the Australian Customs Service to retain data transferred from air carriers, including passport numbers and credit card details, for a maximum of 5.5 years for the purpose of detecting and combating crime. After three years, data that could be used to identify a passenger will be anonymised. Processing of sensitive data, such as race or religion, is prohibited.
Full Story

DATA LOSS—AUSTRALIA

Opinion: CSOs Should Learn From Recent Breach (October 28, 2011)

The consequences of the First State Super (FSS) breach are still revealing themselves, but they were likely clear to chief security officers, opines David Braue for CSO. The breach was discovered when a security consultant informed the company that he was capable of accessing hundreds of members' personal information by changing an index number in a URL. Though the company has stated that only 568 member details were viewed, "Any security executive, however, knows it's 568 too many," Braue writes, adding, "If ever there were a case for centralised, robust security and extensive testing, this is it."
Full Story
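The flaw described above, a record served for whatever index appears in the URL, is the classic insecure direct object reference. The following is an added example, not First State Super's system or code: the member records, ids and session object are constructed for illustration, and it places the vulnerable handler beside the hardened one so the missing object-level authorization check is visible.

```python
"""Insecure direct object reference, shown as an added example.
The member records, ids and session object here are constructed for
illustration; they are not First State Super's system or code."""
from dataclasses import dataclass

# Constructed sample data: member records keyed by a sequential index,
# the kind of number that ends up visible in a URL such as /statement/1002.
MEMBERS = {
    1001: {"name": "A. Example", "balance": "12,400"},
    1002: {"name": "B. Example", "balance": "88,910"},
    1003: {"name": "C. Example", "balance": "3,075"},
}


@dataclass(frozen=True)
class Session:
    """Identity established at login; the only member id worth trusting."""
    member_id: int


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def statement_insecure(session: Session, requested_id: int) -> dict:
    """Vulnerable pattern: serves whatever index the URL names, never
    asking whether the logged-in member owns that record."""
    if requested_id not in MEMBERS:
        raise NotFound(requested_id)
    return MEMBERS[requested_id]


def statement_secure(session: Session, requested_id: int) -> dict:
    """Hardened pattern: object-level authorization. The index from the URL
    must match the identity bound to the session. The ownership check runs
    before the existence check so the response does not reveal which
    indices exist."""
    if requested_id != session.member_id:
        raise Forbidden(requested_id)
    if requested_id not in MEMBERS:
        raise NotFound(requested_id)
    return MEMBERS[requested_id]


def leaks_other_members(handler) -> bool:
    """Regression check a defender keeps in the test suite: does a session
    for member 1001 get a record back when it asks for 1002?"""
    try:
        handler(Session(member_id=1001), 1002)
    except Forbidden:
        return False
    return True


def read_own_statement(handler) -> str:
    """Sanity check that the hardened handler still serves the owner."""
    return handler(Session(member_id=1001), 1001)["name"]


if __name__ == "__main__":
    for label, handler in (("insecure", statement_insecure),
                           ("secure", statement_secure)):
        print(f"{label}: leaks other members = {leaks_other_members(handler)}")
```

In a real application the safer shape is to scope the database query by the session's member id rather than compare ids after the lookup, so the check cannot be forgotten on a new endpoint; `leaks_other_members` is the kind of test that catches the omission when it happens anyway.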

DATA LOSS—HONG KONG

Department Reports PI Loss (October 27, 2011)

7th Space reports on the Hong Kong Labour Department's announcement that it has notified police and the Office of the Privacy Commissioner for Personal Data of the loss of a document containing personal information on 56 employees' compensation applicants. "The department has started a thorough investigation into the case and initiated a review," the report states. It has also begun "calling the persons affected to express its apologies." The Labour Department has stated it is working with authorities to prevent such incidents from happening in the future.
Full Story

DATA PROTECTION—AUSTRALIA

Company: No Laws, No Fines, No Change (October 27, 2011)

According to Verizon Global Security Services Director Jonathan Nguyen-Duy, Australia needs breach notification laws in order to keep its reputation as a leader in information security. Noting that major changes only happened in the U.S. when companies were fined for contravening the Payment Card Industry (PCI) Digital Security Standards, Nguyen-Duy told ZDNet Australia that there's little incentive for Australian organizations to fess up about breaches. "Data breaches have doubled, but there have been no fines, no levies against PCI compliance," he said. Despite the risks, Nguyen-Duy said, "in 92 percent of cases, simple to intermediate controls would have detected and prevented the breach."    
Full Story

BEHAVIORAL TARGETING

Credit Card Companies Look Into OBA (October 26, 2011)

The Wall Street Journal reports on plans by the world's two largest credit card networks to move into the online behavioral advertising business. Though the technology to link purchase transactions with an individual's online profile is still evolving, according to the report, Visa and Mastercard are currently pursuing the idea. The article cites a published Visa patent application that would attempt to incorporate information from DNA data banks into profiles that would target consumers online. Meanwhile, a representative from Mastercard said in an interview in August, "There is a lot of data out there, but there is not a lot of data based on actual purchase transactions...We are taking it a level deeper...it is a much more precise targeting mechanism." (Registration may be required to access this story.)

DATA PROTECTION

Study Delves Into the Stress of the Job (October 26, 2011)

A survey commissioned by data protection company Websense shows that while many IT managers feel their jobs depend on keeping company data secure, 91 percent said new levels of management are engaging in data security conversations. Systems & Networks Security reports the study polled 1,000 IT managers and 1,000 non-IT employees in Canada, Australia, the U.S. and the UK about security threats, and 86 percent of respondents said their job would be at risk if a security incident occurred, while 72 percent called protecting company data more stressful than getting a divorce. Meanwhile, "When asked about real-time protection solutions in place, many respondents listed product and vendor names that don't offer real-time protection at all," said a Websense spokesman.
Full Story

ONLINE PRIVACY

Researcher Says Skypers Are Vulnerable (October 25, 2011)

A researcher from New York University (NYU) will present findings in Berlin next week asserting that Skype may allow strangers access to users' contact details. "If you have Skype running in your laptop, then I or any other attacker can inconspicuously call you, obtain your current IP address and your current location without you ever knowing about it," says NYU's Keith Ross, a professor of computer science. A high school-aged hacker would be capable of such an act, Ross says, adding that the hacker could scale the operation to track thousands of users. Skype's chief information security officer says determining other users' IP addresses is possible with typical Internet communications software, not just Skype's. 
Full Story

SOCIAL NETWORKING

DPC Investigating “Shadow Profiles” and Data Logs (October 24, 2011)

The Irish Data Protection Commissioner (DPC) is investigating complaints against Facebook for its data collection practices. Fox News reports on one allegation that the site encourages members to offer information on nonmembers and uses it to create "extensive profiles." The Wall Street Journal reports that another complaint claims Facebook held information on an Austrian student which appeared to have been deleted from his account. The data included rejected friend requests, untagged photos of the student and logs of all his chats. Facebook denies both claims. A company spokeswoman said "the assertion that Facebook is doing some sort of nefarious profiling is simply wrong," adding that its messaging service works the way "every message service ever invented works." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—MALAYSIA

Opinion: PDPA, No Commissioner, No Bite (October 21, 2011)

While the passage of the Personal Data Protection Act (PDPA) made strides towards protecting personal information, some privacy experts say data abuse in Malaysia is "rampant," and without a commissioner to enforce the law, it will continue. An op-ed in The Star covers this and other concerns that experts have voiced, including the exemption of federal agencies, police and religious authorities; the lack of territorial and bodily privacy, and that the enforcing commissioner answers to the information, communication and culture minister. Data protection law expert Abu Bakar Munir details instances of data for sale and financial sites contravening the law, but, he says, "Having something is better than nothing."
Full Story

DATA LOSS—AUSTRALIA

Company Scrutinized for Unreported Breach (October 19, 2011)

The Sydney Morning Herald reports on a security breach at fund management company First State Super and the reaction of customers who were reportedly not notified of the incident. The event came to light when a security consultant attempted to warn the company of a flaw in its system that allowed access to sensitive customer data. Of its 770,000 customers, the company warned approximately 500 individuals whose information was accessed by the consultant. Acting New South Wales Privacy Commissioner John McAteer said the incident highlights the need for data breach notification legislation. Australian Privacy Commissioner Timothy Pilgrim has announced that he is opening an "own motion investigation" into the company.
Full Story

SURVEILLANCE—JAPAN

“Boyfriend Tracker” App Revised After Complaints (October 19, 2011)

A Japanese mobile application developer has released a new version of an app designed to track GPS-enabled mobile devices after receiving hundreds of complaints that the software had been covertly installed on people's phones, reports The Telegraph. Kare Log did not display an icon to alert users that the software was in use. Japan's communications ministry said in a statement, "The consent of a tracked individual is very important. There were problems with the way that Kare Log was advertised." While the basic plan allowed location and battery usage to be tracked, an upgrade would allow for the monitoring of calls, including phone numbers dialed and the dates, times and lengths of calls.
Full Story

ONLINE PRIVACY

Site Brings New Meaning to “Creepy” Data Use (October 19, 2011)

A new website, used by 300,000 people in its first 24 hours, accesses information from people's Facebook accounts to create a personalized horror movie featuring a man browsing through the user's account and "getting increasingly agitated," reports The New York Times. Take This Lollipop's developer, Jason Zada, says creating the site was a fun seasonal project but adds that its popularity may in part be due to people's concerns about how their data is being used. "When you see your personal information in an environment where you normally wouldn't, it creates a strong emotional response," Zada said. "It's tied into the fears about privacy and personal info that we have now that we live online." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—PHILIPPINES

Senate Deliberates Data Protection Act (October 18, 2011)

The Philippines Senate has begun deliberations on the proposed Data Privacy Act, which includes monetary fines and jail terms for data breaches, unauthorized disclosure of data to a third party and disclosure of sensitive personal information, reports Business World. The bill's sponsor, Sen. Edgardo J. Angara, said the country lacks "the over-arching policy framework that upholds privacy laws and penalizes individuals for overstepping them." The Senate committee has approved the creation of a National Privacy Commission to implement the regulations once enacted. A Business Processing Association representative lauded the effort, saying, "a data privacy law will pave the way to increased client or investor confidence as it solidifies our commitment of data security to our foreign clients." 
Full Story

PRIVACY—VICTORIA

Versey Reflects on Tenure (October 14, 2011)

ZDNet reports on comments made by outgoing Victorian Privacy Commissioner Helen Versey. With 10 years of experience within Privacy Victoria and more than four years served as privacy commissioner, Versey reflects on changes in the privacy landscape during her tenure, saying that Victorian agencies have had a "patchy" adherence to the Information Privacy Principles. "Some organisations have embraced their responsibilities, but there are still some that clearly simply see the act as an irritation that should be afforded the barest resources," Versey said. "The organisations which are most successful in embracing the privacy principles are those where there is leadership from the top and where sufficient resources are given to privacy and privacy awareness within the organisation." 
Full Story

ONLINE PRIVACY—AUSTRALIA

Companies Form Cloud Council (October 14, 2011)

ZDNet reports that four major players in the Australian cloud market have formed a national cloud council aimed at promoting cloud computing and combating potential threats to its success. The OzHub cloud council, made up of Macquarie Telecom, Fujitsu, Infoplex and VMware, is backed by the federal government and "seeks to establish a regulation framework to promote good business practices and greater transparency to consumers about crucial issues such as where their data is held," the report states. Concerns about data sovereignty and privacy, including the reach of the U.S. Patriot Act, have hampered movement toward the cloud, but one report suggests the Australian market could become a hub for cloud computing.
Full Story

DATA PROTECTION—AUSTRALIA

Expert Warns Businesses To Be Vigilant on Cloud Computing (October 14, 2011)

The Sydney Morning Herald reports on warnings conveyed by Australian Computer Society President Anthony Wong, who says that organisations must ensure that data stored by overseas cloud providers does not violate Australian laws that require consumer privacy and corporate record retention, among others. Wong says that businesses should weigh the use of cloud computing against the responsibilities required under Australian legislation. "When a business decides to go into the cloud, they have to look at the sensitivity of their information and decide what level of security the cloud provider must have," Wong says. "Businesses should address it right from the start...Courts are not likely to be understanding (of governance shortfalls) just because your data is in the cloud."
Full Story

PRIVACY LAW—AUSTRALIA

APF Submits Privacy Amicus in Copyright Case (October 14, 2011)

The Australian Privacy Foundation (APF) has applied to submit an amicus brief in a copyright appeal case, arguing that the decision could have privacy impacts for "virtually every person in Australia," reports The Australian. A group of 34 entertainment companies is trying to persuade the federal court that iiNet should be found liable for acts of copyright infringement carried out over the company's networks. In its submission to the High Court, the APF said, "ISPs are poorly placed to assume the role that copyright owners wish to impose on them," adding that copyright owners have legitimate financial concerns, but "it must be remembered that those financial interests cannot be given greater weight than the interests of upholding an adequate level of protection for the...right to be shielded from privacy violations." 
Full Story

BIOMETRICS—NEW SOUTH WALES

Company Introduces Employee Fingerprint Scanning (October 14, 2011)

Hundreds of employees of Railcorp will soon use a fingerprint reader to clock in and out of work, The Sydney Morning Herald reports. The new biometric "bundy clock" has been introduced to curb payroll fraud and streamline payroll procedures and should be operational by mid-2012. Workers have expressed concern that their data could be subject to identity theft or misused by employers. Acting New South Wales Privacy Commissioner John McAteer has said that the adoption of such technology could lead to a "slippery slope" of employers gaining access to employee data, the report states. 
Full Story

PERSONAL PRIVACY—AUSTRALIA

Shopper-Tracking Tool Coming to Oz (October 14, 2011)

An Australian shopping centre has plans to implement mobile phone-locator technology within the month, raising concerns about shoppers' privacy, The Courier Mail reports. The technology, which uses receivers to locate phones by their frequency codes, will let retailers monitor customers' movements in order to better understand their shopping habits. Australian Privacy Foundation Chairman Roger Clarke described the technique as "seriously creepy" and called for an investigation, but a sales manager for the maker of the technology said, "It's much less intrusive or invasive than existing people-counting methods, for instance CCTV cameras and number plate monitoring." 
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Opinion: Health Minister Should Listen to Advocates (October 14, 2011)

In an opinion piece for The Australian, Karen Dearne contends that Health Minister Nicola Roxon has taken "an unwarranted swipe at volunteer health consumer and privacy advocates who have tried to consult with her department" on the national e-health record system. Dearne writes that the Australian Privacy Foundation (APF) has "earned the minister's rebuke" by suggesting that privacy protections in e-health record draft legislation might not be robust enough. The APF "just wants to see it done well," Dearne adds, "so there are no nasty surprises for anyone, and we do get the promised improvements in the quality of care and efficiencies across the health sector." 
Full Story

SOCIAL NETWORKING

A Viewpoint, a New Network and a Proclamation (October 14, 2011)

A Sydney Morning Herald editorial looks at the growing popularity of Facebook, describing the amount of social intelligence it has amassed as unsettling. "If a government department had so much up-to-the-minute information...one can only imagine the outcry," writes Julian Lee. Lee describes the limits of legal privacy protections and asserts, "The hyperbolic pace at which technology moves is no match for the law." Meanwhile, a Gold Coast business has created what it describes as a "family" social network where privacy is the "number one priority." But a Web developer tells CSO that the site is "not very secure."
Full Story

DATA LOSS

Company Suspends 93,000 Online Accounts (October 12, 2011)

Sony announced that it has locked 93,000 online network user accounts because of an unusual number of sign-in attempts from an unauthorized user, AFP reports. The suspicious activity reportedly took place between October 7 and 10 and involved sign-in attempts with user IDs and passwords that were verified as valid. The company said that the incidents "appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources," and "only a small fraction of the 93,000 accounts showed additional activity prior to being locked." Sony is continuing an investigation into the breaches and has notified affected users.
Full Story
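The pattern Sony describes, one source working through a list of credentials leaked elsewhere, is credential stuffing, and the signal that separates it from a user mistyping their own password is the number of distinct accounts tried from one place in a short span. The following is an added example, not Sony's logs or detection logic: the log format, addresses, thresholds and sample lines are all constructed, and the code flags the bursting source and picks out the accounts whose passwords it validated, which are the ones that need a lock and reset.

```python
"""Detecting a credential-stuffing burst in sign-in logs, as an added example.
The log format, addresses, thresholds and sample lines below are constructed
for illustration; they are not Sony's logs or detection logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one address cycling through many different accounts
# with mostly valid passwords (the leaked-list pattern), a user retrying their
# own password, and an unrelated ordinary sign-in.
SAMPLE_LOG = """\
2011-10-08T02:14:05Z ip=203.0.113.7 user=alice result=success
2011-10-08T02:14:06Z ip=203.0.113.7 user=bob result=fail
2011-10-08T02:14:07Z ip=203.0.113.7 user=carol result=success
2011-10-08T02:14:08Z ip=203.0.113.7 user=dave result=success
2011-10-08T02:14:09Z ip=203.0.113.7 user=erin result=fail
2011-10-08T02:14:10Z ip=203.0.113.7 user=frank result=success
2011-10-08T02:14:11Z ip=203.0.113.7 user=grace result=success
2011-10-08T02:30:00Z ip=198.51.100.20 user=heidi result=fail
2011-10-08T02:30:04Z ip=198.51.100.20 user=heidi result=fail
2011-10-08T02:30:09Z ip=198.51.100.20 user=heidi result=success
2011-10-08T03:05:00Z ip=192.0.2.44 user=ivan result=success
"""


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value key=value ...' into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_stuffing_sources(log_text: str, window: timedelta = timedelta(minutes=10),
                          min_accounts: int = 5) -> dict:
    """Return {ip: accounts} for each source address that tried at least
    min_accounts distinct accounts within any window-length span. The count
    is of distinct accounts, not attempts, so heidi retrying her own password
    three times does not trip it. For a flagged source, every account it
    touched is returned, not only those inside the triggering window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            accounts_in_window = {r["user"] for r in recs[start:end + 1]}
            if len(accounts_in_window) >= min_accounts:
                flagged[ip] = {r["user"] for r in recs}
                break
    return flagged


def accounts_to_lock(log_text: str, **thresholds) -> list:
    """Accounts for which a flagged source produced a successful sign-in:
    the password was validated, so the credential is known outside the
    service and the account needs a lock and a forced reset."""
    flagged = find_stuffing_sources(log_text, **thresholds)
    locked = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["ip"] in flagged and rec["result"] == "success":
            locked.add(rec["user"])
    return sorted(locked)


if __name__ == "__main__":
    print("flagged sources:", find_stuffing_sources(SAMPLE_LOG))
    print("accounts to lock:", accounts_to_lock(SAMPLE_LOG))
```

The threshold of five distinct accounts in ten minutes is a constructed starting point; in production it is tuned against the service's own baseline, and the per-address grouping is supplemented with grouping by network block or device fingerprint, since a stuffing run spread across many addresses will not show up as a single bursting source.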

TRAVELERS’ PRIVACY—CHINA

Engineer: Transport Cards Reveal Travel History (October 11, 2011)

A Beijing engineer says that public transportation cards are capable of serving as a tracking mechanism, China Daily reports. By entering a card's 17-digit code into the Beijing Municipal Administration and Communication Card Co's website, an individual can see where a passenger has traveled, which software engineer Li Teijun says violates travelers' privacy, "may undermine public safety" and could be used for nefarious purposes. "The database may also be an easy target for hackers," he says. A spokesperson from the administration says the cards (45 million of which are currently in use in Beijing) are not connected to real names, which negates privacy concerns.
Full Story

FINANCIAL PRIVACY—NEW ZEALAND

Credit Reporting Law Gets Overhaul (October 7, 2011)

Privacy Commissioner Marie Shroff has announced changes to the credit reporting law that mean, as of 1 April, more of New Zealanders' data will be collected by credit reporters. Noting the drawback of handing over more personal financial information, Shroff said there are benefits as well. "There is a strong economic case that giving lenders more information of this sort will support more responsible lending." Shroff has acknowledged the need for educating people about the changes and has released a Summary of Rights to assist in that effort. The changes also include the ability to freeze credit reports under special circumstances and allow lenders to obtain driver's licence information to enable better authentication.
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Roxon Defends eHealth System Amidst Criticism (October 7, 2011)

Health Minister Nicola Roxon is defending draft legislation surrounding the government's personally controlled electronic health records system, calling it an improvement to the protections currently in place for paper records. But The Australian reports that critics say the government is sidestepping the responsibility for creating a promised audit trail (and any penalties for breaches) by putting the onus on healthcare facilities to identify which individuals have accessed records, meanwhile exempting federal- and state-run facilities from prosecution. Additionally, computer experts say the authentication technology necessary for a secure system does not yet exist, and the Australian Privacy Foundation's chairwoman called the system unusable due to privacy concerns.
Full Story

SOCIAL NETWORKING—AUSTRALIA

Pilgrim “Monitoring Future Developments” (October 7, 2011)

Privacy Commissioner Timothy Pilgrim said this week he will not conduct a full investigation of Facebook's alleged post-logout tracking of users, The Australian reports. Pilgrim explored the issue when first raised last week but declined to look further as Facebook said it had fixed the problem, the report states. "On 26 September 2011, I was alerted to concerns about Facebook tracking users with cookies after they had logged out of the site. Our office contacted Facebook and I understand it has rectified this issue," Pilgrim said, adding that he "will be monitoring future developments."
Full Story

SOCIAL NETWORKING

Opinion: Site’s “Frictionless Sharing” Rubs the Wrong Way (October 7, 2011)

An op-ed in The Sydney Morning Herald outlines concerns voiced in cities around the world about Facebook's privacy practices and the ongoing changes to them, and uses a quote from the Financial Times, "It's not your Facebook page; it's Facebook's," to rationalise the indignation. In its efforts to facilitate sharing, Facebook has made changes to the ways users can share information and with whom, but some privacy advocates, among others, are concerned that the changes are too many and too confusing for users. Meanwhile, Australian Privacy Commissioner Timothy Pilgrim has warned users to read privacy policies and use controls when available. Facebook's Sydney-based subsidiary "has been curiously reticent about commenting" on the changes, states the report.
Full Story

PRIVACY

Pro Bono Privacy Initiative Brings Expertise to Nonprofits (October 6, 2011)

Amidst a growing need among nonprofits for expertise in the protection of personal information, privacy professionals have come together to form the Pro Bono Privacy Initiative, which is now in its pilot phase. In this Daily Dashboard exclusive, pilot volunteers, who hail from such well-known firms and companies as Baker & McKenzie, Hogan Lovells, Hunton & Williams, Deloitte, Intuit, Verizon and IBM, discuss their hope for this new program. As IBM VP Security Counsel and Chief Privacy Officer Harriet Pearson, CIPP, puts it, "The true sign of a mature profession is when people step back and give back."
Full Story

DATA PROTECTION

Experts Offer Advice on Legacy IT Systems (October 5, 2011)

Though businesses rolling out new IT systems or collecting new data on their customers are increasingly privacy-conscious, the same is not true for legacy systems, reports Computerworld Canada. Experts including Ontario Privacy Commissioner Ann Cavoukian and Sagi Leizerov, CIPP, of Ernst & Young, offer advice on how to address the most pressing issues when it comes to such systems, including advising IT staff that more is not better when it comes to data collection, taking stock of "which systems your sensitive information is passing through...evaluating and improving upon the password policy settings in custom apps" and looking at any "unrestricted mass data storages and share folders."
Full Story

PERSONAL PRIVACY

Opinion: Privacy? Fuhgettaboutit. Enter Extreme Transparency (October 5, 2011)

In the BBC News Magazine, an advertising consultant and founder of an Internet start-up proposes that we forget about privacy and, instead, focus on image. "The new reality that all of us live in today, personally and professionally, is one of complete transparency," says Cindy Gallop, who goes on to propose "a very simple solution" for individuals and companies: "identify exactly who you are...what you stand for, what you believe in, what you value...and if you then only ever behave, act and communicate in a way that is true to you, then you never have to worry about where anybody comes across you or what you're found doing."
Full Story