ANZ Dashboard Digest

Putting its regard for privacy compliance to the fore, the iappANZ Board has this week taken the decision to opt in to the obligations of the new privacy legislation. You will see our new privacy policy, and we welcome any comments as it has been a collaborative effort by some of Australia’s finest privacy minds. We understand that the privacy commissioner will be talking about ways to improve organisations’ privacy policies at the OAIC Privacy Awareness Week Breakfast, so if you are revising yours, it is an event not to be missed. In news this week you will also see that AMSRO has applied to register a non-mandatory code of practice.

Now that 12 March is over, we are starting to see less of the doomsday reports and more of the innovation which the OAIC encourages. We expect plenty of new ideas in Privacy Awareness Week in May. We are delighted to confirm that the deputy chair of the ACMA will be joining the ALRC and OAIC representatives in our Great Debate on Australia’s direction on serious invasion of privacy in the digital age.

The article by Brenda Aynsley OAM this week, “Sharing the Values to match the technology,” presents a fascinating counterpoint to the call by Tim Berners-Lee and the World Wide Web Consortium in their “Web We Want Campaign.” Aynsley examines the important distinction between “trusted” providers and “trustworthy” providers. Trustworthiness is critical because technology projects continue to have one of the highest rates of failure—failure to deliver on promises, on time, on budget—or all three. Risks such as those presented internationally by Heartbleed or the CDA security breach, which threatens the Personally Controlled Electronic Health Record, mean that the concept of trustworthy will become increasingly significant for privacy professionals that either develop or procure technology. Then, of course, as the story on the use of biometric facial recognition technology in Japan shows, trustworthiness in the party deploying the technology is vital. It will be interesting to hear from Tim Rains on trustworthy computing in Privacy Awareness Week. Hope to meet you there.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

SURVEILLANCE

As Use of Facial Recognition and Surveillance Increase, What Happens To Privacy? (April 30, 2012)

The Economist reports on the increasingly pervasive use of video surveillance in countries around the world. China will soon employ three million surveillance cameras--surpassing Britain--and its industry is expected to reach 500 billion yuan, or $79 billion, in 2015. Alongside the increase in video surveillance is an increase in the use of facial recognition technology, currently employed at Mexican prisons, U.S. bars, Japanese workplaces and many other locations worldwide. Brazilian police will use it to improve security at the 2014 World Cup. The U.S. National Institute of Standards and Technology has found that such technology is improving, raising legal questions about the "reasonable expectation of privacy" in public, the report states. 

PRIVACY LAW—NEW ZEALAND & EU

EU “May Be Close” to Finding NZ Privacy Law Adequate (April 27, 2012)

COMPUTERWORLD reports that the EU "may be close" to finding New Zealand's privacy legislation "adequate." The EU Article 29 Working Party last April recommended adequacy status for New Zealand, and in a letter this week to EU Justice Commissioner Viviane Reding, Working Party Chairman Jacob Kohnstamm wrote, "Since more than a year has passed, I would like to urge the commission to make progress...and convene a meeting of the (relevant) committee as soon as possible." A spokesperson for New Zealand Privacy Commissioner Marie Shroff said the office is unable to comment on the Trans-Pacific Partnership agreement. An adequacy finding would ease data transfer restrictions between the two jurisdictions.

PRIVACY LAW—AUSTRALIA

Experts Assess Privacy Act Reforms (April 27, 2012)

As Australians observe Privacy Awareness Week, COMPUTERWORLD reports on the history of the government's reforms to the Privacy Act since 2006 and what the reforms could mean for the digital environment. A representative from Xamax Consultancy, Roger Clarke, said that reforms to the Privacy Act have progressed "extraordinarily slowly, and they still haven't really reached any point of resolution..." An AGW Consulting representative suggested the main impact of the reforms "will be dealt out in the second tranche response by the government." Clarke says he wants the privacy commissioner to be granted "real power to do real things and solve problems," and both consultants support civil remedies, which will force companies to be more responsible, the report states.

DATA LOSS—NEW ZEALAND

Victims File Complaint with Privacy Commissioner (April 27, 2012)

At least three ACC claimants who have had their personal information compromised have filed a complaint with Privacy Commissioner Marie Shroff, The Northern Advocate reports. The ACC advocate representing the victims said, "My main concern with the information being leaked unintentionally, the information consisted of not only medical issues, but there is a legal component to these files."

PERSONAL PRIVACY—NEW SOUTH WALES

State Government Limits Property Records Access (April 27, 2012)

The state government is limiting access to certain property records based on citizens' complaints about marketers using information held in the records to sell goods, The Sydney Morning Herald reports. "While the number of complaints may be small, all potential breaches of privacy are taken seriously and actively investigated," said a Department of Sustainability and Environment spokeswoman, adding, "any activity that might constitute a breach of an individual's privacy and implied misuse of the property sales information is unacceptable."

HEALTHCARE PRIVACY—AUSTRALIA

Opinion: EHRs Raise Privacy Concerns (April 27, 2012)

In light of a recent study that revealed a rise in patient record breaches in the U.S., a column in CSO stresses that "Australian medical experts warn that patient safety could be put at risk" once health records in Australia go digital. Three experts from the Medical Journal of Australia wrote, "It is not yet possible to make any definitive statement about whether the personally controlled electronic health record is safe or not."

ONLINE PRIVACY

Critics Say Terms of Service Allow for Lack of Privacy (April 27, 2012)

The New York Times reports on concerns about Google's recently released online storage service, Google Drive. The service offers free storage of documents, pictures and video, among other data, and critics say that under Google's “one-size-fits-all” terms of service, the company can use the stored content for its own purposes. A Google representative, however, said the company doesn't "take personal information and use it in a way that we don't represent to the user,” and the company’s terms state, “You retain ownership of any intellectual property rights that you hold…In short, what belongs to you stays yours.” (Registration may be required to access this story.)

ONLINE PRIVACY—AUSTRALIA

Company Discontinues Ad Campaign Following Complaints (April 20, 2012)

The company behind a "hangover recovery pill" has said it will discontinue its ad campaign after the Advertising Standards Bureau called it "irresponsible." Members of the public complained after Big Night Recovery created ads featuring various intoxicated people, The Age reports. It's unclear whether the "real people" featured gave consent, but the company's privacy policy states anything uploaded to its site becomes company property. A second campaign asks the public to send in pictures of their intoxicated friends to win a prize, but it's unclear if the company's two campaigns are related. Privacy Commissioner Timothy Pilgrim said the case "demonstrates the ease with which personal information can be exchanged and published in the digital age."

DATA LOSS—NEW ZEALAND

Commissioner Investigating Data Leak (April 20, 2012)

The privacy commissioner is investigating four complaints made by the Council of Trade Unions about the Ports of Auckland, Radio New Zealand reports. One case involves the leaking of a Maritime Union crane operator's details by the company via an Internet blog, which one expert says "undoubtedly" breached the Privacy Act. A union president said it filed an additional complaint alleging that another worker's details were released to the same blog. Ports of Auckland said it will cooperate with the commissioner's investigation.

PRIVACY LAW—NEW ZEALAND

Opinion: Should Employers Have Access to Social Media Passwords? (April 20, 2012)

Following recent discussions in the U.S. on what employers can and cannot do when it comes to accessing employees' social media accounts, employment attorney Peter Cullen discusses New Zealand's employment privacy landscape in this Stuff.co.nz report. Cullen says a New Zealand employee who refuses to provide access to online accounts may run into problems. He adds, however, that the employee could challenge the request and bring a claim before the Employment Relations Authority or the privacy commissioner. Cullen also notes that New Zealand privacy laws are soon to be overhauled in response to technological advances.

PRIVACY LAW—SOUTH KOREA

Resident Numbers Will No Longer Be Collectable (April 20, 2012)

Websites and companies will no longer legally collect resident registration numbers following the approval of a government initiative for improved data protection, The Korea Herald reports. The Korea Communications Commission, the Ministry of Public Administration and Security and the Financial Services Commission's joint plan has received final approval. It will first prohibit the online sector from collecting resident registration numbers--followed by public and private companies in phases, the report states. The plan responds to a number of major hacking incidents and identity thefts and aims to reduce the amount of personal data collected and used. Additional regulations will come as data protection law is revised later this year.

ONLINE PRIVACY

Berners-Lee: “Demand Your Data” (April 19, 2012)

World Wide Web creator Tim Berners-Lee has urged Internet users to demand their personal data from web companies in order to help begin a new era of customized computer services, reports The Guardian. He says consumers have not fully realized the value of their personal data held by online companies. "My computer has a great understanding of the state of my fitness," Berners-Lee said, "of the things I'm eating, of the places I'm at." By taking advantage of such personalized data, services "with tremendous potential to help humanity" could be created, but only if web companies allow users access to their data.

DATA LOSS—AUSTRALIA

Commissioner Delays Telstra Report Indefinitely (April 13, 2012)

After extending the January deadline for Telstra to answer questions related to its December 2011 breach, the Office of the Australian Information Commissioner (OAIC) has delayed releasing its report indefinitely, reports The Australian. "The matter is more complex than we originally thought, and we are seeking further information from Telstra. The investigation is ongoing," said an OAIC spokeswoman. The data breach exposed the records of more than 800,000 Telstra customers and may have included some user names, passwords and credit card numbers. (Registration may be required to access this story.)

PRIVACY—NEW ZEALAND

Shroff on Enforcement and Public-Sector Breaches (April 13, 2012)

Wellington lawyer Mai Chen interviews Privacy Commissioner Marie Shroff for Stuff.co.nz about breaches, the proposed privacy legislation and the "citizen-state relationship." Shroff talks about her abilities to enforce the current laws and her desire for more enforcement powers. When asked about how seriously organisations are taking their data-handling practices, Shroff says, "Big corporates are taking it very seriously...generally speaking I think it's the public sector that needs to come into the digital environment. They need to pick up their act." Pointing to the recent Accident Compensation Corporation breach, she says this kind of breach "will focus people's minds and make them realise the risk to a public-sector agency is almost as large as to a private-sector agency."

PRIVACY LAW—NEW SOUTH WALES

Security Industry ID Cards Get Overhaul (April 13, 2012)

After an investigation into a complaint about birthdates displayed on security industry ID badges that must be worn while on duty, Deputy Privacy Commissioner John McAteer announced that the practice contravenes New South Wales privacy laws. A media release states that the commissioner's office is satisfied with public sector agencies' responses. They are implementing an improved licence and making available a free remedial process for replacement. "The mandatory display of excessive personal information...is a matter of significance when looking to prevent identity theft and other risks to the personal safety and privacy of individuals," said McAteer.

DATA LOSS

Security Cameras Broadcast to the Web (April 13, 2012)

Up to 50,000 people who bought security cameras may be affected by a flaw in the cameras that allows the footage to be watched by anyone with an Internet connection, reports The Sydney Morning Herald. In order to fix the problem, customers must download an update from the TRENDnet website, and while some customers have done so, the U.S.-based company is having trouble mitigating the damage because it has no way of finding those customers who didn't register their devices. Chris Gatford of security testing company HackLabs says Australians need to pressure manufacturers to build in high-level security features, adding, "There's no shortage of newly connected devices entering our homes every day."

PRIVACY LAW—NEW ZEALAND

Some Say Privacy Bill Doesn’t Do Enough (April 13, 2012)

Some provisions have been cut from the proposed Privacy (Information Sharing) Bill, which will mean easier sharing of government-held data, reports Stuff.co.nz, and some are concerned that the sharing extends to private firms as well. Privacy Commissioner Marie Shroff has said, "It's certainly an issue as to whether business should be allowed some access (to government-held information) to a limited extent," adding, "That's exactly one of the concerns we have about this whole technology environment and the trend to use it and share it more widely, that it's the beginning, potentially, of a slippery slope." According to the report, Shroff will monitor the sharing agreements for their appropriateness.

EMPLOYEE PRIVACY—AUSTRALIA

Pilgrim: Employers Should Not Collect Unnecessary Data (April 13, 2012)

The Sydney Morning Herald reports on Gary Coulthart, who runs a private forensic consultancy and says he takes calls from companies every day wishing to retrieve data from their employees' phones. The law on such requests is vague, the report states, though Privacy Commissioner Timothy Pilgrim says employers should not collect unnecessary data from their employees. "Employees should be aware of the implications of using devices owned by employers for personal use. Employees should also take responsibility for their own privacy by deleting all personal information before they return a device to their employer," he says. Coulthart says device data, even once deleted, can almost always be retrieved.

ONLINE PRIVACY—AUSTRALIA

Philosopher: Firms Should Report Data They Store (April 13, 2012)

In advance of appearances in Melbourne and Sydney, English philosopher A.C. Grayling has said that commercial organisations that mine data on individuals should be required to regularly "send us a report on what they have got on us," Canberra Times reports. The "complete anarchy" that comes to be when technology revolutionises communication is also restored to order by creating boundaries, Grayling says, adding that civil liberties are increasingly under attack. It should be "very thought-provoking" that governments have the ability to hack into people's personal digital information. The challenge, he says, is to allow worthwhile technologies to flourish while protecting people's privacy.

EMPLOYEE PRIVACY—NEW ZEALAND

Professor: Leak Breached Privacy Act (April 13, 2012)

An Otago University law professor has weighed in on a privacy breach involving a Maritime Union crane operator, The New Zealand Herald reports. The man's personal details were leaked onto the Internet by his employer, and a Ports of Auckland official apologised for it. But Prof. Paul Roth says the action "undoubtedly" breached the Privacy Act, and "the only issue that is open is whether (the victim) suffered 'significant' humiliation or injury to feelings as a result of the disclosure." Roth added that the employer's apology may be enough to resolve the matter, but if not, "he would be within his rights to bring proceedings before the Human Rights Review Tribunal and seek monetary compensation."

PRIVACY LAW—NEW ZEALAND

Shroff Proposes Emergency Data Sharing Code (April 13, 2012)

Building on lessons learned following last year's earthquake in Christchurch, Privacy Commissioner Marie Shroff has released a proposal that would relax data-sharing restrictions upon the declaration of a state of emergency in order to "allow a fast and tailored response during national emergencies." The Civil Defense National Emergency (Information Sharing) Code is closely modeled on the temporary Christchurch earthquake code and is similar to legislation in other nations. The Office of the Privacy Commissioner is seeking public submissions through 25 May.

DATA LOSS

American Man Pleads Guilty in Sony Hack (April 13, 2012)

An American man and former member of the hacker group Lulz Security pleaded guilty last week to hacking Sony Pictures Entertainment computers, the Mercury News reports. Cody Kretsinger faces 15 years in prison for federal charges of conspiracy and unauthorised impairment of a protected computer, the report states. Kretsinger was arrested in September 2011 for his role in what was one of the largest data breaches of that year.

PRIVACY LAW—NEW ZEALAND

Shroff: Bill Provides Consistent Framework (April 6, 2012)

Privacy Commissioner Marie Shroff on Thursday registered her view on a bill that would let public and private agencies more easily share individuals' personal information, The New Zealand Herald reports. Shroff submitted comments to Parliament's justice and electoral committee, which is considering the Privacy (Information Sharing) Bill. "The bill has strong and practical safeguards, which are absolutely vital, and in my view, they all interact together and are all necessary. Taking one away would potentially spoil the nicely balanced framework that we have," Shroff noted, adding that her office would be involved in reviewing and monitoring sharing arrangements.

CLOUD COMPUTING—VICTORIA

Commissioner: Providers Should Adopt PbD (April 6, 2012)

Speaking to the Local Government Forum in Melbourne last month, acting Victorian Privacy Commissioner Anthony Bendall said cloud providers should use Privacy by Design when creating services for government use, iTNews reports. Noting that government use of cloud services is "somewhat inevitable," Bendall called on providers to consider government privacy laws and obligations. Bendall added, "If private organisations want to come to the cloud computing party and provide services to government, they should ensure they are compliant with privacy laws, because ultimately, if something happens, it is the government organisation or council's data (and reputation) that is at stake."

DATA LOSS—NEW ZEALAND

NZTA Mistakenly Exposes 1,000 E-mail Addresses (April 6, 2012)

The New Zealand Transport Agency (NZTA) has apologised to nearly 1,000 customers after mistakenly exposing their e-mail addresses in an e-mail alerting customers that their credit card reportedly failed to transfer funds, The New Zealand Herald reports. In its recall message, the NZTA reportedly made the same mistake. Assistant Privacy Commissioner Katrine Evans noted that it's an easy mistake to make but could exact consequences, adding, "Lists of e-mail addresses can be a treasure trove for spammers and scammers."

FINANCIAL PRIVACY—NEW ZEALAND

ATM Skimming Attacks on the Rise (April 6, 2012)

BankInfoSecurity reports on the rise of ATM skimming attacks. According to the report, approximately 500 debit accounts have been compromised at ATMs owned by ANZ Bank and National Bank in Auckland, and financial losses have amounted to nearly $1 million. On its website alert, the bank said, "We are still assessing the number of cards that might have been used in the affected ATMs." A representative from a PCI-DSS service provider said, "With no local disclosure laws around card fraud or data breaches, these sorts of incidents seldom get reported here." The bank is also working with affected customers to issue refunds.

PRIVACY LAW—HONG KONG

Commissioner Seeks Enforcement Powers (April 6, 2012)

Hong Kong Privacy Commissioner for Personal Data Allan Chiang Yam-wang is seeking additional enforcement power to curb tabloid snooping, The Standard reports. Chiang said, "Once the privacy infringements are confirmed, we hope to have the authority to compensate victims and to fine infringers." Chiang believes the commission should have authority to help victims file civil actions, adding, "We have been fighting for this for the past two to three years, but we have not yet succeeded." Meanwhile, the commissioner's office has served two Hong Kong tabloids with enforcement notices for acquiring and publishing "compromising" photos of celebrities.

MOBILE PRIVACY

Study: Majority Use Geolocation, Privacy Concerns Persist (April 4, 2012)

IDG News reports on a study revealing that nearly 60 percent of smartphone users acquire geolocation apps even while the respondents expressed privacy and safety concerns. Conducted by ISACA, the study polled 1,000 smartphone users. Some of the largest concerns for the users, according to the report, are advertisers' access to their data and possible risks to their personal safety. A representative from the Center for Democracy & Technology said, "If you think about it, most of us have one location where we spend our daytime hours at work and one location where we spend our nighttime at home, so after just a day or two of these data points, it's fairly obvious who they describe." Meanwhile, TRUSTe is releasing a new tool to help mobile companies target smartphone users while also allowing users to opt out of in-app advertising.

ONLINE PRIVACY

If Web Tracking Is Regulated, What Happens To Revenue? (April 3, 2012)

Reuters reports on big brands' dependence on targeted advertising and fears surrounding the effect do-not-track rules could have on business. L'Oreal, for example, has increased its ability to reach its ideal consumer by 168 percent, according to Nugg.ad, the company that performs its web tracking functions. "There is no way websites will survive without targeting," said a spokesman from the Internet Advertising Bureau. Nugg.ad says it is unclear how much revenue could be lost as a result of requiring users to grant explicit consent in order to be tracked, but it could definitely hurt business.

GEO PRIVACY

App Creator Defends “Girls Around Me” (April 2, 2012)

The Wall Street Journal reports that the developer of a mobile app that employs publicly available information from two social networks to give users the locations of women in their vicinity "defended its intentions Saturday after drawing a firestorm of criticism over privacy concerns." Over the weekend, one of the networks the app relies on for data cut off its access, the report states, citing violation of its policies on "aggregating information across venues." "Girls Around Me" app developer i-Free Innovations said it is "unethical to pick a scapegoat to talk about the privacy concerns. We see this wave of negative as a serious misunderstanding of the apps' goals, purpose, abilities and restrictions." (Registration may be required to access this story.)

BIOMETRICS

The Rise of Voice Recognition Technology (April 2, 2012)

The New York Times reports on voice recognition technology developed by Nuance Communications. Going beyond dictation, the new technology can extract meaning from and respond to human voice commands and, in addition to computers, could be featured in common household appliances. Privacy advocates worry that the biometric identifier will leave a digital trail for more data mining. The company says its system recognizes individuals' voices by unique codes, not by consumers' names, and its privacy policy states that it only uses consumers' voice data to improve its internal systems. The FTC's David Vladeck said, "Just as we are concerned about the possible applications of facial recognition, there are other forms of biometric identification, like voice, that pose the same kind of problems." (Registration may be required to access this story.)