ANZ Dashboard Digest

Putting its regard for privacy compliance to the fore, the iappANZ Board has this week taken the decision to opt in to the obligations of the new privacy legislation. You will see our new privacy policy, and we welcome any comments as it has been a collaborative effort by some of Australia’s finest privacy minds. We understand that the privacy commissioner will be talking about ways to improve organisations’ privacy policies at the OAIC Privacy Awareness Week Breakfast, so if you are revising yours, it is an event not to be missed. In news this week you will also see that AMSRO has also applied to register a non-mandatory code of practice.

Now that 12 March is over, we are starting to see less of the doomsday reports and more of the innovation which the OAIC encourages. We expect plenty of new ideas in Privacy Awareness Week in May. We are delighted to confirm that the deputy chair of the ACMA will be joining the ALRC and OAIC representatives in our Great Debate on Australia’s direction on serious invasion of privacy in the digital age.

The article by Brenda Aynsley OAM this week, “Sharing the Values to match the technology,” presents a fascinating counterpoint to the call by Tim Berners-Lee and the World Wide Web Consortium in their “Web We Want Campaign.” Aynsley examines the important distinction between “trusted” providers and “trustworthy” providers. Trustworthiness is critical because technology projects continue to have one of the highest rates of failure—failure to deliver on promises, on time, on budget—or all three. Risks such as those presented internationally by Heartbleed or the CDA security breach, which threatens the Personally Controlled Electronic Health Record, mean that the concept of trustworthy will become increasingly significant for privacy professionals that either develop or procure technology. Then, of course, as the story on the use of biometric facial recognition technology in Japan shows, trustworthiness in the party deploying the technology is vital. It will be interesting to hear from Tim Rains on trustworthy computing in Privacy Awareness Week. Hope to meet you there.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

DATA PROTECTION—HONG KONG

Commissioner Reveals Drug Test Vulnerabilities (July 27, 2012)

Hong Kong Privacy Commissioner for Personal Data Allan Chiang has revealed a number of vulnerabilities in a school drug testing system in the territory of Tai Po, China Daily reports. Chiang said no privacy impact assessment (PIA) had been instituted prior to the system’s launch and noted the protocol did not set data retention standards. Chiang said that policies for the drug testing scheme “are not adequate” and has made a list of 15 suggestions for the system, including the initiation of a PIA. Editor's note: The Privacy Advisor recently caught up with Hong Kong Privacy Commissioner for Personal Data Allan Chiang for a Q&A.

DATA RETENTION—AUSTRALIA

Uncertainty on Proposal, Hackers Down Gov’t Sites (July 26, 2012)

Attorney General Nicola Roxon recently said she’s “not yet convinced that…we’ve made the case” for the data retention provision in proposed amendments to the Privacy Act, and Greens Sen. Scott Ludlam is voicing concern, saying, despite its claims, the government hasn’t “even attempted” to “strike a balance between people’s privacy and the ability of spy agencies to surveil people.” Meanwhile, hacktivist group Anonymous temporarily took down at least 10 government websites in protest of the proposed data retention requirements, reports Fox News. “Unless the government starts acting in the best interest of its people, it will continue to bring the noise,” said a spokesman from the group.

DATA LOSS—AUSTRALIA

Commissioner: Health Organisation Breached Privacy Act (July 26, 2012)

After an investigation, the Australian privacy commissioner has found that Medvet Laboratories breached the Privacy Act by failing to protect its customers’ personal information, ZDNet reports. Billing and shipping details were exposed because of multiple security flaws in the software used for its online store, the privacy commissioner found. However, the commissioner has said the company’s actions following the breach were positive steps. It has improved security systems, advertised the violation in newspapers and placed notices on its website.

INFORMATION ACCESS—NEW ZEALAND

Law Commission: MPs Should Be Subject to OIA (July 26, 2012)

After a major review of the Official Information Act (OIA), the Law Commission has determined that the legislation should be expanded to include all publicly funded agencies, reports The New Zealand Herald. While ministers have been subject to the act, MPs have not been required to open their expense claims to the public. The report’s lead commissioner, Prof. John Burrows, says changes over the past three decades have made modernising the act necessary. "We think there's a case now for saying if a body is receiving public funding and is performing a public function, it should be accountable under the OIA," Burrows said.

PRIVACY LAW—AUSTRALIA

Online Orgs Concerned About Privacy Amendment Bill (July 26, 2012)

The Australian reports that a group of banks, credit providers and online service providers have submitted a joint statement expressing concern that the tabled Privacy Amendment Bill will have adverse effects on the digital economy. The proposed bill introduces a set of privacy principles for the public and private sectors. In the joint statement to the Interactive Advertising Bureau Australia, the Internet companies said, “We recognise the need for organisations to be accountable for the information they share across borders, but the proposed law places digital economy organisations in jeopardy.” (Registration may be required to access this story.)

ONLINE PRIVACY

Study: Asian Consumers More Willing to Trade Data for Benefits (July 26, 2012)

A study conducted by mobile ad company Amobee has shown Asian consumers are more willing to offer up their personal information for free services or better ads than those in Europe, reports ZDNet. The company polled more than 100 people, asking questions such as “would you share your data if we were to give you five free SMS messages a day?” says CEO Trevor Healy. Respondents in both Asia and Europe negatively reacted to “retargeting” marketing strategies, where ads are repeatedly offered to visitors of a site, prompting Healy to recommend advertisers use “pretargeting” methods focused on analysing user profiles.

DATA LOSS—NEW ZEALAND

Health Provider Sorry for Breach (July 20, 2012)

HealthCare New Zealand is apologizing for a breach involving the personal information of dozens of patients, which was discovered on a Merivale street recently, The New Zealand Herald reports. The patient records had been stolen from an employee’s vehicle a few weeks prior. “We’re really sorry about the event,” said HealthCare NZ Community Services Manager Scott Arrol. “It’s not the sort of thing that happens to us.” Police are investigating.

PRIVACY—AUSTRALIA

Pilgrim: Keeping Data Can Pose Organisational Risks (July 19, 2012)

The Sydney Morning Herald looks at the risks associated with how personal data is collected and used. Given legitimate requests by organisations for personal data, the report offers suggestions for solutions from Privacy Commissioner Timothy Pilgrim. “I'm saying to organisations, could you just identify the person and, having identified them, not necessarily need to keep a lot of the personal information?” Pilgrim says, adding, “Because once organisations start keeping large amounts of information it doesn't just pose threats for the individual, in terms of increasing the risk of identity theft and fraud, it also starts to increase the risks for organisations themselves.”

PRIVACY—QUEENSLAND & VICTORIA

APF Urges Selection of New Commissioners (July 19, 2012)

The Australian Privacy Foundation (APF) sent two letters this week to encourage government officials to appoint new privacy commissioners. In a letter to Queensland Attorney-General and Minister for Justice Hon Jarrod Bleijie, the APF expressed concern that the acting privacy commissioner has been in place too long and the office is losing momentum as a result. “We urge you to make an appropriate appointment at the earliest opportunity, and request your assurance that an appointment is imminent.” In a separate letter, the APF implored the Attorney General of Victoria to select a permanent replacement for former Privacy Commissioner Helen Versey.

PRIVACY LAW—AUSTRALIA

FIA Concerned About Privacy Act Changes (July 19, 2012)

Pro Bono Australia reports that proposed changes to the Privacy Act have the Fundraising Institute of Australia (FIA) warning about the potential for “undue distress and confusion” for charitable organisations. In a submission to the Senate Legal and Constitutional Affairs Committee, the FIA writes, “Adequate privacy laws to protect donors' personal data are an essential component of charitable fundraising in this country,” noting that while the “FIA basically supports the Privacy Amendment Bill…there is confusion around the prohibition on direct marketing and lack of clarity around the new requirement for opt-out in each direct marketing communication.”

PRIVACY LAW—NEW ZEALAND

ACC Defamation Case Proceeds (July 19, 2012)

A defamation case brought by ACC Minister Judith Collins will proceed, stuff.co.nz reports. Collins has accused MPs Trevor Mallard and Andrew Little of defamation in relation to a leaked e-mail from “ACC claimant Bronwyn Pullar, who blew the whistle on ACC inadvertently releasing her details about thousands of ACC claimants,” the report states. The next court date is set for November and will be a settlement conference where the parties involved can attempt to resolve the issues before trial. A trial date has been scheduled for February.

FINANCIAL PRIVACY—AUSTRALIA

Experts Warn Against Posting Credit, Debit Info (July 19, 2012)

After cardholders published images of their new debit and credit cards, privacy experts are urging caution. “Police said scammers could easily use the cards to make phone and online transactions, despite not being able to see the cards’ security codes,” the Herald Sun reports. A Twitter accountholder republished the images, the report states, prompting E-Crime Unit Detective Senior Constable Marty Nicholls to caution, “Using the Internet to purchase things can be safe, but posting a photograph of your credit card in an open source environment is fraught with danger.” (Registration may be required to access this story.)

PRIVACY—HONG KONG

Chiang: High Calibre Privacy Professionals Needed (July 19, 2012)

Privacy Commissioner for Personal Data (PCPD) Allan Chiang tells Career Times that his office is actively seeking high-calibre privacy professionals from a variety of backgrounds. The report highlights the work of the Office of the PCPD, noting that candidates with experience in such fields as legal, regulatory affairs and social services have an advantage in the privacy sphere. "At this point, we are looking to build a team of diverse talents who can contribute their expertise as we learn from one another and create new synergy," Chiang notes, adding, "There is certainly plenty of room for quality candidates who want to join the profession." Editor’s Note: In a recent feature for The Privacy Advisor, Chiang discusses the work of his office.

BIG DATA—AUSTRALIA

As Data Collection Increases, So Do Company Obligations (July 19, 2012)

An article in The Sydney Morning Herald discusses the risks companies run in chasing big data. “Every time we make a phone call, click on a website link, send an e-mail or swipe a card through an electronic reader, we are creating a record that can be stored and later analysed by computers,” the report states. One executive says he expects such practices to increase as young executives who are comfortable with Internet data collection are promoted. Australian Privacy Commissioner Timothy Pilgrim warns organisations that they must treat customer data responsibly and realise “they are collecting what can be quite powerful sets of information.”

ONLINE PRIVACY

YouTube Releases Facial Blurring Tool (July 19, 2012)

YouTube has released a tool allowing people to obscure faces within videos uploaded to the site, The New York Times reports. The feature aims “to help protect dissidents using video to tell their stories in countries with repressive government regimes,” the report states. “Visual anonymity in video allows people to share personal footage more widely and to speak out when they otherwise may not,” said a YouTube spokeswoman, adding that “human rights footage, in particular, opens up new risks to the people posting videos and to those filmed.” YouTube said the feature would also help protect children’s identities. (Registration may be required to access this story.)

ONLINE PRIVACY

Skype Looking Into Messaging Bug (July 17, 2012)

Skype is looking into a bug resulting in the voice-Internet service sending instant messages to unintended recipients, CNET News reports. Skype says “in rare circumstances” and stemming from an upgrade last month, users intending to send a message to one contact have found the message has been sent to another, which one user called “a serious breach of privacy.” Skype says it is investigating the matter and hopes to provide a solution soon. “We are rolling out a fix for this issue in the next few days and will notify our users to download an updated version of Skype,” a spokesperson said in an e-mailed statement.

DATA THEFT—AUSTRALIA

Customer Passwords Stolen, Published (July 17, 2012)

Surfwear retailer Billabong says it is gathering information about a breach impacting customer passwords, iTNews reports. A company spokesperson said, “We view this attack as an extremely serious matter and have taken urgent action to contain the incident and prevent further attacks occurring.” Hackers published 21,485 stolen clear-text passwords and hashed passwords. “We will take further appropriate measures as new information comes to light,” the spokesperson said. Meanwhile, 3AW Radio reports that a company that went into administration earlier this year failed to protect sensitive data located in office equipment that is to be sold online.

PRIVACY—AUSTRALIA

Gov’t Says Access To Data Is Critical (July 12, 2012)

The federal government says it’s important it has access to Australians’ Internet and phone records, AAP reports. Under new proposals being considered by a parliamentary committee, data would be retained for up to two years and government agencies would be given increased access to social media sites like Facebook and Twitter. Assistant Treasurer David Bradbury said it’s important to national security that the government have access, adding, “of course, there is always going to be an important need for us to balance that against the protection of the privacy of the individual.” (Registration may be required to access this story.)

DATA PROTECTION—AUSTRALIA

Telstra CEO: Customer Trust Will Take Months To Regain (July 12, 2012)

Breaches at Telstra must not happen again, and customers affected by a recent breach are entitled to feel like the company broke their trust, said Telstra CEO David Thodey in an e-mail to staff last week. The Sydney Morning Herald reports on Thodey’s e-mail, which stated that breaches are affecting the brand’s reputation and staff should tell a manager “as a matter of urgency” if they have concerns about a matter that may affect customer privacy. “Some of our customers may feel we have broken their trust, and, frankly, they are entitled to feel that way. The hard reality is it will take months of hard work to win back that trust,” Thodey said.

ONLINE PRIVACY—AUSTRALIA

ADMA Says Proposed Opt-Out Provision Harmful to Companies (July 12, 2012)

Certain proposed changes to the nation’s privacy law would have an adverse impact on Australian companies, according to the Australian Direct Marketing Association (ADMA). This week, the group responded to a Senate inquiry suggesting adjustments to the proposed changes, The Australian reports. The group said a proposed requirement for advertisers to include opt-out language would be “virtually impossible to implement,” according to the report. ADMA Chief Executive Officer Jodie Sangster said consumers already have opt-out methods at their disposal. (Registration may be required to access this story.)

MOBILE PRIVACY

Firm Says Ad Networks Secretly Track; Facebook Launches New Ad Targeting (July 12, 2012)

The Sydney Morning Herald reports on comments made by a U.S. mobile security firm about ad networks that “secretly collect app users’ contacts or whereabouts and could now have access to 80 million smartphones globally.” The firm’s technology chief said aggressive ad networks are “much more prevalent than malicious applications” and the “most prevalent mobile privacy issue that exists.” Meanwhile, The Wall Street Journal reports on Facebook’s launch of a new type of mobile advertising targeting consumers based on which apps they use, suggesting the company is “pushing the limits of how companies track what people do on their phones.”

BIG DATA

Privacy, Economics and “Do Not Collect” (July 12, 2012)

Examining the difference between the low cost of paying a company to find someone online versus the higher costs associated with companies that help people “hide from the Internet,” a paidContent report questions whether the time has come for a “do not collect” law. While suggesting “the ‘pay for privacy’ approach doesn’t acknowledge the new economic imbalance in which personal data is cheap and anonymity is expensive,” the report also questions whether a “do not collect” system “would be enough to put the data genie back in the bottle.”

DATA RETENTION—AUSTRALIA

Gov’t Telecomm Inquiry Begins, Committee Seeks Public Opinion (July 10, 2012)

Following up on Attorney General (AG) Nicola Roxon’s request for a review of the Telecommunications (Interception and Access) Act 1979, the Joint Parliamentary Committee on Intelligence and Security has launched its investigation, reports ZDNet. The AG’s department published a discussion paper outlining the proposals put to the committee, which is currently seeking public opinion on data retention and whether the law should be amended to require telecommunication companies to hold certain consumer data for two years. “As Australia’s telecommunications landscape continues to evolve, it is appropriate and timely to consider how best to manage risks to the data carried and stored on our telecommunications infrastructure to secure its availability and integrity in the long term,” said the department.

DATA THEFT—AUSTRALIA

Legitimately Collected Data Sold to Fraudsters (July 9, 2012)

The Australian Crime Commission (ACC) has released a report that estimates 2,600 Australians have been duped out of $113 million in the past five years by criminals buying data collected through legitimate methods, such as surveys or competitions, reports COMPUTERWORLD. "Armed with information such as income, superannuation, mortgage and investment details of individuals, organized criminal networks are able to identify those most susceptible to particular schemes," says the ACC report. The ACC also released a list of recommendations to avoid becoming a victim of this kind of crime, including checking the licensing of the company, seeking independent advice before investing money and hanging up on unsolicited calls offering overseas investments.

TRAVELER’S PRIVACY

WiFi-Enabled Cars Can Connect Through Algorithm (July 9, 2012)

Researchers from the Massachusetts Institute of Technology, Georgetown University and the National University of Singapore have developed an algorithm allowing WiFi-connected cars to automatically share Internet connections and data, reports MediaPost. The algorithm would collect data from many cars through a few cars that would then upload it to the Internet--so, by design, data from one car will pass through a nearby car on its way to the Internet--causing the author to opine, "Privacy experts should have a field day with this one." The plan would save consumers money by sharing a 3G connection; however, the author warns of risks of viruses, corrupt data and theft.

PRIVACY LAW—AUSTRALIA

Bill Would Give Commissioner Increased Powers (July 5, 2012)

Parliament is reviewing legislation that would allow the federal privacy commissioner to apply to the federal court to levy fines on individuals and organisations for privacy breaches, reports The Australian. Privacy Commissioner Timothy Pilgrim said it means he could require companies to fix systems and pay for regular privacy audits. He believes “they will start to take their responsibilities around protecting information a lot more seriously once those powers are passed.” One lawyer says companies that collect personal information as part of their business model may be nervous about the legislation, adding, those that can’t provide “informed consent” risk breaching privacy principles. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—AUSTRALIA

OAIC To Regulate E-Health System (July 5, 2012)

Australian Privacy Commissioner Timothy Pilgrim will be able to seek civil penalties for breaches of the nation’s new Personally Controlled Electronic Health Records system, reports COMPUTERWORLD. The system will be regulated by the Office of the Australian Information Commissioner, which will have powers to investigate complaints and conduct own-motion investigations. Pilgrim welcomes the change and has advised consumers to read the terms and conditions, while warning providers to uphold their obligations under the Privacy Act.

CLOUD COMPUTING—AUSTRALIA

CEO: Keep Sensitive Info Out of the Cloud (July 5, 2012)

Financial Review reports on comments by Ed Coleman of Unisys in support of keeping “sensitive information inside Australia” amidst moves by some to facilitate storing such data in the cloud. The report notes that Coleman, “whose company supplies biometric security including retina scans and fingerprinting to a range of governments and agencies, said some key data should always remain in Australia despite the lower costs and other benefits brought by cloud computing.” Acting Victorian Privacy Commissioner Anthony Bendall echoed those concerns, adding that should such information leave Australia, “at the very least, there has to be much stronger safeguards around it wherever it gets stored.”

ONLINE PRIVACY—AUSTRALIA

Huston: Telstra Acted Outside Telecommunications Act (July 5, 2012)

Geoff Huston, the chief scientist of regional Internet registry Asia-Pacific Network Information Centre (APNIC) and former Telstra employee, says the company acted “way beyond the terms and conditions of the Australian Telecommunications Act” when it collected and sent users’ web behaviours to a Canadian web filtering company, reports ZDNet. Most of the data Telstra sent was anonymised; however, some was not, causing Huston to question why there has been no investigation by the privacy commissioner. A spokeswoman from the commissioner’s office said it is still “waiting on a report from Telstra.”

DATA LOSS—NEW ZEALAND

Opinion: ACC Should Not Overdo Culture Shift (July 5, 2012)

An editorial in The New Zealand Herald says that changing the culture at the ACC will require care to see that such a move doesn’t go too far. The ACC’s chairman, chief executive, two board members and several officials have departed due to fallout from recent data breaches affecting thousands of ACC clients. The minister in charge has made “drastic changes” since the incident, replacing cost containment with improving trust and confidence as the first priority, the report states, adding, however, the ACC should be “sensitive, fair, considerate and dignified in its dealings with people and its discussions about them” and that’s “as far as the culture change need go.”

DATA PROTECTION

The Threat of Third-Party Access (July 5, 2012)

In the fourth installment of its series exploring information security issues faced by businesses today, COMPUTERWORLD looks at how third-party access puts company data at risk. Market Analyst Vern Hue notes that when a company shares data with a third party, it is putting faith in that third party’s security practices, adding, “This, in essence, makes the third party the potential chink in the company's information security armour.” Hue recommends conducting a risk assessment “to ensure that the third party's security integrity, controls and standards meet your own organisation's standards” and to only give the third party access to information it needs to conduct its business.

PRIVACY LAW—SOUTH KOREA

Gov’t May Take Action Against Search Engine (July 5, 2012)

South Korea's Personal Information Protection Commission says it will file further complaints against Google's Korean subsidiary unless it complies with the commission's request that it improve its privacy policy, The Korea Times reports. The commission can fine Google one percent of its annual proceeds or seek criminal charges, the report states, noting Google failed to comply with the commission's request last month to make three changes to its policy regarding combining users' personal information across 60 of its services, user consent for data storage and the length of data retention. Meanwhile, Forbes reports on "Google Now," a feature that combines user data across platforms to make suggestions.

PRIVACY LAW—HONG KONG

A Q&A with Commissioner Allan Chiang (July 5, 2012)

In this exclusive for The Privacy Advisor, Hong Kong Privacy Commissioner for Personal Data Allan Chiang offers insight into the work of his office, the types of complaints received and the importance of enforcers having the ability to impose sanctions in the event of a breach. In the past year alone, Chiang's office has received nearly 1,500 personal data complaints, but Chiang adds that the existing provisions under the Personal Data (Privacy) Ordinance "are inadequate in safeguarding personal data protection." Chiang shares six amendments to the ordinance that "are expected to pass shortly" and discusses his office's consumer education initiatives. (Must be an IAPP member and logged in to view.)

BIG DATA

The E-Book’s Two-Way Mirror (July 3, 2012)

The Wall Street Journal reports on the rise of big data analytics on consumers' e-reading habits by publishers, providing "a glimpse into the story behind the sales figures, revealing not only how many people buy particular books but how intensely they read them." Now that publishers are employing e-reader data analytics, the formerly private act of reading is becoming "something measurable and quasi-public," the report states. The U.S.-based Electronic Frontier Foundation argues that readers should have the right to opt out of being tracked by publishers, adding, "There's a societal ideal that what you read is nobody else's business." (Registration may be required to access this story.)

PRIVACY LAW—HONG KONG

Council Passes Data Privacy Bill (July 2, 2012)

The Hong Kong Legislative Council has passed the Personal Data (Privacy) Amendment Bill, Privacy Asia reports. The bill creates requirements for personal data in direct marketing as well as in its transfer and sale to third parties. The bill also empowers the privacy commissioner to "provide legal assistance to individuals to seek compensation from companies and organizations if there is a breach" of the data protection ordinance and "imposes heavier penalties for repeated contraventions of enforcement notices and a new penalty for repeated contravention of requirements under the Personal Data (Privacy) Ordinance where enforcement notices have been served," the report states.