ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

PRIVACY LAW—AUSTRALIA

Changes Expected To Privacy Act Proposal (September 27, 2012)

The federal government is considering revising its overhaul of the Privacy Act following calls by House of Representatives and Senate committees for changes, The Australian reports. The government is “actively considering” the recommendations, said Attorney General Nicola Roxon. A number of advocates have voiced concerns that people will have difficulty understanding the new law. Meanwhile, Coalition senators say they will recommend softening the law’s provision on breach liability. Currently, the law would grant the privacy commissioner power to fine organisations up to $1.1 million. The coalition wants to limit that if organisations can demonstrate that they’ve taken “all reasonable steps” to prevent a breach. (Registration may be required to access this story.)

PRIVACY LAW—AUSTRALIA

Data Retention Requirement Concerns Persist (September 27, 2012)

The Australian Federal Police says it supports requirements that telecoms store data for two years but would prefer the data be stored indefinitely, The Sydney Morning Herald reports. Telstra says the requirements will be too costly, and Vodafone has asked for clarification. The proposals put privacy and security “in the balance,” opines Philip Dorling for The Sydney Morning Herald, while ZDNet’s Josh Taylor predicts a slippery-slope effect.

PRIVACY LAW—NEW SOUTH WALES

ID Scanning Proposal Raises Privacy Concerns (September 27, 2012)

The Office of the Privacy Commission for New South Wales has said it was not consulted prior to the initiation of an identification data sharing proposal for nightclubs in the Kings Cross area, GovernmentNews.com.au reports. Premier Barry O’Farrell said that “linked ID scanners will be introduced to licensed premises” and that “this means if a person is ejected from one venue, they can be banned from all other licensed venues in the precinct that night.” Details of what kind of personal data would be collected, shared, stored or protected have not yet been revealed.

PRIVACY—NEW ZEALAND

OPC Newsletter Highlights Key Issues (September 27, 2012)

The most recent edition of the Office of the Privacy Commissioner's Private Word highlights several current issues in the privacy sphere. The lead story in the newsletter is an interview with Privacy Commissioner Marie Shroff on the recent ACC breaches. “Data breaches can happen easily--especially in today's digital environment. But, while the investigation showed that the ACC privacy breach was a genuine human error, it occurred due to systemic weaknesses within ACC's culture, systems and processes,” Shroff notes. The issue also includes reports on proposed credit reporting changes and credit code workshops as well as Privacy Forum highlights.

SURVEILLANCE—NEW SOUTH WALES

Name-and-Shame Campaign Incites Calls for Tougher Laws (September 27, 2012)

The owner of a pub who recently started a “name-and-shame” campaign by posting pictures of alleged thieves on the Internet says it will help police when it comes to time and resources, ABC News reports. But civil liberties groups say the campaign “undermines the justice process” and are calling for more relevant privacy laws. Cameron Murphy, president of the New South Wales Council of Civil Liberties, says what’s needed are “proper privacy laws; where we know what the boundaries are and we know what people’s rights are, we also know what their responsibilities are.”

ONLINE PRIVACY—AUSTRALIA

Users Learn How To Take Privacy Into Their Own Hands (September 27, 2012)

The Sydney Morning Herald reports on Melbourne’s first “Cryptoparty,” a movement that has since spread to Egypt, Germany, the UK and the U.S. At the event, approximately 60 people learned how to become anonymous online by encrypting their online activity. Event organiser Asher Wolf, who calls herself an “information activist,” says she wanted a party “where people learnt how to protect their right to privacy.” Participants were trained how to download a browser that hides users’ locations and prevents web tracking. Many of those in attendance were there because of concerns about current data retention proposals, Wolf said.

DATA PROTECTION—ASIA PACIFIC

Balancing Threat-Sharing with Privacy Protection (September 27, 2012)

At a recent conference, a former director of the U.S. National Security Agency said that sharing valuable threat information between public- and private-sector organisations helps combat cyberthreats, ZDNet reports. With the adoption of privacy and data protection laws in several Asia-Pacific nations, threat-sharing could contravene various privacy laws. One expert said organisations must strike a balance to prevent threat-sharing from breaching individuals’ privacy.

PRIVACY—SINGAPORE

Expert: Singapore Will Look To Countries with Mature Laws for Guidance (September 27, 2012)

ZDNet reports on Singapore’s forthcoming Data Protection Act. The country will look to jurisdictions with more “mature” data protection laws as it implements its own, said Ilias Chantzos of Symantec. Though early discussions included a provision on security breach notifications, no conclusions have been reached on the topic, the report states. Chantzos advises such discussions not be overplayed, noting that individuals will start to get “notification fatigue” if too many messages are sent from any one organisation.

DATA LOSS

Breach Affects 100,000 IEEE Members (September 27, 2012)

The user names and passwords of approximately 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) have been compromised in an apparent breach, Help Net Security reports. The affected data was stored on an FTP server in unencrypted form. The IEEE has as many as 400,000 members worldwide, many of whom are security professionals. The incident was discovered by Romanian researcher Radu Dragusin.

PRIVACY LAW—NEW ZEALAND

Commissioner Seeks Data Broker Enforcement Powers (September 26, 2012)

New Zealand’s privacy commissioner is seeking additional powers to monitor companies that collect and sell personal data, the Otago Daily Times reports. Assistant Privacy Commissioner Blair Stewart has said the current version of the Privacy Act clears the way for enforcement only after a complaint is filed, but many citizens do not know of the existence of data brokers. The privacy commissioner has supported a Law Commission recommendation to update the law, giving the commissioner powers to serve compliance notices on organizations. Stewart said, “People don’t tend to complain about certain practices, if the sort of practices go on in the background and they can’t see what’s happening.”

PERSONAL PRIVACY—AUSTRALIA

Privacy Commissioner: Citizens Concerned About Smart Meter Data (September 24, 2012)

Australian Privacy Commissioner Timothy Pilgrim has said smart meter technology could threaten people’s privacy, The Age reports. “We are starting to see people voicing concern about the level of data that these meters can collect,” Pilgrim said. Customers with smart meters must consent to having their data shared with various third parties, the report states. Pilgrim said companies have an obligation to delete or de-identify personal information that is no longer necessary. An Origin Energy spokesman said its online energy-usage portal is fully compliant with Australian privacy legislation and that the company keeps personal data for tax and compliance purposes.

DATA PROTECTION

Risk Report Finds “Sharp Increase” in Browser Exploits (September 21, 2012)

InfoSecurity reports that the results of the IBM X-Force 2012 Mid-Year Trend and Risk Report suggest “the landscape has seen a sharp increase in browser-related exploits…along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.” The report notes an upward trend in vulnerabilities. “We’ve seen an increase in the number of sophisticated and targeted attacks,” said IBM’s Clinton McFadden, adding, "As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data." Editor's Note: The IAPP's recent web conference The Implications of Bring Your Own Device (BYOD) offers additional insights into the issues surrounding BYOD.

PRIVACY LAW—AUSTRALIA

House Passes Privacy Act Changes (September 20, 2012)

The House of Representatives has approved sweeping changes to the Privacy Act, following a parliamentary report recommending such action. Attorney General Nicola Roxon said the changes would “give power back to consumers over the way in which organisations used their personal information,” The Australian reports. The bill would increase the privacy commissioner’s powers, giving the office the ability to hand down civil penalties for privacy violations--up to $220,000 for individuals and $1.1 million for companies. The Standing Committee on Social Policy and Legal Affairs noted concern that the changes will cause confusion, the report states.

ONLINE PRIVACY—AUSTRALIA

Readers Respond with Privacy Concerns (September 20, 2012)

The Age asked readers about their privacy-related concerns, finding that 20 percent of 150 respondents are concerned about the proposed mandatory data retention period for telecommunications providers; 10 percent are concerned about the growing prevalence of closed-circuit television cameras, and others are concerned about breaches of sensitive information. One respondent said, “I am particularly concerned about the street surveillance cameras, Internet surveillance and road surveillance. I fear the young will not be able to make minor errors without them being held against them for life.”

FINANCIAL PRIVACY—NEW ZEALAND

Shroff Clarifies Changes to Privacy Code (September 20, 2012)

Privacy Commissioner Marie Shroff has reiterated that under proposed amendments to the privacy code, lenders must tell existing customers before sharing their “positive” credit information. Lenders may only share such information if given consent. “It’s crucial, in order to maintain customer trust, that borrowers are told of significant changes to the way their personal information is disclosed,” Shroff said. “Several major lenders have already signaled their intention to share positive information with credit reporters, but many other lenders are yet to make a clear move.”

DATA PROTECTION—AUSTRALIA

Study: Companies Should Be Liable for Data (September 20, 2012)

The Australian Consumer Data Survey 2012, conducted by iSeek Communications, found that consumers want companies to be held responsible for protecting their data. TechWorld reports that of the 1,009 respondents, 79 percent said companies should be liable for the data they hold while just 26 percent think companies are trustworthy enough to be responsible for their data. iSeek Communications Managing Director Jason Gomersall says the survey should be a “wakeup call” for Australian businesses, adding, “The days of being able to safely house your IT servers in a back room in your office are numbered, and the cloud’s multi-location storage model may soon not comply with Australian law for certain types of data.”

SURVEILLANCE—NEW ZEALAND

Shroff Calls for Debate on Drone Use, Regulation (September 20, 2012)

New Zealand Privacy Commissioner Marie Shroff is calling for a debate over the use and regulation of unmanned aerial vehicles, reports TVNZ. While recognising the benefits of drone use in emergency situations, “it’s their wider uses that potentially raise concerns,” Shroff said, adding, “Drones have the potential to be seriously intrusive.” Stephen Davies Howard, director of aerial imaging company Sycamore, agrees with looking into the possibility of regulating the industry. UAVs are already used by commercial entities, and police are expected to announce whether they will use them in about six months.

PRIVACY LAW—AUSTRALIA

Advocates: Australians Have Less Privacy (September 20, 2012)

Officials from two advocacy groups say that Australians’ privacy protections have eroded more than those of citizens of other countries in the post-9/11 world, The Sydney Morning Herald reports. “We’ve gone further than most other countries in relation to the scope of counter‑terrorism laws…partly because we have no federal charter of rights which would provide necessary criteria against which to judge the appropriateness of national security laws, whereas in the UK, Canada, the U.S. and every European country, they do,” said Liberty Victoria President Spencer Zifcak. An Australian Privacy Foundation official said the privacy commissioner is “buried inside” the information access office, creating “a potential conflict of interest.”

DATA PROTECTION—NEW ZEALAND

ACC Criticized for Policy Changes (September 20, 2012)

After making policy changes to “secure and protect client information,” Accident Compensation Corporation (ACC) has backed off those changes for sensitive claimants, reports The New Zealand Herald. ACC began requiring claimants to collect sensitive documents from ACC offices or have encrypted CDs delivered by courier but then said sensitive claimants could continue to receive copy files at home addresses with “special measures taken in the couriering,” said an ACC spokeswoman. This comes after multiple breach incidents at the organization, and one client says these latest changes are “another example of ACC being consistently inconsistent.”

MOBILE PRIVACY

App Tracking and the “Drip Erosion” of Privacy (September 20, 2012)

Privacy experts are calling attention to analytics firms that track app activity on mobile devices, noting, “Absolutely everyone is interested in that information.” The Sydney Morning Herald reports that these firms offer companies the ability to target demographics based on the apps the devices are using. Aldo Cortesi of MobileScope, a new web-based product which, according to the report, is “designed to monitor everything that flows from mobile devices through apps,” says the “drip erosion” of privacy is as dangerous as a data breach because “bits of information being aggregated and analysed” produce digital profiles that can be matched with online databases.

ONLINE PRIVACY—AUSTRALIA

Project Founder: Data Subjects Should Take Some Profit (September 18, 2012)

The founder of a large-scale data project says individuals should receive a portion of the profits companies generate by capturing their personal data, reports The Sydney Morning Herald. The Human Face of Big Data aims to create a digital snapshot of the human race, the report states, by using a smartphone app to ask 10 million people for personal details about their lives. “Big Data is a new asset class, and yet the ones creating it seem to have no say in the process,” founder Rick Smolan said. “Why is it everyone is making money off our browser history except us?”

SURVEILLANCE—AUSTRALIA

Commissioner Calls for Debate on Drones (September 13, 2012)

As police consider using drones to fight crime, the privacy commissioner has called for a public debate about potential implications, The Sydney Morning Herald reports. Privacy Commissioner Timothy Pilgrim has said he’s “particularly worried that this equipment can be easily purchased and used by individuals in their private capacity,” and such actions wouldn’t be covered by the Privacy Act. “For this reason and because of the potentially intrusive nature of this technology, I think that there needs to be public debate about the use of this technology and whether current regulations are sufficient to deal with any misuse,” Pilgrim said.

PRIVACY LAW—AUSTRALIA

Data Retention Proposals Raise Questions, Concerns (September 13, 2012)

The Age reports on concerns about the government’s data retention proposals. The Internet Industry Association has asked for more information on the current proposals, including what data must be collected and retained for two years, and experts have questioned the government’s transparency. Meanwhile, Chris Berg opines that the proposals would result in a “systematic invasion of our privacy.”

PERSONAL PRIVACY—AUSTRALIA

Retailers Track Shopper Movements To Maximize Sales (September 13, 2012)

The Sydney Morning Herald reports on an increasing trend among retailers to track their shoppers’ in-store movements. Using heat maps, retailers can increase sales by tracking the most popular areas of a store. The World Privacy Forum’s Pam Dixon says retailers can avoid privacy intrusions by allowing shoppers to opt out of such monitoring. “I think it’s incredibly important to offer consumers this choice about how the information they’re dropping like digital breadcrumbs gets picked up and used,” Dixon says.

DATA LOSS—NEW ZEALAND

Work and Income Apologises After Breach (September 13, 2012)

Work and Income has apologised for giving a client’s private details to another client and for its subsequent reaction to the incident, The Dominion Post reports. The breached information included contact details, a client number and weekly income. Work and Income advised the recipient of the information to destroy it herself, the report states. The incident follows a breach at the Accident Compensation Corporation (ACC), in which details on more than 6,000 clients were sent to the wrong recipient. Privacy Commissioner Marie Shroff said the ACC incident should serve as a reminder to agencies that it could “just as easily be them in the headlines.”

FINANCIAL PRIVACY—NEW ZEALAND

Individuals Unclear on Credit Data Sharing (September 13, 2012)

Stuff.co.nz reports on confusion over what credit information companies can gather about individuals under new privacy rules. A recent survey found that most individuals could not identify what credit information companies could collect. Four in 10 did not realise they had a credit score, and more than 30 percent believed a criminal record could be included in credit information. Privacy Commissioner Marie Shroff announced a change to the Credit Reporting Privacy Code, which became effective in April and allows credit agencies to acquire personal records from banks and lenders. Customers must be alerted prior to data collection, and the data may be stored for up to two years.

PRIVACY LAW—SINGAPORE

Personal Data Protection Bill Introduced to Parliament (September 13, 2012)

Following several rounds of public consultation, the government has introduced the Personal Data Protection Bill in Parliament, TODAYonline reports. The bill will “regulate the collection, use and disclosure of personal data by organisations, and individuals will have to be informed of the purposes for using personal data,” the report states. The bill will establish a Personal Data Protection Commission to enforce the law and includes a provision for a Do-Not-Call Registry, the report states. Penalties will include fines and jail terms. One expert said the law will prevent organisations from inappropriately buying and selling personal data and ensure legitimate data uses.

DATA RETENTION—AUSTRALIA

Roxon: Retention Plan Worth Considering (September 6, 2012)

Attorney-General Nicola Roxon recently indicated she may be open to a plan that would see telcos holding customers’ phone and Internet data for up to two years, noting that what’s important is “getting the balance right” between “providing proper protections for the community” and making sure “we’re not reaching too far into the private lives of Australians.” But privacy advocates and the Green Party say the plan puts consumers’ data at risk of misuse, and telcos say the plan will be costly. Meanwhile, Acting Victoria Privacy Commissioner Anthony Bendall says that while he does not support this plan, with the right safeguards in place he may support some form of data retention.

CLOUD COMPUTING—NEW ZEALAND

Shroff Voices Concern Over Move to the Cloud (September 6, 2012)

After confirmation from Internal Affairs Minister Chris Tremain that the New Zealand government plans to move to cloud computing, Privacy Commissioner Marie Shroff told The New Zealand Herald she is in discussions with the agencies considering the move, noting that putting data on the cloud is “not risk-free.” Shroff said agencies that put consumer data in the cloud remain responsible for it and asked, “what happens if there’s a data breach” or if the data is held outside of New Zealand. Tremain says the chosen providers are New Zealand-based, and the government is taking a conservative approach until it better understands the industry.

PRIVACY LAW—AUSTRALIA

Experts: Privacy Laws Need Review In Light of RPA Use (September 6, 2012)

Professors from the Queensland University of Technology say Australian privacy laws should be reviewed in advance of an increase in the use of remotely piloted aircraft (RPA), PHYSorg Science News Wire reports. Faculty of Law Prof. Des Butler says, "People's rights to privacy are currently protected by a piecemeal collection of diverse state and federal legislation and the common law," and Prof. Bill Lane agrees. According to the report, Lane called the privacy laws around RPA use very complex, adding that appropriate safeguards should be put in place in order to take advantage of the benefits of the technology.

DATA PROTECTION—NEW ZEALAND

ACC: New Breach, New Board Members (September 6, 2012)

The New Zealand Herald reports that the Accident Compensation Corporation (ACC) sent a customer’s claim information, including details about her injury and compensation, to another customer. This reportedly happened shortly after ACC’s breach of 6,700 customer records, but the company took six weeks to inform the customer of the incident. In the wake of this larger breach, ACC Minister Judith Collins has filled vacated seats on the company’s board, causing one advocacy group spokeswoman to say Collins missed an opportunity. Those appointed “do not bring the perspective and knowledge that consumer groups and unions can bring to the table,” said Hazel Armstrong of ACC Futures Coalition.

ONLINE PRIVACY—NEW ZEALAND

Evans Expects Safeguards in 3-D Mapping (September 6, 2012)

Assistant Privacy Commissioner Katrine Evans says she expects the firm Terralink to put privacy protections in place as it creates a three-dimensional map of New Zealand, reports The Dominion Post. While “spatial data doesn't in itself necessarily create a major increase in privacy risk…the technology involves high-resolution imagery,” Evans said. She expects the company would blur or pixelate images to “de-identify people and vehicles.” Terralink Managing Director Mike Donald says the company is “capturing what anyone can see walking or driving down the street,” and he does not see any privacy issues with the plan. He adds that the imagery is similar to that of a 2008 project passed through Privacy Commissioner Marie Shroff.

MOBILE PRIVACY—AUSTRALIA

Brisbane Council To Collect Bluetooth Data (September 6, 2012)

Brisbane City Hall has introduced a plan to collect data from Bluetooth-enabled devices that aims to give an accurate depiction of the city’s traffic flow, reports The Sydney Morning Herald. The privacy commissioner has not been consulted on the plan, the report states, but Deputy Mayor Adrian Schrinner says the system “does not pick up any personal, private information,” adding, “we can't identify individuals by their phone, but certainly each phone has a unique identifier.” However, a council spokesman has pointed out that the only way to opt out of the plan is to turn off Bluetooth functionality.

MOBILE PRIVACY—PHILIPPINES

Opinion: Act Was Needed for Telcos (September 6, 2012)

In the wake of President Benigno Aquino’s signing of the Data Privacy Act of 2012, Marichu Villanueva writes about privacy implications for mobile companies as part of an op-ed for The Philippine Star. Noting she is anticipating “how the telcos would comply with the Data Privacy Act of 2012,” she writes, “This new law puts in place measures to protect and preserve the integrity, security and confidentiality of personal data collected by government and private entities in their operations.”

DATA LOSS—HONG KONG

Confidential Data Found in Boxes Near Recycling Firm (September 4, 2012)

The Privacy Commission is investigating the disposal of confidential documents found in boxes near a recycling firm’s offices, The Standard reports. More than 80 boxes were found containing details on hospital patients, application forms for a TV service and receipts from a clothing chain including credit card and mobile phone numbers, the report states. A hospital and a retailer associated with the discarded documents said they had hired the recycling firm to shred the data. The Personal Data (Privacy) Ordinance requires “all practicable steps” be taken to protect personal information on individuals.