ANZ Dashboard Digest

“All human beings have three lives: public, private and secret.” Gabriel Garcia Márquez: A Life

The Easter week witnessed the death of one of our greatest authors, Gabriel Garcia Marquez, and tomorrow we commemorate the ANZACs throughout Australia and New Zealand. This is also the second long weekend in a row meaning that, as most people have had 10 days holiday, some are likening us to the land of the Lotus eaters. And if you have been trying to work—it’s a bit like one hand clapping. I have found almost everyone I want to talk to is away. I think that includes a fair bit of media, as there is not much on our favourite topic this week. Just plenty of time for the Royals, which in itself has raised the question of private boundaries, as the Australian press took personal photos of the Royals with long-distance photo lenses. I really do have to wonder about the public interest versus privacy in this instance.

The Marquez quote is to me the essence of why privacy fascinates. The layers, the nuances and the importance for humanity to be able to live without detection is perfectly encapsulated by Marquez.

One of the articles below examines the blurry edges between the public and private lives. Omer Tene and Jules Polonetsky, CIPP/US, discuss the concept of what constitutes “creepy” behavior. The interesting aspect of this is that it changes with circumstance. Whilst it may annoy you when your airline e-mails you about hotel deals at your next destination if you are staying with your family, your reaction could be different if you were in need of accommodation. Reminds me of the story of a woman who was propositioned by a millionaire at a dinner party. Outraged, she asked, “What do you think I am?” To which he replied, “I will give you a million dollars if you spend the night with me.” She acquiesced. The millionaire replied, “Now that we have established what you are, let’s negotiate.”

Perhaps just one of the reasons we have privacy principles rather than laws is to countenance the fluidity of what privacy means to us all. Whatever that baseline is, protections and custodianship of our public, private and secret lives make being a privacy professional a joy.

Enjoy your Dawn Service, your Two Up and your ANZAC Day.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

PRIVACY LAW—AUSTRALIA

Changes Expected To Privacy Act Proposal (September 27, 2012)

The federal government is considering revising its overhaul of the Privacy Act following calls by House of Representatives and Senate committees for changes, The Australian reports. The government is “actively considering” the recommendations, said Attorney General Nicola Roxon. A number of advocates have voiced concerns that people will have difficulty understanding the new law. Meanwhile, Coalition senators say they will recommend softening the law’s provision on breach liability. Currently, the law would grant the privacy commissioner power to fine organisations up to $1.1 million. The coalition wants to limit that if organisations can demonstrate that they’ve taken “all reasonable steps” to prevent a breach.

PRIVACY LAW—AUSTRALIA

Data Retention Requirement Concerns Persist (September 27, 2012)

The Australian Federal Police says it supports requirements that telecoms store data for two years but would prefer the data be stored indefinitely, The Sydney Morning Herald reports. Telstra says the requirements will be too costly, and Vodafone has asked for clarification. The proposals put privacy and security “in the balance,” opines Philip Dorling for The Sydney Morning Herald, while ZDNet’s Josh Taylor predicts a slippery-slope effect.

PRIVACY LAW—NEW SOUTH WALES

ID Scanning Proposal Raises Privacy Concerns (September 27, 2012)

The Office of the Privacy Commission for New South Wales has said it was not consulted prior to the initiation of an identification data sharing proposal for nightclubs in the Kings Cross area, GovernmentNews.com.au reports. Premier Barry O’Farrell said that “linked ID scanners will be introduced to licensed premises” and that “this means if a person is ejected from one venue, they can be banned from all other licensed venues in the precinct that night.” Details of what kind of personal data would be collected, shared, stored or protected have not yet been revealed.

PRIVACY—NEW ZEALAND

OPC Newsletter Highlights Key Issues (September 27, 2012)

The most recent edition of the Office of the Privacy Commissioner's Private Word highlights several current issues in the privacy sphere. The lead story in the newsletter is an interview with Privacy Commissioner Marie Shroff on the recent ACC breaches. “Data breaches can happen easily--especially in today's digital environment. But, while the investigation showed that the ACC privacy breach was a genuine human error, it occurred due to systemic weaknesses within ACC's culture, systems and processes,” Shroff notes. The issue also includes reports on proposed credit reporting changes and credit code workshops as well as Privacy Forum highlights.

SURVEILLANCE—NEW SOUTH WALES

Name-and-Shame Campaign Incites Calls for Tougher Laws (September 27, 2012)

The owner of a pub who recently started a “name-and-shame” campaign by posting pictures of alleged thieves on the Internet says it will help police when it comes to time and resources, ABC News reports. But civil liberties groups say the campaign “undermines the justice process” and are calling for more relevant privacy laws. Cameron Murphy, president of the New South Wales Council of Civil Liberties, says what’s needed are “proper privacy laws; where we know what the boundaries are and we know what people’s rights are, we also know what their responsibilities are.”

ONLINE PRIVACY—AUSTRALIA

Users Learn How To Take Privacy Into Their Own Hands (September 27, 2012)

The Sydney Morning Herald reports on Melbourne’s first “Cryptoparty,” a movement that has since spread to Egypt, Germany, the UK and the U.S. At the event, approximately 60 people learned how to become anonymous online by encrypting their online activity. Event organiser Asher Wolf, who calls herself an “information activist,” says she wanted a party “where people learnt how to protect their right to privacy.” Participants were trained how to download a browser that hides users’ locations and prevents web tracking. Many of those in attendance were there because of concerns about current data retention proposals, Wolf said.

DATA PROTECTION—ASIA PACIFIC

Balancing Threat-Sharing with Privacy Protection (September 27, 2012)

At a recent conference, a former director of the U.S. National Security Agency said that sharing valuable threat information between public- and private-sector organisations helps combat cyberthreats, ZDNet reports. With the adoption of privacy and data protection laws in several Asia-Pacific nations, threat-sharing could contravene various privacy laws. One expert said organisations must strike a balance to prevent threat-sharing from breaching individuals’ privacy.

PRIVACY—SINGAPORE

Expert: Singapore Will Look To Countries with Mature Laws for Guidance (September 27, 2012)

ZDNet reports on Singapore’s forthcoming Data Protection Act. The country will look to jurisdictions with more “mature” data protection laws as it implements its own, said Ilias Chantzos of Symantec. Though early discussions included a provision on security breach notifications, no conclusions have been reached on the topic, the report states. Chantzos advises such discussions not be overplayed, noting that individuals will start to get “notification fatigue” if too many messages are sent from any one organisation.

DATA LOSS

Breach Affects 100,000 IEEE Members (September 27, 2012)

The user names and passwords of approximately 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) have been compromised in an apparent breach, Help Net Security reports. The affected data was stored on an FTP server in unencrypted form. The IEEE has as many as 400,000 members worldwide, many of whom are security professionals. The incident was discovered by Romanian researcher Radu Dragusin.

PRIVACY LAW—NEW ZEALAND

Commissioner Seeks Data Broker Enforcement Powers (September 26, 2012)

New Zealand’s privacy commissioner is seeking additional powers to monitor companies that collect and sell personal data, the Otago Daily Times reports. Assistant Privacy Commissioner Blair Stewart has said the current version of the Privacy Act clears the way for enforcement only after a complaint is filed, but many citizens do not know of the existence of data brokers. The privacy commissioner has supported a Law Commission recommendation to update the law, giving the commissioner powers to serve compliance notices on organizations. Stewart said, “People don’t tend to complain about certain practices, if the sort of practices go on in the background and they can’t see what’s happening.”

PERSONAL PRIVACY—AUSTRALIA

Privacy Commissioner: Citizens Concerned About Smart Meter Data (September 24, 2012)

Australian Privacy Commissioner Timothy Pilgrim has said smart meter technology could threaten people’s privacy, The Age reports. “We are starting to see people voicing concern about the level of data that these meters can collect,” Pilgrim said. Customers with smart meters must consent to having their data shared with various third parties, the report states. Pilgrim said companies have an obligation to delete or de-identify personal information that is no longer necessary. An Origin Energy spokesman said its online energy-usage portal is fully compliant with Australian privacy legislation and that the company keeps personal data for tax and compliance purposes.

DATA PROTECTION

Risk Report Finds “Sharp Increase” in Browser Exploits (September 21, 2012)

InfoSecurity reports that the results of the IBM X-Force 2012 Mid-Year Trend and Risk Report suggest “the landscape has seen a sharp increase in browser-related exploits…along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.” The report notes an upward trend in vulnerabilities. “We’ve seen an increase in the number of sophisticated and targeted attacks,” said IBM’s Clinton McFadden, adding, “As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data.” Editor's Note: The IAPP's recent web conference The Implications of Bring Your Own Device (BYOD) offers additional insights into the issues surrounding BYOD.

PRIVACY LAW—AUSTRALIA

House Passes Privacy Act Changes (September 20, 2012)

The House of Representatives has approved sweeping changes to the Privacy Act, following a parliamentary report recommending such action. Attorney General Nicola Roxon said the changes would “give power back to consumers over the way in which organisations used their personal information,” The Australian reports. The bill would increase the privacy commissioner’s powers, giving the office the ability to hand down civil penalties for privacy violations--up to $220,000 for individuals and $1.1 million for companies. The Standing Committee on Social Policy and Legal Affairs noted concern that the changes will cause confusion, the report states.

ONLINE PRIVACY—AUSTRALIA

Readers Respond with Privacy Concerns (September 20, 2012)

The Age asked readers about their privacy-related concerns, finding that 20 percent of 150 respondents are concerned about the proposed mandatory data retention period for telecommunications providers; 10 percent are concerned about the growing prevalence of closed-circuit television cameras, and others are concerned about breaches of sensitive information. One respondent said, “I am particularly concerned about the street surveillance cameras, Internet surveillance and road surveillance. I fear the young will not be able to make minor errors without them being held against them for life.”

FINANCIAL PRIVACY—NEW ZEALAND

Shroff Clarifies Changes to Privacy Code (September 20, 2012)

Privacy Commissioner Marie Shroff has reiterated that under proposed amendments to the privacy code, lenders must tell existing customers before sharing their “positive” credit information. Lenders may only share such information if given consent. “It’s crucial, in order to maintain customer trust, that borrowers are told of significant changes to the way their personal information is disclosed,” Shroff said. “Several major lenders have already signaled their intention to share positive information with credit reporters, but many other lenders are yet to make a clear move.”

DATA PROTECTION—AUSTRALIA

Study: Companies Should Be Liable for Data (September 20, 2012)

The Australian Consumer Data Survey 2012, conducted by iSeek Communications, found that consumers want companies to be held responsible for protecting their data. TechWorld reports that of the 1,009 respondents, 79 percent said companies should be liable for the data they hold while just 26 percent think companies are trustworthy enough to be responsible for their data. iSeek Communications Managing Director Jason Gomersall says the survey should be a “wakeup call” for Australian businesses, adding, “The days of being able to safely house your IT servers in a back room in your office are numbered, and the cloud’s multi-location storage model may soon not comply with Australian law for certain types of data.”

SURVEILLANCE—NEW ZEALAND

Shroff Calls for Debate on Drone Use, Regulation (September 20, 2012)

New Zealand Privacy Commissioner Marie Shroff is calling for a debate over the use and regulation of unmanned aerial vehicles, reports TVNZ. While recognising the benefits of drone use in emergency situations, “it’s their wider uses that potentially raise concerns,” Shroff said, adding, “Drones have the potential to be seriously intrusive.” Stephen Davies Howard, director of aerial imaging company Sycamore, agrees with looking into the possibility of regulating the industry. UAVs are already used by commercial entities, and police are expected to announce whether they will use them in about six months.

PRIVACY LAW—AUSTRALIA

Advocates: Australians Have Less Privacy (September 20, 2012)

Officials from two advocacy groups say that Australians’ privacy protections have eroded more than those of citizens of other countries in the post-9/11 world, The Sydney Morning Herald reports. “We’ve gone further than most other countries in relation to the scope of counter‑terrorism laws…partly because we have no federal charter of rights which would provide necessary criteria against which to judge the appropriateness of national security laws, whereas in the UK, Canada, the U.S. and every European country, they do,” said Liberty Victoria President Spencer Zifcak. An Australian Privacy Foundation official said the privacy commissioner is “buried inside” the information access office, creating “a potential conflict of interest.”

DATA PROTECTION—NEW ZEALAND

ACC Criticized for Policy Changes (September 20, 2012)

After making policy changes to “secure and protect client information,” Accident Compensation Corporation (ACC) has backed off those changes for sensitive claimants, reports The New Zealand Herald. ACC began requiring claimants to collect sensitive documents from ACC offices or have encrypted CDs delivered by courier but then said sensitive claimants could continue to receive copy files at home addresses with “special measures taken in the couriering,” said an ACC spokeswoman. This comes after multiple breach incidents at the organization, and one client says these latest changes are “another example of ACC being consistently inconsistent.”

MOBILE PRIVACY

App Tracking and the “Drip Erosion” of Privacy (September 20, 2012)

Privacy experts are calling attention to analytics firms that track app activity on mobile devices, noting, “Absolutely everyone is interested in that information.” The Sydney Morning Herald reports that these firms offer companies the ability to target demographics based on the apps the devices are using. Aldo Cortesi of MobileScope, a new web-based product which, according to the report, is “designed to monitor everything that flows from mobile devices through apps,” says the “drip erosion” of privacy is as dangerous as a data breach because “bits of information being aggregated and analysed” produce digital profiles that can be matched with online databases.

ONLINE PRIVACY—AUSTRALIA

Project Founder: Data Subjects Should Take Some Profit (September 18, 2012)

The founder of a large-scale data project says individuals should receive a portion of the profits companies generate by capturing their personal data, reports The Sydney Morning Herald. The Human Face of Big Data aims to create a digital snapshot of the human race, the report states, by using a smartphone app to ask 10 million people for personal details about their lives. “Big Data is a new asset class, and yet the ones creating it seem to have no say in the process,” founder Rick Smolan said. “Why is it everyone is making money off our browser history except us?”

SURVEILLANCE—AUSTRALIA

Commissioner Calls for Debate on Drones (September 13, 2012)

As police consider using drones to fight crime, the privacy commissioner has called for a public debate about potential implications, The Sydney Morning Herald reports. Privacy Commissioner Timothy Pilgrim has said he’s “particularly worried that this equipment can be easily purchased and used by individuals in their private capacity,” and such actions wouldn’t be covered by the Privacy Act. “For this reason and because of the potentially intrusive nature of this technology, I think that there needs to be public debate about the use of this technology and whether current regulations are sufficient to deal with any misuse,” Pilgrim said.

PRIVACY LAW—AUSTRALIA

Data Retention Proposals Raise Questions, Concerns (September 13, 2012)

The Age reports on concerns about the government’s data retention proposals. The Internet Industry Association has asked for more information on the current proposals, including what data must be collected and retained for two years, and experts have questioned the government’s transparency. Meanwhile, Chris Berg opines that the proposals would result in a “systematic invasion of our privacy.”

PERSONAL PRIVACY—AUSTRALIA

Retailers Track Shopper Movements To Maximize Sales (September 13, 2012)

The Sydney Morning Herald reports on an increasing trend among retailers to track their shoppers’ in-store movements. Using heat maps, retailers can increase sales by tracking the most popular areas of a store. The World Privacy Forum’s Pam Dixon says retailers can avoid privacy intrusions by allowing shoppers to opt out of such monitoring. “I think it’s incredibly important to offer consumers this choice about how the information they’re dropping like digital breadcrumbs gets picked up and used,” Dixon says.

DATA LOSS—NEW ZEALAND

Work and Income Apologises After Breach (September 13, 2012)

Work and Income has apologised for giving a client’s private details to another client and for its subsequent reaction to the incident, The Dominion Post reports. The breached information included contact details, a client number and weekly income. Work and Income advised the recipient of the information to destroy it herself, the report states. The incident follows a breach at the Accident Compensation Corporation (ACC), in which details on more than 6,000 clients were sent to the wrong recipient. Privacy Commissioner Marie Shroff said the ACC incident should serve as a reminder to agencies that it could “just as easily be them in the headlines.”

FINANCIAL PRIVACY—NEW ZEALAND

Individuals Unclear on Credit Data Sharing (September 13, 2012)

Stuff.co.nz reports on confusion over what credit information companies can gather about individuals under new privacy rules. A recent survey found that most individuals could not identify what credit information companies could collect. Four in 10 did not realise they had a credit score, and more than 30 percent believed a criminal record could be included in credit information. Privacy Commissioner Marie Shroff announced a change to the Credit Reporting Privacy Code, which became effective in April and allows credit agencies to acquire personal records from banks and lenders. Customers must be alerted prior to data collection, and the data may be stored for up to two years.

PRIVACY LAW—SINGAPORE

Personal Data Protection Bill Introduced to Parliament (September 13, 2012)

Following several rounds of public consultation, the government has introduced the Personal Data Protection Bill in Parliament, TODAYonline reports. The bill will “regulate the collection, use and disclosure of personal data by organisations, and individuals will have to be informed of the purposes for using personal data,” the report states. The bill will establish a Personal Data Protection Commission to enforce the law and includes a provision for a Do-Not-Call Registry, the report states. Penalties will include fines and jail terms. One expert said the law will prevent organisations from inappropriately buying and selling personal data and ensure legitimate data uses.

DATA RETENTION—AUSTRALIA

Roxon: Retention Plan Worth Considering (September 6, 2012)

Attorney-General Nicola Roxon recently indicated she may be open to a plan that would see telcos holding customers’ phone and Internet data for up to two years, noting that what’s important is “getting the balance right” between “providing proper protections for the community” and making sure “we’re not reaching too far into the private lives of Australians.” But privacy advocates and the Green Party say the plan puts consumers’ data at risk of misuse, and telcos say the plan will be costly. Meanwhile, Acting Victoria Privacy Commissioner Anthony Bendall says that while he does not support this plan, with the right safeguards in place he may support some form of data retention.

CLOUD COMPUTING—NEW ZEALAND

Shroff Voices Concern Over Move to the Cloud (September 6, 2012)

After confirmation from Internal Affairs Minister Chris Tremain that the New Zealand government plans to move to cloud computing, Privacy Commissioner Marie Shroff told The New Zealand Herald she is in discussions with the agencies considering the move, noting that putting data on the cloud is “not risk-free.” Shroff said agencies that put consumer data in the cloud remain responsible for it and asked, “what happens if there’s a data breach” or if the data is held outside of New Zealand. Tremain says the chosen providers are New Zealand-based, and the government is taking a conservative approach until it better understands the industry.

PRIVACY LAW—AUSTRALIA

Experts: Privacy Laws Need Review In Light of RPA Use (September 6, 2012)

Professors from the Queensland University of Technology say Australian privacy laws should be reviewed in advance of an increase in the use of remotely piloted aircraft (RPA), PHYSorg Science News Wire reports. Faculty of Law Prof. Des Butler says, "People's rights to privacy are currently protected by a piecemeal collection of diverse state and federal legislation and the common law," and Prof. Bill Lane agrees. According to the report, Lane called the privacy laws around RPA use very complex, adding that appropriate safeguards should be put in place in order to take advantage of the benefits of the technology.

DATA PROTECTION—NEW ZEALAND

ACC: New Breach, New Board Members (September 6, 2012)

The New Zealand Herald reports that the Accident Compensation Commission (ACC) sent a customer’s claim information, including details about her injury and compensation, to another customer. This reportedly happened shortly after ACC’s breach of 6,700 customer records, but the company took six weeks to inform the customer of the incident. In the wake of this larger breach, ACC Minister Judith Collins has filled vacated seats on the company’s board, causing one advocacy group spokeswoman to say Collins missed an opportunity. Those appointed “do not bring the perspective and knowledge that consumer groups and unions can bring to the table,” said Hazel Armstrong of ACC Futures Coalition.

ONLINE PRIVACY—NEW ZEALAND

Evans Expects Safeguards in 3-D Mapping (September 6, 2012)

Assistant Privacy Commissioner Katrine Evans says she expects the firm Terralink to put privacy protections in place as it creates a three-dimensional map of New Zealand, reports The Dominion Post. While “spatial data doesn't in itself necessarily create a major increase in privacy risk…the technology involves high-resolution imagery,” Evans said. She expects the company would blur or pixelate images to “de-identify people and vehicles.” Terralink Managing Director Mike Donald says the company is “capturing what anyone can see walking or driving down the street,” and he does not see any privacy issues with the plan. He adds that the imagery is similar to that of a 2008 project passed through Privacy Commissioner Marie Shroff.

MOBILE PRIVACY—AUSTRALIA

Brisbane Council To Collect Bluetooth Data (September 6, 2012)

Brisbane City Hall has introduced a plan to collect data from Bluetooth-enabled devices that aims to give an accurate depiction of the city’s traffic flow, reports The Sydney Morning Herald. The privacy commissioner has not been consulted on the plan, the report states, but Deputy Mayor Adrian Schrinner says the system “does not pick up any personal, private information,” adding, “we can't identify individuals by their phone, but certainly each phone has a unique identifier.” However, a council spokesman has pointed out that the only way to opt out of the plan is to turn off Bluetooth functionality.

MOBILE PRIVACY—PHILIPPINES

Opinion: Act Was Needed for Telcos (September 6, 2012)

In the wake of President Benigno Aquino’s signing of the Data Privacy Act of 2012, Marichu Villanueva writes about privacy implications for mobile companies as part of an op-ed for The Philippine Star. Noting she is anticipating “how the telcos would comply with the Data Privacy Act of 2012,” she writes, “This new law puts in place measures to protect and preserve the integrity, security and confidentiality of personal data collected by government and private entities in their operations.”

DATA LOSS—HONG KONG

Confidential Data Found in Boxes Near Recycling Firm (September 4, 2012)

The Privacy Commission is investigating the disposal of confidential documents found in boxes near a recycling firm’s offices, The Standard reports. More than 80 boxes were found containing details on hospital patients, application forms for a TV service and receipts from a clothing chain including credit card and mobile phone numbers, the report states. A hospital and a retailer associated with the discarded documents said they had hired the recycling firm to shred the data. The Personal Data (Privacy) Ordinance requires “all practicable steps” be taken to protect personal information on individuals.