ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

ONLINE PRIVACY

Deep Packet Inspection Standards Raise Concerns (November 30, 2012)

The United Nations’ International Telecommunications Union has approved a deep packet inspection (DPI) standard that is raising privacy and security concerns, IDG News Service reports. The Center for Democracy & Technology’s (CDT) website says the standard—known as the “Requirements for Deep Packet Inspection in Next Generation Networks,” or “Y.2770”—“could give governments and companies the ability to sift through all of an Internet user’s traffic—including e-mails, banking transactions and voice calls—without adequate privacy safeguards.” CDT Chief Computer Scientist Alissa Cooper said, “There is a general lack of attention to design considerations we think are important to Internet users, namely privacy and security. Obviously DPI has the potential to be an extremely invasive technology.”
Full Story

CONSUMER PRIVACY—NEW ZEALAND

Shroff Releases Credit Agencies’ Reports (November 29, 2012)

The New Zealand Herald reports Privacy Commissioner Marie Shroff has made public reports submitted by three credit reporting agencies. They were submitted in accordance with the new Credit Reporting Privacy Code, requiring companies that collect credit and personal information and sell it to third parties to submit reports within three months of the end of the financial year, the report states. Shroff released the reports in an effort to hold credit reporting agencies responsible and says the reports did not indicate any compliance problems. “Each credit reporter shows how the vast amounts of credit information they accumulate on New Zealanders is accurate, secure, lawfully obtained and matched correctly,” Shroff said.
Full Story

DATA LOSS—NEW ZEALAND

Gov’t Staff Fired, Resign Over Breaches (November 29, 2012)

Stuff.co.nz reports that breaches at Immigration New Zealand have resulted in 10 staff members losing their jobs in the past three years; six resigned, four were dismissed and eight were given final warnings. Immigration Minister Nathan Guy said the increase in the number of breaches is due to the fact that staff have become more aware of their duty to report breaches. Inland Revenue, the Accident Compensation Corporation and Work and Income have all reported privacy breaches in recent times. Immigration New Zealand is now under the Business, Innovation and Employment Ministry, which is reviewing its policy on privacy breaches, the report states.
Full Story

DATA PROTECTION—SINGAPORE

Opinion: Telcos Can Monetise Data and Comply with Laws (November 29, 2012)

Telecommunications carriers in Asia can be sure they comply with customer privacy laws while still monetising mobile data by working closely with vendors to establish parameters and permissions when it comes to subscriber data, according to ZDNet. Louis Brun, founder of a mobile data management company, says that data privacy “does not have to clash with the aim for telcos to find new ways to monetise their subscriber data.” Singapore’s new Personal Data Protection Act becomes official in January.
Full Story

DATA PROTECTION—HONG KONG

Company Has Yet To Respond to Commissioner’s Ask (November 29, 2012)

The Standard reports Google has yet to respond to a request to make its Android operating system more secure. Privacy Commissioner Allan Chiang Yam-wang one month ago asked the company to allow users to choose what of their personal data is shared with apps during downloads, the report states. “The potential risk of smartphones can be huge,” Chiang said. “Lack of privacy awareness leading to unintended disclosure of personal data means somebody else, strangers in some cases, will be getting data of your very private life.”
Full Story

PRIVACY LAW—AUSTRALIA

Privacy Commissioner Granted Additional Powers (November 29, 2012)

The Australian Parliament has passed the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, COMPUTERWORLD reports. The law, slated to go into effect in March 2014, will give the nation’s privacy commissioner new powers, including the ability to pursue civil penalties in serious privacy breach incidents. The commissioner will also be granted the right to conduct privacy assessments for both public and private organizations in Australia. Privacy Commissioner Timothy Pilgrim said, “While I will continue to work with agencies and businesses to help them comply with privacy laws, I will not shy away from using these powers in appropriate cases.”

ONLINE PRIVACY

New W3C Mediator Looks To Salvage DNT Process (November 29, 2012)

The New York Times reports on the “acrimonious discussions” within the World Wide Web Consortium’s (W3C) effort to work out a global Do-Not-Track standard and the difficult task facing newly appointed W3C Co-Chair Peter Swire, CIPP/US. “People can choose not to have telemarketers call them during dinner. The simple idea is that users should have a choice over how their Internet browsing works as well,” Swire said, adding, “The overarching theme is how to give users choice about their Internet experience while also funding a useful Internet.” (Registration may be required to access this story.)
Full Story

DATA PROTECTION—NEW ZEALAND

Shroff: Gov’t Agencies Must Improve (November 28, 2012)

Privacy Commissioner Marie Shroff says government agencies must improve their privacy practices if they want to regain public trust, Stuff.co.nz reports. That warning is based on the commissioner’s annual report, which indicates public concern about companies’ use of personal information. The commissioner’s office received a record-high 1,142 complaints in the measured year, which ended June 30. Shroff said breaches at the Accident Compensation Corporation and Social Development Ministry indicate a need for government agencies—the subject of the majority of consumer complaints—to take privacy more seriously. “The tech revolution has crept up on them,” Shroff said.
Full Story

PRIVACY LAW—SINGAPORE

Opinion: PDPA Leaves Open Privacy Loopholes (November 28, 2012)

The newly inked Personal Data Protection Act (PDPA) may have “a few holes, and the pace of change in technology could mean it is already out of date,” opines Richard Hartung in TODAYonline. The PDPA mandates that organizations acquire users’ consent prior to data collection and processing, but Hartung notes “organizations may engage reams of lawyers to ensure their documents provide the consent from consumers that the law requires.” According to the bill, data can only be used for purposes that “a reasonable person would consider appropriate,” which leaves a “diverse” set of “interpretations of what is ‘reasonable,’” writes Hartung.
Full Story

PRIVACY LAW—SINGAPORE

Should Data Protection Act Cover Public Entities? (November 27, 2012)

A ZDNet report examines whether Singapore’s forthcoming Personal Data Protection Act (PDPA) should be expanded to cover public agencies in addition to the private sector, making the legislation more “transparent, robust and comprehensive.” The act comes into force in January and includes a do-not-call registry and the creation of a new enforcement agency to regulate private-sector use of personal data. Elle Todd, of the law firm Olswang, said the law does not include government agencies because of an existing regime, which, in some instances, contains rules stricter than that of the PDPA. She added, however, that it may make sense to integrate the laws to have one general act.
Full Story

PRIVACY LAW—AUSTRALIA & NEW ZEALAND

Commissioners Call for Increased Powers (November 26, 2012)

Privacy Commissioners in Australia and New Zealand are seeking increased powers to combat data breaches and other privacy concerns, COMPUTERWORLD reports. At the iappANZ Privacy Summit last week, New Zealand Privacy Commissioner Marie Shroff said regulators must be responsive to privacy incidents and if breaches continue, “people will lose trust.” At the same event, Australian Privacy Commissioner Timothy Pilgrim reported his office received 1,357 privacy complaints in the 2011-2012 fiscal year, adding privacy concerns “remain at the forefront of people’s minds.” Australian Prime Minister Julia Gillard announced the government will conduct an inquiry into “institutional responses to child sex abuse claims” related to the protection of personal information, which New South Wales Privacy Commissioner Elizabeth Coombs says will test the balance between open information and data protection.
Full Story

CLOUD COMPUTING—AUSTRALIA

Expert: Privacy Law Will Make Cloud Attractive (November 20, 2012)

While one Australian executive touts the benefits of bringing Australian skills and expertise overseas to pair with Asian data-centre infrastructure, U.S. hosting companies Rackspace and Amazon have announced they will create data-centre infrastructure in Australia, reports The Australian. Fujitsu’s Craig Baty says Australia’s new privacy principles will be a key element of the nation’s cloud proposition. “We are getting to the stage where we are going to have world-class regulation and privacy laws, and we have world-class data centres and cloud solutions and world-class people. Why can't we build an industry based on it?” Baty says. (Registration may be required to access this story.)
Full Story

BIOMETRICS—AUSTRALIA

Bank To Employ Voice-Biometric Verification (November 20, 2012)

National Australia Bank (NAB) early next year plans to roll out a voice-biometric security software to speed up the user verification process, reports The Australian. Privacy advocates have voiced concerns over the possibility of fraudulent access, but NAB says the system would be more secure than fingerprint verification. NAB Head of Voice Services Andrew Davis said, “Each person has unique physical attributes that determine the sound of their voice, and we use these to create the biometric print.” Users of the system will also have the ability to add a “liveliness test” where the caller must repeat a random phrase, adding another layer of verification. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Group Working on Privacy Policy Iconography (November 20, 2012)

A group of lawyers, coders and industry representatives have begun an experiment to make privacy policies “more palatable” to online users, The New York Times reports. The goal is to comb through the privacy policies of 1,000 websites and assign corresponding icons to educate users on how a website uses, shares and retains personal information. Mozilla Chief Privacy Officer Alex Fowler, whose firm is housing the experiment, said, “We are in a model now where no one reads privacy policies…Does icon-ifying them make it of interest to the user? We have a ways to go.” (Registration may be required to access this story.)
Full Story

GEO PRIVACY—AUSTRALIA

Expert: Maybe We Need A “Do-Not-Follow” List (November 16, 2012)

SBS World News reports on one privacy expert’s call for a “do-not-follow list” as location-based technologies proliferate. Mapping applications have made it possible to see 75 percent of the Earth in high-resolution images, and future technologies will use smartphone features to enable views inside of parked cars, skyscrapers, airports and shopping centers. Privacy technologies researcher Suelette Dreyfus says because laws can’t keep pace with technology, the government should take the public’s pulse. “Maybe we now need a ‘do-not-follow’ list,” Dreyfus says, where data logged is anonymous.
Full Story

SURVEILLANCE—VICTORIA

Pedestrian Monitoring Project Moves Forward (November 15, 2012)

“Melbourne is quickly becoming Australia’s smart city,” reports The Australian Financial Review. The city’s pedestrian-monitoring project uses sensors and cameras to track pedestrians and vehicles, and while privacy groups are voicing concerns over the surveillance, Melbourne Chief Information Officer Colin Fairweather says it’s an important tool to help plan the city’s future.
Full Story

PRIVACY LAW—HONG KONG

Ordinance’s Amendments Roll Out in Phases (November 15, 2012)

Patrick Peng of Edwards Wildman Palmer, LLC, reports on amendments to Hong Kong’s data privacy regime. The Personal Data (Privacy) (Amendment) Ordinance came into force in July, but the amendments will be introduced in three phases. From 1 October, rules on outsourcing personal data processing, disclosure of personal data without data user consent and a strengthening of the privacy commissioner’s enforcement powers take effect. Phase two brings rules on direct marketing, while phase three will see the implementation of rules on legal assistance to “aggrieved individuals.”
Full Story

PRIVACY

DPAs Discuss Self-Regulation, Cross-Border Rules (November 15, 2012)

Hogan Lovells’ Christopher Wolf reports for The Privacy Advisor on the recent gathering of privacy authorities and professionals at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay. While Article 29 Working Party Chair Jacob Kohnstamm announced that future conferences will consist of private meetings between data protection authorities unless the conference’s host country decides otherwise, Wolf says the conference’s public sessions are very useful, including the “informal interactions in the hallways and at meals among the public and official participants.” The conference saw discussions about APEC’s Cross-Border Privacy Rules, self-regulation versus formal regulations and the proposed EU Data Protection Regulation, among other topics.
Full Story

ONLINE PRIVACY

Government Requests for Online Data Increase (November 14, 2012)

Google has released its sixth Transparency Report since 2009 outlining requests from government agencies and others to access data and remove content. BBC News reports that in the first six months of 2012, governments across the globe have made almost 21,000 requests to access data held by Google. The U.S. government made the most requests, totaling 7,969, with Turkey leading the requests for content removal at 501 requests. "This is the sixth time we've released this data, and one trend has become clear: Government surveillance is on the rise," Google said in a blog post. "Our hope is that over time, more data will bolster public debate about how we can best keep the Internet free and open."
Full Story

BEHAVIORAL TARGETING

Study Examines Marketing and Privacy (November 14, 2012)

The Edelman Privacy Risk Index, produced with The Ponemon Institute, has found that 60 percent of 6,400 marketing executives from 20 countries believe “their companies don't consider privacy a priority, and more than half don't believe that a data breach would adversely affect their corporate reputations,” Direct Marketing News reports. Edelman found, however, that “eight in 10 consumers would leave banking institutions that accessed their personal information without permission,” the report states. Larry Ponemon, CIPP/US, suggests that while most direct marketers do respect privacy, marketers should identify their customers who are most concerned about privacy “and make it very easy for them to opt in or out of communications.”
Full Story

PRIVACY LAW—AUSTRALIA

Proposed Laws Face Delays for Revisions (November 8, 2012)

The Australian reports on potential delays in new privacy laws. A spokeswoman for the Attorney-General says the government is “actively considering” changes to a bill that could see companies facing fines of up to $1.1 million for privacy breaches. "In particular, a number of recommendations would give additional power and rights to consumers,” the spokeswoman said. “For example, allowing corrections to be made to an individual's credit report if their financial difficulty occurred as a result of natural disasters, fraud or mail theft.” The Office of the Privacy Commissioner has been a proponent of the bill. (Registration may be required to access this story.)
Full Story

PRIVACY—NEW SOUTH WALES

Office Releases Annual Report (November 8, 2012)

The Information and Privacy Commission (IPC) has released its annual report. The report discusses the office’s focus in the 2011-2012 year toward reviewing and promoting legislation as well as forming the IPC into a “one-stop shop.” In 2011, the office saw the introduction of Elizabeth Coombs as the new privacy commissioner. Coombs’ position is unique in that it is horizontal to that of Information Commissioner Deirdre O’Donnell, in order to address privacy and access to government information issues that overlap. The office has also established an Information and Privacy Advisory Committee, which will provide advice to the commissioners on “the implications of new technologies, records management and information governance practices,” the report states.
Full Story

DATA LOSS—NEW ZEALAND

Bennett Says WINZ Performance Was “Atrocious” (November 8, 2012)

Social Development Minister Paula Bennett has said she’s embarrassed by the “atrocious” performance of Work and Income staff who ignored warnings that customers using public computer kiosks were at risk for privacy breaches, The New Zealand Herald reports. Bennett said a recently released Deloitte report into the breaches—which states security was not adequately considered in the kiosks’ design—indicates a major failure by the ministry and illustrates the right processes were not in place. She added that senior staff were not informed of the breaches, which she called “incredulous.” In total, 1,432 individuals were affected.
Full Story

BIG DATA—AUSTRALIA

Big Banks Use Brokers To Glean Fuller View of Clients (November 8, 2012)

Australian Financial Review reports on big banks’ use of Big Data to get a fuller picture of their clients. “We see transactions that tell us very clearly what’s happening in the customer’s life,” said National Australia Bank’s (NAB) head of analytics and research operations. An NAB subsidiary will launch a website this month to unveil consumer spending habits using one billion transactions by NAB customers over a four-year span. “Some banks are really going to push the boundaries of what customers expect from the bank,” one expert said.
Full Story

DATA LOSS—AUSTRALIA

Breach Victim: Reports Will Help Corporation Overcome Problems (November 8, 2012)

A campaigner for the Accident Compensation Corporation (ACC) says recent reports on the corporation’s breach will help it overcome problems, Otago Daily Times reports. Dr. Denise Powell says some claimants felt they were not receiving the same privacy rights as other citizens, adding, recent reports into the breach “were likely to have far-reaching implications,” the report states. Powell was one of those affected by the ACC list of 6,275 individuals mistakenly e-mailed to an Auckland resident. An ACC spokeswoman said the ACC has begun making progress on recommendations for improvement issued in the reports.
Full Story

BEHAVIORAL TARGETING—SINGAPORE

Telcom To Study Customer Demographics (November 8, 2012)

Asia One reports on the information that telecommunications companies collect on their subscribers. StarHub has announced it will work with data analysis firms in order to conduct targeted marketing. StarHub says any shared data is anonymous; names, ID numbers, phone numbers and home addresses are not included. It added its customer data security and use comply with regulations.
Full Story

ONLINE PRIVACY

Google Releases Chrome with Improved Privacy Controls (November 8, 2012)

Google has updated its browser to Chrome 23, which includes easier access to privacy controls such as the ability to delete cookies and block sites from tracking users online, reports Webmonkey. “The new drop-down menu also has options to control a website’s permissions for features like geolocation, pop-ups, plugins, fullscreen mode, camera/microphone access and more,” the report states. While these features have been available on past versions of Chrome, the interface has been moved from three levels deep to a drop-down menu next to the URL. Chrome is the last browser to provide support for Do Not Track, and like many others, it is activated on an opt-in basis, the report states.
Full Story

DATA LOSS—AUSTRALIA

Restaurant Reports Website Hack (November 7, 2012)

Pizza Hut Australia has confirmed a layer of its website has been hacked, Gizmodo reports. The company’s general manager says it has notified the Office of the Australian Privacy Commissioner and is working with its website provider to conduct an investigation. Despite hackers’ claims in a message to Pizza Hut that they took 240,000 Australian customers’ credit cards, the company says “absolutely no credit card information was stolen and there is no need for concern regarding credit cards.” The report states that, per PCI-DSS rules, credit card numbers were sent to a third party to process and store transactions.
Full Story

SOCIAL NETWORKING

Facebook Releases Privacy Tool for New Users (November 5, 2012)

The Washington Post reports on Facebook’s rollout of a tool for new users. The tool, which is in part a result of talks with the Irish data protection authority (DPA) following its audits of the company, “gives users specific instructions on Facebook’s default settings, sharing permissions, policies on data access, rules about apps, games and third-party websites, advertisements, photo tags and the way the site finds friends and connections for new users,” the report states. Facebook Chief Privacy Officer Erin Egan said in a statement that the company is committed to helping users understand their online sharing options and thanked the Irish DPA for its work. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—NEW ZEALAND

Commissioner Looking Into Police Plate Tracking (November 1, 2012)

The Office of the Privacy Commissioner is working with police to determine whether a program that automatically photographs numberplates and checks them against a list of “vehicles of interest” contravenes privacy laws, reports Stuff.co.nz. Police have been testing automatic plate recognition for two years, and changes have been made to better protect privacy, but Assistant Privacy Commissioner Katrine Evans says she’s in discussions with police about appropriate uses of the information, if any. "Key things…are to make sure it's correctly targeted and effective, that people are told what's going on wherever possible and that data relating to irrelevant vehicles is wiped very quickly," Evans said.
Full Story

DATA LOSS—NEW ZEALAND

IRD, ACC and Prison Records Exposed (November 1, 2012)

Otago Daily Times reports that the Inland Revenue Department (IRD) has experienced 32 breaches involving the personal information of 6,300 people over the past year and notified 638 of those affected. While Revenue Minister Peter Dunne opined "32 breaches out of 25 million is a pretty small number, but one breach is too many," Deloitte Dunedin tax partner Peter Truman said the IRD needs to “do what they can to make sure there are no breaches” because “taxpayers may become less willing to deal openly with the IRD as they otherwise might do.” Meanwhile, Accident Compensation Corporation sent criminal records of a client to the wrong person, and a prisoner in a South Otago prison posted personal details of 52 fellow inmates on Facebook.
Full Story

INFORMATION ACCESS—NEW ZEALAND

Jeffries Wants Amendment to Privacy Act (November 1, 2012)

Former Justice Minister Bill Jeffries is seeking a change to the Privacy Act that would allow lawyers to protect the sources of their information similar to the allowance made for the media, reports Stuff.co.nz. A district court this week upheld Jeffries’ right to withhold source information based on his "reasonable excuse" argument that he understood “at the time he received the information the law would not make him betray his source,” the report states.
Full Story

PRIVACY—AUSTRALIA

Opinion: “Privacy?...That’s a Good One…” (November 1, 2012)

Red Symons writes for The Sydney Morning Herald about the prevalence of public figures getting in trouble for telling off-color jokes, noting, “these people need to realise that not everything is funny to everybody and there is no privacy.” Symons goes on to say, “You're living in the last millennium if you think that anything short of whispering in the shadows is private. The stable doors are open; the horse has bolted, gone to the knackery and now feeds the rose garden of social media with the blood and bone of the unwary.”
Full Story

CONSUMER PRIVACY—HONG KONG

PCPD: Complaints About Direct Marketing on the Rise (November 1, 2012)

The Office of the Privacy Commissioner for Personal Data (PCPD) has announced a “big upsurge in the number of complaints about direct marketing and the unauthorised transfer of data." South China Morning Post reports the office received 1,507 complaints between April 2011 and March 2012, almost double the amount filed four years ago, and the office is “under pressure to do more with less.” Next year’s changes to the privacy ordinance that require companies to notify consumers of data-handling practices will likely mean an increase in the PCPD’s workload, the report states.
Full Story

ONLINE PRIVACY—AUSTRALIA

Experts: Consumer Education Is Key to Data Protection (November 1, 2012)

Matthew Hall talks to experts about how consumer data is the “ever-evolving online privacy conflict of interest” for The Sydney Morning Herald. One media chief says he sees data as the future of his industry but also feels a responsibility “to ensure that people are well-informed about what types of data and what types of trace they are leaving.” Siobhan MacDermott, chief policy officer for anti-virus software company AVG, says consumers should bear the responsibility for protecting their data. “Government might not have your best interests at heart. Should it be a company?...We don't think companies should have that responsibility, either,” she says, adding, “Consumers should be educated.”
Full Story

MOBILE PRIVACY

Study: Free Apps Present More Privacy Risks (November 1, 2012)

A new study reveals that free mobile apps are more likely to cause privacy and data security risks to users than paid apps, the San Jose Business Journal reports. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401 percent more likely to track location and 314 percent more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with who and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.”
Full Story