ANZ Dashboard Digest

Putting its regard for privacy compliance to the fore, the iappANZ Board has this week taken the decision to opt in to the obligations of the new privacy legislation. You will see our new privacy policy, and we welcome any comments as it has been a collaborative effort by some of Australia’s finest privacy minds. We understand that the privacy commissioner will be talking about ways to improve organisations’ privacy policies at the OAIC Privacy Awareness Week Breakfast, so if you are revising yours, it is an event not to be missed. In news this week you will also see that AMSRO has applied to register a non-mandatory code of practice.

Now that 12 March is over, we are starting to see less of the doomsday reports and more of the innovation which the OAIC encourages. We expect plenty of new ideas in Privacy Awareness Week in May. We are delighted to confirm that the deputy chair of the ACMA will be joining the ALRC and OAIC representatives in our Great Debate on Australia’s direction on serious invasion of privacy in the digital age.

The article by Brenda Aynsley OAM this week, “Sharing the Values to match the technology,” presents a fascinating counterpoint to the call by Tim Berners-Lee and the World Wide Web Consortium in their “Web We Want Campaign.” Aynsley examines the important distinction between “trusted” providers and “trustworthy” providers. Trustworthiness is critical because technology projects continue to have one of the highest rates of failure—failure to deliver on promises, on time, on budget—or all three. Risks such as those presented internationally by Heartbleed or the CDA security breach, which threatens the Personally Controlled Electronic Health Record, mean that the concept of trustworthy will become increasingly significant for privacy professionals who either develop or procure technology. Then, of course, as the story on the use of biometric facial recognition technology in Japan shows, trustworthiness in the party deploying the technology is vital. It will be interesting to hear from Tim Rains on trustworthy computing in Privacy Awareness Week. Hope to meet you there.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

SOCIAL NETWORKING—NEW ZEALAND

Police Using Tool To Speed Web-Scanning (December 20, 2012)

A tool trialed at the 2011 Rugby World Cup is now being used by police to scan social media for real-time information in order to prevent crimes and increase public safety, reports stuff.co.nz. Authorities say the software, Signal, scans only publicly-available postings and they are using it to search for keywords and hashtags in order to monitor large group activity. Signal will identify where messages are being sent from if Internet users have geolocation activated on their device. A privacy commission spokeswoman verified that the software appears to access only public information.

PRIVACY—NEW ZEALAND

Opinion: Society Needs Limits on Intrusions (December 20, 2012)

Auckland human rights lawyer Tim McBride writes for The New Zealand Herald about what privacy is and isn’t in the minds of New Zealanders. Through the years, surveys have shown New Zealanders “place a high value on their privacy,” he writes, adding, “To be a truly free and democratic society there must be respect for the autonomy of individuals, and limits on the activities of both state and private agencies which may intrude on that autonomy.” Citizens should be able to live their lives without unwanted surveillance, McBride says, but “Even the privacy protections and legal limitations on surveillance that do exist at present are being progressively undermined.”

PRIVACY LAW—EU & NEW ZEALAND

NZ Privacy Act Receives EU Adequacy (December 20, 2012)

The European Commission has announced that New Zealand’s Privacy Act meets adequacy standards set forth in EU data protection law. New Zealand Privacy Commissioner Marie Shroff welcomed the news, saying, “The European decision is a vote of confidence in our privacy law and regulatory arrangements. This decision establishes New Zealand, in the eyes of our trading partners, as a safe place to process personal data.” According to a New Zealand Office of the Privacy Commissioner (OPC) press release, the agency has spent years working toward adequacy. OPC Assistant Commissioner Blair Stewart said, “Europe and New Zealand share a common commitment to upholding human rights.”

ONLINE PRIVACY

Users, Lawmaker React to Instagram Policy Changes (December 19, 2012)

The Washington Post reports on reactions following Instagram’s announcement that it would change its terms of use to share images uploaded to the site without permission or compensation. Many users indicated fears they might see their images used in advertisements created by Instagram or Facebook, which bought Instagram earlier this year. An Instagram spokesman said in a blog post yesterday, “To be clear: it is not our intention to sell your photos. We are working on updated language in the terms to make sure this is clear.” U.S. Rep Ed Markey (D-MA) said, “A picture is worth a thousand words; posting one to Instagram should not cost you your privacy.” (Registration may be required to access this story.)

ONLINE PRIVACY

Scientist Develops “Identity Mixer” (December 18, 2012)

A lead scientist at IBM’s Zurich Research Center has developed an “Identity Mixer” aimed at facilitating e-mail and Internet shopping without excessive disclosure of personal information, International Business Times reports. “The idea is to authenticate only the minimally necessary information for authentication,” said IBM Fellow Jan Camenisch. “We want to deal with a digital society that requires electronic authentication.” The Identity Mixer issues “‘electronic tokens’ that verify user information contained in a third-party database,” the report states. The mixer has been piloted in Greece at the Research Academic Computer Technology Institute, and IBM hopes to employ it in the EU’s FutureID, introduced last month to protect personal data related to government-issued identity cards.

PRIVACY LAW

Delegates Reject Proposed Internet Treaty (December 14, 2012)

An alliance of Western countries including the U.S., UK and Canada has rejected a proposed treaty saying it would give repressive governments too much power over the Internet, CNET News reports. Representatives from the Netherlands, New Zealand, Denmark, Sweden, Poland and the Czech Republic also said they would not support the International Telecommunication Union (ITU) Treaty. Some representatives questioned whether the UN was the proper organization to oversee Internet-related issues, the report states, adding, “a key concern is that putting topics related to Internet speech and surveillance to a majority vote of ITU’s 192 member nations may not end well.”

DATA PROTECTION

Center Releases Accountability Tool (December 14, 2012)

As part of the Global Accountability Project, the Hunton & Williams Centre for Information Policy Leadership has released an accountability self-assessment tool, reports Hunton & Williams’ Privacy and Information Security Law Blog. “In collaboration with experts…we’ve outlined the key elements of a sound program to help organizations take the concrete steps necessary to be accountable,” said Marty Abrams, the centre’s president. As accountability plays a larger role in legislation, “The results of the survey may be useful in demonstrating to regulators and other interested constituencies the design of an organization’s privacy program,” added Paula Bruening, vice president of Global Policy at the Centre.

ONLINE PRIVACY

Company Launches Social Login Privacy Seal (December 14, 2012)

Adweek reports on the launch of a social privacy certification and seal that aims to reassure consumers logging into an application or website via a social login such as Facebook or Twitter that their data “will not be abused or compromised.” Following a survey in which nearly half of respondents said they would be more comfortable using a social login if a short message indicated what information the site was collecting, Gigya collaborated with the Future of Privacy Forum (FPF) to develop its SocialPrivacy Certification. FPF Director Jules Polonetsky, CIPP/US, will chair Gigya’s recently established Privacy and Safety Advisory Board.

BIOMETRICS—AUSTRALIA

Rules on Facial Scans Changed (December 13, 2012)

Biometric facial scans taken for passports, driver’s licences or nightclub entry can be stored in police databases under recent changes to the Privacy Act, the Herald Sun reports. Police will also have the ability to ask businesses to share patrons’ facial scans, though a spokeswoman for the Attorney-General’s Office said businesses would not be compelled to share the data under the act. “Information can only be shared with law enforcement agencies in strictly limited circumstances with increased privacy protections,” she said. Revisions to the Privacy Act classify biometric data as “sensitive data,” requiring law enforcement to apply special safeguards.

DATA PROTECTION—AUSTRALIA

Minister Aims To Open Data to Researchers (December 13, 2012)

A report in The Age discusses Labor Sen. Kim Carr’s plans to make government information available to researchers in the name of improving social services. Carr aims to share data stored in a database containing Centrelink payments, Medicare payments, pharmaceutical benefits payments, rehabilitation support and child support. Researcher Fiona Stanley has been given access to anonymised data from the Perth government for 35 years and says in all that time, “we have never once had a privacy breach.” Executive Director of the Australian Institute Richard Denniss recognises there are privacy concerns but says safeguards can prevent risks.

FINANCIAL PRIVACY—AUSTRALIA & NEW ZEALAND

Authority Issues Guide on Offshoring, Banks Keep Quiet on Sharing (December 13, 2012)

The Australian Prudential Regulation Authority has identified offshoring as a key weakness in banks’ data management policies, The Age reports. Offshoring sensitive data increases the risk of it being mismanaged, the authority says in a newly published draft guide. The national secretary of the Finance Sector Union said regulations should be created to require consumer consent for data to be transferred overseas. Meanwhile, New Zealand banks have denied a request to provide information about how often they give customer information to police. The New Zealand Herald reports that a legal loophole allows police to obtain banking information under a provision of the Privacy Act waiving confidentiality to aid “maintenance of the law.”

DATA PROTECTION—AUSTRALIA & UK

Hoax May Have Violated Law (December 13, 2012)

The Guardian reports a recent prank call to a UK hospital may have violated the Data Protection Act barring the obtaining or disclosure of personal records. The two Australian radio DJs who made a prank call to the hospital obtained personal data about a patient “without the consent of the data controller, which in this case is the King Edward VII hospital,” said one expert. Australian Federal Privacy Commissioner Timothy Pilgrim’s office has deferred to the Australian Communications and Media Authority. Green Sen. Scott Ludlam has urged a privacy tort, saying it would protect someone from having their medical information “improperly sought while they were in the hospital,” reports The Sydney Morning Herald.

DATA THEFT

Authorities Arrest 10 for Data Theft (December 13, 2012)

International authorities have arrested 10 individuals from around the world for allegedly operating a network of infected computers for the purpose of stealing personal data from millions of users, The New York Times reports. Law enforcement authorities were aided in their investigation by Facebook, the report states. The Butterfly botnet allegedly spread malicious software to compromise the security of PCs, allowing the suspects to acquire personal information, including credit card numbers. The U.S. Justice Department said variations of this type of malicious software have infected approximately 11 million computers and caused more than $850 million in damages, the report states. (Registration may be required to access this story.)

SOCIAL NETWORKING

Facebook Updates Privacy Settings (December 13, 2012)

Facebook has made changes to its privacy settings by giving users more control and clarity over what personal data is shared and by removing users’ ability to remain hidden from its main search tool, The Wall Street Journal reports. A new control, called Privacy Shortcuts, will allow people to alter who can see their posts and who can contact them through the site. Facebook Director of Product Samuel Lessin said, “We’re taking the most critical things and putting them in context across the whole site.” Electronic Privacy Information Center Executive Director Marc Rotenberg said, “Facebook’s decision not to allow people to hide themselves from search appears to violate the settlement” reached with the Federal Trade Commission earlier this year. (Registration may be required to access this story.)

ONLINE PRIVACY

Microsoft Standing By Do-Not-Track Default (December 13, 2012)

Despite criticism from online advertising firms, Microsoft says it will stand by its decision to make its Do-Not-Track (DNT) feature the default in its latest Internet Explorer browser. “We crossed the Rubicon and are completely comfortable being on the other side of the river,” said Microsoft General Counsel Brad Smith. “We have no intention of going back and have no intention of engaging in discussion on that possibility.” Some advertisers have said they will ignore the browser’s privacy signals. Smith said Microsoft is willing to talk with advertisers about tweaks to how it describes DNT to users and how the setting can be altered.

ONLINE PRIVACY

Initiatives Could Impact the Future of User Privacy (December 11, 2012)

An op-ed in The Economist discusses two initiatives that could affect Internet users’ expectations of privacy in years to come. The first is a U.S. Senate bill that would update the Electronic Communications Privacy Act of 1986. The bill would require law enforcement agencies to obtain a warrant to access e-mails that have been opened or are more than six months old; now, only a subpoena is required. “Bringing online privacy requirements into an age of cloud computing is only fit and proper, and long overdue,” the report states. The second is the International Telecommunications Union’s effort to rewrite its treaty for regulating telecommunications companies worldwide by defining the Internet as a form of telecommunication.

DATA PROTECTION—NEW ZEALAND

Shroff: Recent Report Indicates Need for Strong Leadership (December 6, 2012)

Privacy Commissioner Marie Shroff says a recent Deloitte report on the Ministry of Social Development (MSD) “makes it very clear that there is a need for strong leadership by senior management on the way client information is handled within MSD.” The report looked into the data breach at Work and Income’s public access kiosks. Shroff said it’s “not enough” for employees to keep privacy and security in mind; leadership must ensure various parts of the ministry are working together. Meanwhile, MSD plans to roll out new public kiosks in May.

DATA LOSS—NEW ZEALAND

Breach Reports Up This Year, Two More To Add (December 6, 2012)

Stuff.co.nz reports that self-reported data breaches have tripled this year and public complaints about breaches rose as well. The New Zealand Herald reports on another breach adding to the total: The Bay of Plenty District Health Board has fired an employee who inappropriately accessed 48 patients’ medical records. The board has apologised to patients for the breach, but one employee is questioning their decision to allow the worker to access her computer throughout the investigation. Meanwhile, the federal Corrections Department sent a man’s criminal records to the wrong recipient, prompting a Labour Party spokesman to say the department has an insufficient regard for privacy, the APNZ reports.

MOBILE PRIVACY

Advocates Say Recent Arrest Highlights Mobile Risks (December 6, 2012)

The Sydney Morning Herald reports on how a tech millionaire was found using location-based data and the ways such incidents concern privacy advocates. John McAfee was located in Guatemala after a photo of him—which contained embedded details about his specific longitudinal and latitudinal location—was posted to the web by journalists. A hacker was able to unveil the embedded details. Privacy experts say smartphone users frequently have no idea how easily their mobile data may be collected, shared or stolen. The rules governing mobile data are “few and often unclear,” the report states.

PRIVACY LAW—AUSTRALIA

OAIC Pushes for Breach Notification, Others Voice Concerns (December 5, 2012)

The Office of the Australian Information Commissioner and advocacy groups have submitted to the attorney general their support for mandatory data breach notification—a provision not included in last week’s amendments to Australia’s privacy law, reports CIO. Other groups, however, say that “notification fatigue” and the recent amendments to the law may mean a notification requirement is not the right course of action. “We suggest that the effectiveness and consequences (both intended and unintended) of those amendments should be experienced and properly considered before further amendments are made,” said a Law Council of Australia spokeswoman.

SOCIAL NETWORKING

U.S. Judge Approves Facebook Settlement, Policy Voting Open (December 4, 2012)

A U.S. judge has given preliminary approval of Facebook’s proposed settlement to a class-action lawsuit claiming the company violated privacy rights, Reuters reports. The judge says the settlement, Facebook’s second attempt, “falls within the range of possible approval as fair, reasonable and adequate.” Class members and others will have an opportunity to object to the settlement before it goes to final approval. A fairness hearing is scheduled for June 28, 2013. Meanwhile, the company has opened voting for its latest proposal to change user privacy settings. The vote is open until Monday, December 10, to all Facebook users and may determine whether its roughly one billion users will have the ability to vote on privacy changes going forward; the vote is only binding if 30 percent of users participate. The Electronic Frontier Foundation and the Center for Digital Democracy have written to Facebook CEO Mark Zuckerberg urging him to “withdraw the proposed changes” as they “raise privacy risks for users, may be contrary to law and violate your previous commitments to users about site governance.”

PRIVACY LAW

Conference on UN Internet Treaty Begins (December 3, 2012)

Regulators from 193 countries are in Dubai for the World Conference on International Telecommunications, and some say the discussions may threaten the future of the Internet, reports BBC News. EU Digital Agenda Commissioner Neelie Kroes tweeted, “The Internet works; it doesn’t need to be regulated by ITR treaty,” and Google representatives say the conference is a threat to the “open Internet.” But the report states that the UN International Telecommunications Union says action is needed to ensure investment in infrastructure and insists that, rather than a majority view, common ground is needed before any changes will be made to the treaty. Editor’s Note: For more on this topic, see “Privacy worries surround UN Internet regulations” from the September issue of The Privacy Advisor.

BEHAVIORAL TARGETING

Rosen: Why You Should Care About Profiling (December 3, 2012)

George Washington University Law Prof. Jeffrey Rosen writes for The New York Times, “As personalization becomes ubiquitous, the segmented profiles that advertisers, publishers and even presidential candidates use to define us may become more pervasive and significant than the identities we use to define ourselves.” Rosen creates two distinctive online identities for himself on different browsers, compares the ads he sees and—through data aggregator BlueKai, which sorts consumers into market segments—views their profiles. Rosen says such profiles lead to an uneven playing field for consumers but says “there is more at stake…the possibility of not only shared values but also a shared reality becomes more and more elusive.” (Registration may be required to access this story.)