ANZ Dashboard Digest

Putting its regard for privacy compliance to the fore, the iappANZ Board has this week taken the decision to opt in to the obligations of the new privacy legislation. You will see our new privacy policy, and we welcome any comments as it has been a collaborative effort by some of Australia’s finest privacy minds. We understand that the privacy commissioner will be talking about ways to improve organisations’ privacy policies at the OAIC Privacy Awareness Week Breakfast, so if you are revising yours, it is an event not to be missed. In news this week you will also see that AMSRO has also applied to register a non-mandatory code of practice.

Now that 12 March is over, we are starting to see less of the doomsday reports and more of the innovation which the OAIC encourages. We expect plenty of new ideas in Privacy Awareness Week in May. We are delighted to confirm that the deputy chair of the ACMA will be joining the ALRC and OAIC representatives in our Great Debate on Australia’s direction on serious invasion of privacy in the digital age.

The article by Brenda Aynsley OAM this week, “Sharing the Values to match the technology,” presents a fascinating counterpoint to the call by Tim Berners-Lee and the World Wide Web Consortium in their “Web We Want Campaign.” Aynsley examines the important distinction between “trusted” providers and “trustworthy” providers. Trustworthiness is critical because technology projects continue to have one of the highest rates of failure—failure to deliver on promises, on time, on budget—or all three. Risks such as those presented internationally by Heartbleed or the CDA security breach, which threatens the Personally Controlled Electronic Health Record, mean that the concept of trustworthy will become increasingly significant for privacy professionals that either develop or procure technology. Then, of course, as the story on the use of biometric facial recognition technology in Japan shows, trustworthiness in the party deploying the technology is vital. It will be interesting to hear from Tim Rains on trustworthy computing in Privacy Awareness Week. Hope to meet you there.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

DATA PROTECTION

A Look at Acxiom’s Privacy Team (April 30, 2013)

With growing consumer awareness and regulatory scrutiny of so-called “data brokers,” companies such as Acxiom rely heavily on their privacy teams for company-wide success. In this exclusive, Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, tells The Privacy Advisor about the work she and her team of “privacy consultants” perform within the company and the role they play in shaping and launching Acxiom’s new products and services.

ONLINE PRIVACY

Data Cache Delivers Predictive Analytics (April 30, 2013)

CNN reports on Google’s predictive search feature, Google Now, which uses the cache of data Google stores on individual users to target them with the information it deems most relevant to their needs at any given moment. The feature was rolled out for iPhones and iPads this week and is based on users’ search histories, location information and Gmail confirmations for flights, hotel bookings or restaurants, for example. “We’re providing answers before you’ve even asked the question,” said Google’s director of product development.

DATA THEFT

50 Million Passwords Hacked (April 29, 2013)

Cyberthieves have breached LivingSocial, accessing the passwords of more than 50 million users, PC Magazine reports. It is not yet known how the attackers breached the systems, but the passwords were salted and hashed, the report states. With the passwords, the hackers potentially had access to user names, e-mail addresses and birthdays; credit card and other financial data were not affected. LivingSocial CEO Tim O’Shaughnessy said the company is “redoubling efforts to prevent any issues in the future.”

PRIVACY LAW—AUSTRALIA

Privacy Week Sees Calls To Prepare for Changes (April 29, 2013)

At the launch of the Office of the Australian Information Commissioner’s (OAIC) Privacy Awareness Week, Privacy Commissioner Timothy Pilgrim and Australian Attorney-General Mark Dreyfus cautioned businesses to prepare for impending privacy reforms, ZDNet reports. "Now is the time to change existing systems and practices…The sooner these changes are embedded, the easier it will be to comply with the new measures in March 2014," Dreyfus said. The OAIC has released guidance to help covered entities better protect personal information. While not binding, Pilgrim said the guidelines send a “clear message about my expectations in this area.” A survey commissioned by McAfee found that 59 percent of employees responsible for managing customers’ personal information were unaware or unsure of the changes.

PERSONAL PRIVACY

Researcher: Internet of Things Is “Bit of a Wild West” (April 26, 2013)

The Globe and Mail reports on the growth of Internet-connected devices known as “the Internet of Things”—washing machines, overhead lights, smart scales and more that can all be controlled by owners’ mobile devices. The Organisation for Economic Co-operation and Development estimates the average household with two teenagers will own around 50 Internet-connected devices by 2022. “The vast majority of the future devices of this type don’t exist today,” says Stephen Prentice of Gartner. “If you can measure it, then someone is going to have a device to do that and someone will find a use for that data.” Prentice cautions that the regulatory environment isn’t keeping pace with technology, saying, “At the moment, it’s a case of buyer beware.” Editor’s Note: Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, recently wrote about the Internet of Things in a Privacy Perspectives blog post.

PRIVACY LAW—NEW ZEALAND

Justice Minister To Review Privacy Act Amendment (April 25, 2013)

Radio New Zealand reports that Justice Minister Judith Collins is considering a revision to the Privacy Act following the revelation that it barred a mother from discovering her child’s killer’s criminal record. Thirteen-year-old Jade Bayliss was killed in 2011 by Jeremy McLaughlin, her mother’s ex-boyfriend, and it was later discovered that in 1997 McLaughlin had been convicted of manslaughter in Australia. Following McLaughlin’s conviction last week, Collins said she was “getting advice on whether or not we need to amend the law” and stressed “safety must come first."

PERSONAL PRIVACY—AUSTRALIA

Google Glass Worries Privacy Commissioner (April 25, 2013)

Australian Privacy Commissioner Timothy Pilgrim is expressing concern about Google Glass, a new technology that gives wearers of the glasses a camera, video capability and an Internet connection, reports Australian Financial Review. Compliance with surveillance legislation and storage of personal information on Google servers are key concerns of privacy advocates, motivating Pilgrim to request a privacy briefing from Google. The company says Google Glass is still a “work in progress,” but Pilgrim remains concerned, stating, “along with benefits, these technologies also present a number of potential risks to privacy, especially when combined with other emerging technologies.”

DATA LOSS—AUSTRALIA

ACMA Gives ISP Formal Warning (April 25, 2013)

COMPUTERWORLD Australia reports that Internet service provider (ISP) AAPT has received a “formal warning” from the Australian Communications and Media Authority (ACMA) in the wake of a 2012 data breach. “According to ACMA, the ISP failed to protect the privacy of some of its small business customers’ personal information from unauthorised use or disclosure as required by the Telecommunications Consumer Protections Code,” the report states. ACMA Chairman Chris Chapman said the formal warning was to ensure consumers are confident that their information is “stored securely with appropriate access restrictions,” adding AAPT has improved its processes since the incident.

SURVEILLANCE—NEW ZEALAND

New Legislation Would Allow Spying, Prof. Says (April 25, 2013)

The New Zealand Herald reports on comments made by Otago University Prof. Hank Wolfe raising concerns that new legislation governing the secret service will allow the Government Communications Security Bureau (GCSB) to spy on citizens. The legislation “will inhibit free thought and association,” Wolfe said, “This has been demonstrated historically time and again.” Prime Minister John Key’s office released a paper saying “the basic premise that the GCSB not spy on New Zealanders would only apply to its ‘foreign intelligence activities.’”

PRIVACY LAW—HONG KONG

New Direct Marketing Restrictions (April 25, 2013)

On 1 April, the new Personal Data Privacy Amendment went into effect, restricting the activities of direct marketers, reports The Standard. After public outcry over the sale of 2 million users’ personal data by Octopus Holdings in 2010, the privacy commissioner enacted new, tougher regulations. “The new law criminalises companies that do not notify customers about using their personal data for direct marketing,” the report states. According to one expert, the new regulations will protect consumers and make them “feel more confident in allowing businesses to use their data.” Meanwhile, in a letter to the South China Morning Post, Secretary for Constitutional and Mainland Affairs Philomena Leung explains the changes made to the Personal Data Privacy Law.

PRIVACY LAW

Privacy Officers Discuss the Path from Policy to Practice (April 25, 2013)

The EU’s proposed data protection regulation and the numerous amendments that have been proposed mean significant questions, as was highlighted during the IAPP Europe Data Protection Intensive breakout session, “Paving the Way from Policy to Practice.” Moderated by LexisNexis Privacy and Data Protection Senior Director Emma Butler, the session featured privacy officers from Procter & Gamble, Siemens and Facebook outlining how they see the looming regulation affecting their operations and what they’re doing to prepare. This exclusive for The Privacy Advisor highlights their perspectives on “reading the tea leaves” of the thousands of pages of amendments still to be decided. Also at the intensive, Stephen Deadman, group privacy officer and head of legal for privacy, security and content standards at Vodafone Group, suggested that if privacy regulators and consumers want transparency and accountability from corporations, companies need more than a stick: They need a carrot, too.

CYBERSECURITY

Data Breach Studies Highlight Risks (April 23, 2013)

IDG News Service reports that Verizon will soon publish its 2013 Data Breach Investigations Report, which compiled information from over 47,000 security incidents and 621 confirmed data breaches. The study explored financially motivated criminal attacks as well as cyber espionage. Analysts noted that in “four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim’s network” and that mobile devices and cloud technologies were not major targets. Meanwhile, the British Department for Business, Innovation and Skills says small- and medium-sized businesses (SMBs) are increasingly the targets of cybersecurity attacks, and it will extend its Innovation Vouchers scheme to SMBs, allowing them to apply for funding to invest in cybersecurity.

DATA LOSS—AUSTRALIA

Council Inadvertently E-mails 10 years of Complaint Data (April 18, 2013)

Queenstown's district council regulatory organization has announced that it accidentally e-mailed to a local chef the details of every complaint it has received for the past 10 years, reports The New Zealand Herald. The e-mail was sent in response to a request for a complaint form and included the names and phone numbers of the complainants and the names of those they were complaining about, as well as the details of the complaint. The council has apologised and is reviewing its systems to prevent future mishaps. Meanwhile, a blogger has defied an injunction taken out by the Earthquake Commission to block unnamed parties from revealing thousands of claimant records it accidentally sent to an insurance advocate.

HEALTHCARE PRIVACY—AUSTRALIA

Staff Disciplined for Violating Patient Privacy (April 18, 2013)

The Auckland City Hospital has disciplined 33 staff members for violating a patient’s privacy. Stuff.co.nz reports that individuals were fired, given verbal warnings, written warnings and final written warnings after a six-month investigation revealed no legitimate reason for accessing patient files. The bulk of the privacy breaches involve looking at radiology images without a valid reason, but some extend to the distribution of the information to the public and media, the report states. Meanwhile, the West Coast District Health Board is investigating two staffers for inappropriately accessing a cricket player’s medical files. While the board initially expressed confidence that similar breaches had not happened in the past, it now acknowledges the possibility this is not an isolated incident.

SURVEILLANCE—NEW ZEALAND

Shroff Tells Citizens To Ask for GCSB Files (April 18, 2013)

Privacy Commissioner Marie Shroff is recommending that those who suspect they may be amongst the 88 people monitored by the Government Communications Security Bureau (GCSB) ask for their information from the agency. Stuff.co.nz reports that Shroff’s suggestion is the result of a report that the GCSB may have illegally monitored citizens at the request of the police and Security Intelligence Service. "If they (citizens) don't receive the information they've asked for, as they're entitled to under the Privacy Act, then they can complain to me and I can consider…the reasons that those files may have been withheld," Shroff said.

DATA PROTECTION—AUSTRALIA

Brankovic: Data Miners Have Responsibility To Protect (April 18, 2013)

University of Newcastle, New South Wales, Prof. Ljiljana Brankovic highlights the “big responsibility” that companies mining, analysing, trading and selling data have to protect that data. "Now we have laws coming in, and it's very hard to keep up," Brankovic says, referring to the 2012 Privacy Amendment Bill—which, starting in 2014, will require more accountability for data protection in the private sector. Brankovic points to specific ways to protect data, like restriction and adding noise, noting that regardless of the techniques used, the onus to protect the data lies with those who collect it.

BIG DATA—AUSTRALIA

The Pros and Cons of the Era of Data Analysis (April 18, 2013)

The Australian reports on the advent of the era of Big Data: “a world which is set to revolutionise the way governments provide services; a world which allows businesses to build intimate relationships with customers, but a world which will ignite an intense debate on the issue of citizen privacy.” The report offers examples of how large corporations use Big Data to increase profits and how governments use it to improve services and catch criminals. Chief Analytics Officer at SAS Australia Evan Stubbs notes, “increasingly everybody is going to have to reconsider how we manage privacy in a fundamentally digitised world,” adding, “the positives and negatives are sufficiently complex that there is no simple answer.”

BIG DATA—NEW ZEALAND

Opinion: Gov’t Database Will Provide Better Services (April 18, 2013)

A Stuff.co.nz column asserts the government’s plan to merge each agency’s data into one main database is less “Orwellian” than it may have seemed. What the government is considering, according to Tom Pullar-Strecker, is setting up a warehouse for anonymised data where it could then be analysed for insight on ways the government could better provide services. Deputy State Services Commissioner Ryan Orange said, "we could track something across a cohort of people and put dollar values against all the services that have been utilised.” Pullar-Strecker acknowledges the privacy concerns—even with anonymised data—but contends, “that risk seems mainly theoretical.”

ONLINE PRIVACY

The Intersection of Privacy and Hate Speech (April 18, 2013)

With recent tragedies in Boston and overseas, Future of Privacy Forum Founder and Co-Chair Christopher Wolf asks, “What motivates people to burn with hate to such a degree that they take innocent lives?” In this latest installment of the IAPP’s Privacy Perspectives blog, Wolf, who also serves on the board of the Anti-Defamation League, explores the intersection of online privacy and hate speech and whether privacy should sometimes “take a backseat” in order to curtail hate speech.

ONLINE PRIVACY—EU

If Google Cares About Cookie Consent, So Should You (April 17, 2013)

In light of news that Google has posted language about its cookie use on websites in the EU, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, writes, “This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon…the implications become huge” for several reasons.

MOBILE PRIVACY

Google Releases Glass App Developer Guidelines (April 17, 2013)

The New York Times reports that Google has released “extensive” guidelines for software developers aiming to build apps for the company’s wearable, Internet-connected glasses. According to the report, the guidelines are “much more restrictive” about Google Glass than has been the case with other products because of perceived consumer privacy concerns. Developers cannot sell ads, collect user data or share data with ad companies. A Forrester analyst said, “What we find is the more intimate the device, the more intrusive consumers perceive advertising is.” Google said to developers, “Be honest about the intention of your application, what you will do on the user’s behalf and get their explicit permission before you do it.” (Registration may be required to access this story.)

DATA PROTECTION—CHINA

Opinion: Guidelines Help, But Lack Enforcement (April 17, 2013)

China’s guidelines for personal information protection for public and commercial services “not only shed some much-needed light on the mainland’s data privacy regime, but also pave the way for more comprehensive regulation in the future.” That’s according to Scott Thiel of DLA Piper Hong Kong, who says in South China Morning Post that the guidelines are the mainland’s “first significant attempt at defining data privacy concepts for more general application,” but adds the application is limited in scope as it only applies to personal information stored in computer networks and only to the private sector. Additionally, the guidelines are not enforceable by law, but are instead a voluntary national standard.

PRIVACY COMMUNITY

A Tragedy We Can’t Ignore (April 16, 2013)

While there are privacy issues inherent in any national tragedy, this installment in the IAPP’s Privacy Perspectives is not about privacy per se, but about the recent tragedy marring the historic running of the Boston Marathon, how this event hit close to home here at the IAPP and our shared sadness for all those whose lives have been forever changed by this act of violence.

DATA LOSS

93 Percent Knowingly Breach Company Data Policies (April 16, 2013)

A recent breach affecting St. Louis-based Schnucks supermarket chain was exacerbated by the company’s inability to detect the source, COMPUTERWORLD reports. As a result, the number of credit and debit cards exposed continued to grow, capping at about 2.4 million. The company has hired a third party to investigate. Meanwhile, Global Payments, Inc., says it is closing its investigation of a March 2012 breach that exposed 1.5 million debit and credit cards. The breach cost the company $92.7 million in expenses. And Financial Times reports on a recent survey of 165,000 employees indicating nine out of 10 knowingly breach employers’ data policies.

BEHAVIORAL TARGETING

Product Stops Third-Party Tracking (April 16, 2013)

The New York Times reports on a California start-up’s product allowing individuals to view which companies are tracking them online. The browser extension, Disconnect, aims to help users safeguard browsing history. First-party trackers are still permitted to follow a user, but the data won’t be shared with third-party websites, and ads won’t be served based on such data. “We are stopping that flow of data as you bounce around the web,” said the company’s co-founder. “Third-party retargeters are not going to have information about you.” The filters are distinct from Do-Not-Track signals. (Registration may be required to access this story.)

MOBILE PRIVACY

Tech Firms Unveil Ad-Blocking Tools (April 15, 2013)

Two tech companies have started offering ad-blocking tools for mobile users, AdAge reports. Evidon is delivering the Ad Choices icon and the opt-out system for users, while TRUSTe has upgraded its real-time bidding system so that advertisers know prior to bidding that the user cannot be targeted for behavioral data, the report states. The moves come before the Digital Advertising Alliance (DAA) has published any mobile guidelines. DAA Counsel Stu Ingis said those guidelines could come “this spring—a few weeks to a couple of months.” TRUSTe’s Kevin Trilli said, “That is why we didn’t wait, and why we just started to build.”

PRIVACY

Getting More Privacy Pros Into HR (April 15, 2013)

In a recent column in The Globe and Mail, an employee poses a question to human resource experts about her company’s changing internal policy on criminal background checks and her discomfort with those changes. This IAPP Privacy Perspectives blog post explores how a privacy pro or department could both assuage employee concerns and help roll out difficult, but often necessary, company policies.

ONLINE PRIVACY

The Right To Be Remembered? (April 12, 2013)

Google announced yesterday on its Public Policy Blog a new service it’s calling Inactive Account Manager. What it essentially allows is for customers to designate “trusted contacts” to receive their Google data in the event of their death or inability to access their Google products. It also, however, allows users to decide to have their information deleted automatically following a specified period—three, six, nine or 12 months—of inactivity. Kashmir Hill notes in Forbes that some have already taken to calling the service “Google Death Manager” and wonders how you’ll use it.

BIG DATA—NEW ZEALAND

Government Plans Centralized Database for Citizens’ Info (April 11, 2013)

Radio New Zealand is reporting that the government is strongly considering a plan to centralise citizens’ information into one hub, making the information accessible across agencies and private-sector organisations. Deputy State Services Commissioner Ryan Orange says “health, justice, welfare and education authorities have to work together in order to get better outcomes for people,” adding, “Big Data work is not interested in specific individuals and services, and names will be removed and birthdates and geographical details altered.” The Treasury also maintains that only those with the proper authorisation would be allowed to access the hub.

DATA PROTECTION—NEW ZEALAND

Commish: More Can Be Done To Prevent Breaches (April 11, 2013)

Speaking before Parliament's Social Services Select Committee, Privacy Commissioner Marie Shroff said more can be done to prevent privacy breaches such as the highly-publicised incidents last year at the ACC. While no system is perfect, she indicated processes “could be improved to reduce the likelihood of people making mistakes,” Stuff.co.nz reports. Shroff noted, “I have to take a measured approach within my resources and capabilities and assess which of those breaches will require more action... I do think we've reached a point where something needs to be looked at.”

DATA LOSS—NEW ZEALAND

Novopay May Face Financial Penalties (April 11, 2013)

A recent privacy breach by payroll system Novopay has resulted in an apology issued by the Ministry of Education, reports the Otago Daily Times. A Talent2 staff member mistakenly e-mailed information covering 5,600 transactions to payroll administrators at 1,600 schools. While the contract with Talent2 requires they meet the requirements of the privacy law, according to Secretary of Education Peter Hughes, “They have failed to meet those requirements, and there are a range of things we can do under the contract, including financial penalties.” Meanwhile, a breach involving a letter sent to the wrong e-mail address has also been reported at the Ministry of Education.

DATA LOSS—NEW ZEALAND

Council Breach Announced; EQC Files Injunction (April 11, 2013)

The Medical Council accidentally e-mailed a spreadsheet containing the names, addresses and payment information of 2,900 doctors last year, reports Radio New Zealand. The Medical Council says it was “upfront” about the breach, notifying the Offices of the Privacy Commissioner and Minister of Health as well as issuing a formal apology two weeks after the incident. In a separate ongoing breach incident, the Earthquake Commission has taken out a court injunction to block the insurance advocate it accidentally sent thousands of claimants' records to from using the data.

SURVEILLANCE—HONG KONG

PCPD Expresses Concern Over MTR Surveillance (April 11, 2013)

The Office of the Privacy Commissioner for Personal Data (PCPD) is following up on its Guidance Note of 2010 advising operators of closed-circuit television (CCTV) surveillance practices with its inspection of MTR Corporation, reports The Standard. In its report, the PCPD made a number of recommendations, and stated, “MTR Corporation should improve the content and location of…CCTV notices as well as enforcement of MTRC’s policy on the handling and erasure of the CCTV records and footages.”

PRIVACY

Art Exhibit Puts Spotlight on Online Privacy and Surveillance (April 11, 2013)

Stuff.co.nz reports how an art exhibit at the Parsons New School for Design in New York City entitled the “Public Private” is showcasing what happens when technology, privacy and art collide. The exhibit contains pieces such as photos from unsuspecting people’s social media profiles that were obtained through a software glitch and life-size cutouts of individuals captured through Google’s Street View. The show’s curator maintains that the exhibit is not meant to be a comment on social media and privacy but is intended to make visitors think about the lines that do or do not exist between the two.

ONLINE PRIVACY

Mozilla Readies Cookie Blocker, Announces “Nuanced” DNT (April 11, 2013)

In a preview version of its Firefox 22 web browser, Mozilla has included an automatic third-party cookie blocker, putting the company “on a collision course with the online ad industry,” COMPUTERWORLD reports. Some trade groups say the new feature, called Aurora, is “dangerous and highly disturbing” and warn that users will experience more ads as a result. Stanford University graduate student Jonathan Mayer, creator of the code, tweeted, “The new Firefox cookie policy has migrated to Aurora!” Firefox 22 is expected to fully release in late June. Meanwhile, Firefox has announced its “more nuanced approach” to implementing its Do-Not-Track setting and efforts to provide additional user choice.

ONLINE PRIVACY

Privacy Focus Remains in Microsoft’s Ad Campaign (April 11, 2013)

The third phase of Microsoft’s marketing campaign targeting Google’s privacy practices suggests Google is “more interested in increasing profits and power than protecting people’s privacy and providing unbiased search results,” The Boston Globe reports. The story suggests the ads, which one observer calls typical of an industry underdog, “say as much about the dramatic shift in the technology industry’s competitive landscape as they do about the animosity between the two rivals.” The new "Scroogled" ads, which began this week, criticize Google for sharing personal information gathered about purchasers of apps “designed to run on smartphones and tablet computers powered by Google’s Android software,” the report states.

BEHAVIORAL TARGETING

EBay To Open Data to Marketers (April 10, 2013)

EBay will now allow advertisers to target consumers based on what that consumer has bought, similar to Amazon. The company has used such data to promote products to users, but it will now commercialize “that capability for the benefit of other marketers who want to reach shoppers,” said an eBay spokesman. “That’s something new this year.” But AdWeek reports eBay knows it risks alarming consumers and has protections in place so advertisers don't have direct access to personal information. Customers rightly “expect eBay not to tell anybody else who they are,” said a company spokesman.

DATA PROTECTION

Exploring High-Level Talks and Risks for Privacy Officers (April 10, 2013)

In this recent IAPP Privacy Perspectives blog post, Profs. Deirdre Mulligan and Kenneth Bamberger discuss their research in which they interviewed hundreds of leading privacy officers, regulators and privacy pros. They explore “a caution raised by privacy officers in both the public and private sector regarding particular risks created by attempts to ensure that privacy is part of high-level deliberations within a corporation—risks that must be managed in developing policy.” Editor’s Note: Bamberger will be a speaker at the breakout session Debunking Myths of European and U.S. Privacy: New Data on Corporate Privacy Management at the IAPP Data Protection Intensive in London, UK.

PRIVACY LAW—HONG KONG

PCPD Condemns s for Deceitful Practices (April 9, 2013)

The Office of Privacy Commissioner for Personal Data (PCPD) has found that an insurance broker and a body-check service obtained personal information through deceitful means for direct marketing purposes, reports The Standard. After receiving complaints from consumers, the PCPD investigated the companies and found that Hong Kong Preventive Association Limited had collected personal data from about 360,000 people under false pretenses, which it then sold to Aegon Direct for direct marketing. Privacy Commissioner Allan Chiang Yam-wang said while he hoped Octopus’s contraventions would serve as a “wake-up call…in many recent investigation cases, including this one, it was found that the data users still fell short of meeting customer expectations and compliance with the requirements of the ordinance."

DATA LOSS—AUSTRALIA

Company To Launch Data Breach Insurance (April 9, 2013)

Australian Financial Review reports insurer Beazley Group plans to roll out data breach insurance in Australia at the end of this year. “There is certainly growing interest in this sector,” said Beazley Chief Executive Andrew Horton, noting data breach notification laws could get tougher. He added that data breaches happen in forms other than cyber threats, including when data is simply lost when a business moves from one location to another. The company launched the product in the U.S. five years ago and in the UK earlier this year.

BIOMETRICS

Baidu Can Do Wearable Facial Recognition, Too (April 5, 2013)

It’s been hard to miss reports of Google Glass, the headset computer that has led to privacy concerns surrounding facial recognition and otherwise. Reuters now reports that Chinese search giant Baidu has a similar wearable product in the pipeline, known internally as Baidu Eye. The device, which is still just a prototype, reportedly leverages the company’s strengths in image and facial recognition, allowing for voice searches, along with an ability to bounce images and faces off a central database for potential matches.

MOBILE PRIVACY

Facebook Feature Maps User Moves (April 5, 2013)

Forbes reports on Facebook’s latest mobile release, a “digital skin that you will slide your phone into” which will turn the phone into a “slideshow version of the Facebook news feed.” The feature, called “Home,” means Facebook may be able to consistently collect users’ location information—an attractive situation for advertisers, the report states. GigaOM’s Om Malik noted the privacy issues involved, including that Facebook may be able to deduce a user’s home address by monitoring where the phone most often idles. Facebook says the feature will have the same privacy policy as the rest of the site.

DATA LOSS—NEW ZEALAND

Official, MP React to EQC, Immigration Breaches (April 4, 2013)

Prime Minister John Key called privacy breaches “inevitable” following recent Earthquake Commission (EQC) incidents, reports The New Zealand Herald. Key called the breaches the “result of human error, not systemic failure,” saying the EQC had been “under huge pressure” to respond to a large number of claims. An audit is underway to ensure “systems to protect privacy are appropriate and robust.” Meanwhile, Immigration NZ mistakenly revealed the e-mail addresses of more than 200 people, prompting MP Darien Fenton to comment, “If the government can’t even get the basics right like protecting the personal e-mail addresses of Immigration NZ clients and stakeholders, how can the public have confidence that their privacy is being protected?” Meanwhile, the Ministry for the Environment has apologised for sending 150 people each other’s private e-mail addresses.

INFORMATION ACCESS—QUEENSLAND

Open Data Plan Raises Concerns (April 4, 2013)

Queensland Premier Campbell Newman has unveiled the “Queensland Globe,” expected to better inform taxpayers and provide business opportunities. But the computer program’s reliance on multiple government data sets and plans for the release of previously classified information have raised privacy concerns. Newman says, however, that protecting the public’s privacy is paramount. “No private information will be released. We’ll be working with the privacy commissioner to ensure that the use of multiple data sources doesn’t inadvertently pinpoint one individual,” he says, adding “information is indeed the new currency,” and open data can help businesses gain the information they need to develop commercial applications.

DATA PROTECTION—NEW ZEALAND

Opinion: Agencies Must Do More (April 4, 2013)

In a column for Scoop, Clare Curran calls for New Zealand’s government agencies to “develop strong leadership and a culture of respect for privacy, as well as day-to-day policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation.” Citing Privacy Commissioner Marie Shroff’s comments last week about the public’s trust being eroded by government agency privacy breaches, Curran says that requiring agencies to disclose data breaches would put New Zealand in line with other nations’ privacy practices.

ONLINE PRIVACY—HONG KONG

Privacy Chief: Keep Proof of Opt-Out Request (April 4, 2013)

The Office of the Privacy Commissioner for Personal Data is implementing new regulations over direct marketing, including a provision for legal assistance and the requirement of notification and consent to use consumers’ personal data. Violating the new law is a criminal offense subject to large fines and up to five years’ imprisonment. Privacy Commissioner Allan Chiang Yam-wang is urging consumers to keep records of their opt-out requests, South China Morning Post reports, as proof of an opt-out request will be required for noncompliance complaints against companies going forward.

ONLINE PRIVACY

Euro Task Force Initiates Google Enforcement Measures (April 3, 2013)

A taskforce of data protection agencies has begun follow-up measures against Google, alleging the company failed to fix flaws in a new privacy policy, The Washington Post reports. The taskforce is led by France’s data protection authority, the CNIL, and includes authorities from the UK, Germany, Italy, Spain and The Netherlands. The CNIL says it has notified Google of the inspection’s initiation, which follows a March 19 meeting between the company and the regulators that ended in deadlock. “The authorities’ goal is not to fine Google,” said a CNIL spokeswoman. “The goal is for Google to be in line with what we demand.” Meanwhile, the company’s forthcoming “Google Glass” is raising privacy concerns in the U.S. (Registration may be required to access this story.)

DATA PROTECTION

Thinking Accountability? Here’s One Suggestion (April 3, 2013)

“Over the past 10 years, the components of an accountable privacy program have evolved through a combination of privacy professional best practices,” scholarship and regulatory action, writes Intel Global Privacy Officer David Hoffman, CIPP/US, in the latest IAPP Privacy Perspectives blog post. With a waning notice-and-consent model still in the marketplace, Hoffman suggests that consumer education is a major component toward the accountability model. “There is no better network poised to navigate privacy cultures and raise the collective consciousness of privacy than privacy professionals,” Hoffman writes, providing a number of suggestions for privacy pros.

ONLINE PRIVACY

Google Privacy Chief Stepping Down (April 2, 2013)

Google’s first director of privacy plans to retire, Forbes reports. Alma Whitten, named director of privacy in 2010 following controversy over Google’s Street View and Buzz services, was tasked with overseeing product development at the company to guard against future privacy mishaps. She led the privacy team that saw the merging of Google’s 70-plus privacy policies into one. Whitten will be replaced by Google engineer Lawrence You, who will now take over a privacy team consisting of several hundred individuals.

DATA RETENTION—AUSTRALIA

Report: Law Would Put Small ISPs at Disadvantage (April 2, 2013)

The Australian reports on the impact of proposed data retention legislation on small Internet service providers (ISPs). While the comments had not been made public previously, the government was cautioned a year ago by a Department of Broadband Communications and the Digital Economy adviser that small ISPs “faced the heaviest financial burden under data retention laws being sought by law enforcement bodies,” the report states. The proposed legislation is the subject of an inquiry by the Joint Parliamentary Committee on Intelligence and Security. Law enforcement officials have said they are not attempting to extend their powers, but advocates caution the laws are “too intrusive on privacy of innocent civilians,” the report states. (Registration may be required to access this story.)

PRIVACY

Insights from the Field: Women in Privacy (April 2, 2013)

In this exclusive for The Privacy Advisor, trailblazers including Sandra Hughes, Jennifer Barrett Glasgow, CIPP/US, and Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, discuss the proliferation of women in the field of privacy and their thoughts on reasons behind it. Glasgow opines, for example, that the profession requires skills more common in women than in men. Editor’s Note: For a closer look at the work of privacy professionals in the field today—both men and women—access the IAPP’s 2013 Privacy Professionals Role, Function and Salary Survey in the Resource Center.

ONLINE PRIVACY

Why Consumer Privacy Decisions Aren’t Always Rational (April 1, 2013)

The New York Times profiles the work of Carnegie Mellon behavioral economist Alessandro Acquisti. Acquisti’s research “has shown that despite how much we say we value our privacy—and we do, again and again—we tend to act inconsistently,” the report states. Policy-makers, his research has proposed, should learn more about how consumers actually behave because, as consumers, “we don’t always act in our own best interest”—suggesting that user control can sometimes be an illusion. Samford University Prof. Woodrow Hartzog said, “His work has gone a long way in trying to help us figure out how irrational we are in privacy-related decisions,” adding, “We have too much confidence in our ability to make decisions.” (Registration may be required to access this story.)