ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

PRIVACY LAW

CA Signs Do-Not-Track Disclosure Law, Plus Other Legal News (September 30, 2013)
In this week’s Privacy Tracker legislative roundup, read about California’s continued push toward privacy protections including Gov. Jerry Brown signing into law an amendment to the California Online Privacy Protection Act that requires websites to disclose in privacy policies how they react to Do-Not-Track signals, the passing of the “eraser law” and movement on a bill that would extend the employee social media law to public agencies. Meanwhile, a Minnesota court has determined the state is not responsible for an employee’s alleged inappropriate accessing of driver’s license records, and the Fourth U.S. Circuit Court of Appeals has ruled in favor of a former Virginia deputy sheriff saying his Facebook “Like” is protected by the First Amendment. Plus, read about legislative activity in the EU, Singapore, Australia and South Africa. (IAPP member login required.)

SURVEILLANCE

Spying Leads to Calls for “Privacy Havens” (September 30, 2013)

The Wall Street Journal reports today on new data privacy trends inspired by Edward Snowden’s NSA revelations, including a new “Email Made in Germany” service created by three of Germany’s largest Internet service providers. "We can say that we protect the e-mail inbox according to German law," says Jorg Fries-Lammers, a spokesman for one of the German companies, 1&1 Internet AG. "It's definitely a unique selling point." Facebook COO Sheryl Sandberg pronounced herself “nervous” about these kinds of developments. "It means fragmenting the Internet and putting the economic and social opportunities it creates at risk." President of Brazil H. E. Dilma Rousseff even went so far as to call for “the establishment of a civilian multilateral framework for the governance and use of the Internet and to ensure the effective protection of data that travels through the web” in a speech before the United Nations. The NSA news is leading to tech innovation as well. John McAfee announced this week he is developing personal gadgetry that will protect the user from NSA spying. (Registration may be required to access this story.)

ONLINE PRIVACY

PGP Creator Warns About E-mail Privacy (September 30, 2013)

Creator of the e-mail encryption software PGP, Phil Zimmermann, has told The Guardian that users of consumer e-mail services should be aware of the threat of exposing their metadata. Zimmermann says his opinions on privacy have changed drastically in the more than 20 years since he invented PGP, noting “more recently … everyone has become aware that metadata is becoming increasingly important—that the message headers mean a lot.” These risks prompted him to develop a new feature for his Silent Phone app that encrypts conversations earlier in the call process, but the report states, in spite of PGP flaws “becoming clearer with time,” he maintains that PGP is holding up just fine.

PRIVACY LAW—SINGAPORE

New Data Protection Guidelines Issued (September 27, 2013)

Singapore’s Personal Data Protection Commission has issued new data protection guidelines for businesses operating in the country, Out-Law.com reports. Failure by consumers to opt out can signal consent to process data in certain circumstances, according to the new 18-page guidance note. The guidelines have been published to complement the Personal Data Protection Act—introduced in January and which goes into effect next July. One technology law expert said, “With the issuance of these advisory guidelines, the whistle has blown for organizations to kick off their compliance programs if they have not done so.”

PRIVACY REGULATION

Frameworks Emerging Around the World, But Is Enforcement? (September 27, 2013)

AdAge reports on privacy frameworks in regions around the globe—particularly in Latin America and India. Nations including Chile and Brazil are currently exploring new data protection rules, similar to that of the EU, which consider privacy as a human right. India is also grappling with emerging privacy issues, even though culturally, “Your expectation of privacy is nil,” one expert said, adding, “The Indian outsourcing industry needs to instill a sense of confidence … in how it respects U.S. and EU data.” VP of Privacy Certified at the Entertainment Software Rating Board Dana Fraser said when navigating global privacy rules, “We have to figure out what’s the highest bar we have to uphold … It can actually impact your rollout dates for an app.” Several privacy experts agreed, however, that enforcement is a hurdle outside the U.S. “I think it is true that the U.S. enforces more than anyone else,” Covington & Burling’s Matthew DelNero said.

DATA LOSS—AUSTRALIA

Health Department Denies Breach (September 26, 2013)

The Australian Department of Health has responded to claims of a data breach saying even if it did mistakenly send login details to someone, the information is useless on its own, reports ZDNet. A man who hasn’t come forward to the department told ABC News he was sent a “private login password” leading to questions about whether it was using plain text passwords to protect patient data. While the department can’t determine whether the breach actually occurred, a spokesperson has said, “The code is used once in combination with other information, and then the person sets their own password. The code cannot be used without the additional information or used more than once.”

PRIVACY LAW—AUSTRALIA

New APP Guidelines Released for Comment (September 26, 2013)

The second stage of Australian Privacy Principle (APP) guidelines has been released for public comment, ComputerWorld reports. APPs one through five were published in August, and this next set addresses “new requirements for agencies in how they use or disclose personal information, undertake direct marketing activities and send data off-shore,” according to Privacy Commissioner Timothy Pilgrim. Noting specific concerns related to APP 8, Pilgrim said, “These new requirements provide a compelling business case for organisations to protect their business when planning to send personal information overseas.” The Office of the Australian Information Commissioner will accept submissions until 21 October.

PRIVACY LAW—NEW ZEALAND

Tech Firm Criticising Gov’t for Ignoring Privacy (September 26, 2013)

New Zealand’s new so-called spy bill fails to address privacy concerns, according to big tech firms like Google and Microsoft. International Business Times reports that Google claims the current bill is “unable to balance between the legitimate concerns of the authorities” and its users’ security. The bill will define how Internet service providers and telecoms allow the Government Communications Security Bureau (GCSB) and other such agencies to monitor communications, and some say it may contravene laws of the U.S. and other countries. The Commerce Committee responded saying service providers will have to take “reasonable steps” to assist agencies, but Kim Dotcom says the bill could mean companies like his would have to unencrypt user data, which may not be possible.

SURVEILLANCE—AUSTRALIA

Electronic Frontiers Australia Signs Principles Against Spying (September 26, 2013)

Electronic Frontiers Australia (EFA) has joined organisations around the world as a signatory of 13 privacy principles to protect citizens’ privacy and human rights when it comes to Internet spying and surveillance, Computerworld reports. The principles, which outline a framework for governments to assess whether national surveillance laws align with human rights, have been endorsed by 270 signatories, the report states. “For the last dozen years, we have witnessed the systematic erosion of civil liberties in the name of national security. It’s time to reassess the balance to ensure that we haven’t dismantled that which we seek to protect,” EFA Chair David Cake said.

DATA LOSS—NEW ZEALAND

Opinion: High-Profile Breaches Bring Warnings for All (September 26, 2013)

In the past 18 months, New Zealand has seen breaches at the ACC, EQC and West Coast and South Canterbury District Health Boards. In light of these events, Mark Hargreaves and Belinda Sidnam clear up some possible misconceptions in this Lexology report. Highlighting that “Privacy is not just a public sector issue” and it’s not just about “sensitive” information, the authors outline some key provisions of the Privacy Act, how to comply with it and what happens when you don’t.

DATA GOVERNANCE

Is Your Biz Viewing Privacy Through the Right Lens? (September 26, 2013)

For many consumers and businesses, privacy and data protection remain a top concern, “But are business leaders looking at the glass half empty?” asks PricewaterhouseCoopers Data Protection and Privacy Manager Rafae Bhatti, CIPP/US. “By considering only what privacy safeguards can prevent—customer loss, brand damage, fines and litigation—they are missing a big opportunity,” he writes. In this post for Privacy Perspectives, Bhatti provides some suggestions on what companies can do to “find the right balance between protecting data and enabling its use in new ways.” Editor’s Note: PwC’s Aaron Weller, CIPP/US, CIPP/IT, will speak in the breakout session “How To Get the C-Suite on Board (and Make Them Think It Was Their Idea)” at next week’s IAPP Privacy Academy in Seattle, WA.

PRIVACY

Survey: Orgs Lacking Comprehensive Privacy Programs (September 26, 2013)

A new survey by Gartner has found the “perceived level of maturity attached to organizations’ privacy activities has decreased since 2011,” CIOL reports. While 43 percent of organizations have a comprehensive privacy management program in place, more than a third of organizations “still ‘consider privacy aspects in an ad hoc fashion,’” the survey found. And while 90 percent of organizations do have at least one person responsible for privacy, only 66 percent have a defined privacy officer role.

BIG DATA

“Master Profiles” Will Connect Online, Offline Data (September 24, 2013)
Financial Times reports that Acxiom has launched a new system designed to combine consumers’ offline and online activities, which then processes the collected data using algorithms. The data is then made available to marketers for behavioral targeting and personalized ads on mobile, the web and eventually television, the report states. Acxiom Chief Technology Officer Phil Mui said, “We are making big marketing data truly actionable.” The new system is a significant shift for targeted advertising as the system—which features a new identifier to match user profiles—allows marketers to track users across devices into one profile instead of multiple profiles based on a given device. Editor’s Note: Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, will speak in the breakout session Taming Big Data at next week’s IAPP Privacy Academy in Seattle, WA. (Registration may be required to access this story.)

BIG DATA

The Misconceptions of Defining Data Brokers (September 24, 2013)

“The marketing industry has come under fire recently for its use of consumer data to provide ads and offers,” writes Epsilon Privacy Manager Nicole Tachibana, CIPP/US, adding, “There are a number of misconceptions at the heart of the issue.” She notes that Federal Trade Commissioner Julie Brill has said that data brokers are using user profiles to “determine the rates we pay (and) even what jobs we get.” In this Privacy Perspectives post, Tachibana writes, “However, the reality is that marketing data brokers use information for marketing purposes only,” and she parses out misperceived definitions of what marketing data brokers do with consumer data.

MOBILE PRIVACY—AUSTRALIA

Commissioner To Release Mobile Guidelines (September 24, 2013)

Australian Privacy Commissioner Timothy Pilgrim plans to release new mobile privacy guidelines for app developers next week, and according to IT News Australia, the guidelines will focus on third-party data sharing. Pilgrim has been consulting with industry and advocacy groups since draft guidelines were released last April. Pilgrim noted that app developers can expect more scrutiny of app industry privacy practices from regulators and the marketplace itself, the report states. The new guidelines are expected to be released next Monday.

PRIVACY

On What Rock and Privacy Might Have In Common (September 23, 2013)

Near the end of the 1960s, rocker Jim Morrison and The Doors recorded a blues jam called “Rock is Dead.” The phrase, however, isn’t particular to the music world, as it’s a phrase often spoken when discussing privacy, “especially in light of what some are calling the ‘Summer of Snowden,’ which has brought on a new chorus of reports, blogs and posts exclaiming the death knell of privacy,” writes Jedidiah Bracy, CIPP/US, CIPP/E. Though our world is rapidly changing in many ways, some things stay the same, highlighted in part by a Newsweek cover story from 1970 asking if privacy is dead. This Privacy Perspectives post explores that article and excavates many of the similar arguments and concerns that still resonate today.

BEHAVIORAL TARGETING

Industry Reacts to Google Cookie Alternative (September 20, 2013)

The Wall Street Journal reports on the ad industry’s reaction to an unofficial proposal by Google to replace cookies with an anonymous identifier (AdID) system. Advertising executives, ad technology firms and analysts say that changing how consumers are tracked online would significantly affect the $120 billion industry. Interactive Advertising Bureau President Randall Rothenberg said, “This would be anticompetitive and potentially negatively impact all other online publishers.” Financial Times has published a Q&A to explore the proposed cookie alternative, and AdAge has posted a video with some industry reaction. Independent researcher Ashkan Soltani has posted a blog answering some questions on the AdID proposal. (Registration may be required to access this story.)

BIOMETRICS

Facedeals To Use Facial Recognition for Targeted On-Site Advertising (September 20, 2013)

In an interview with MarketingLand, Facedeals CEO Dave McMullen says his company will soon be offering an opt-in service where consumers can select preferences ahead of time and then be offered deals via a text to their phones when cameras at establishments recognize their faces. In addressing privacy concerns, McMullen says the “double opt-in” service—the downloading of the app and then the process of registering—“ensures no one is signed up without their permission.” Further, he said privacy is already being infringed upon by every phone noting your location, camera recording your likeness and credit card transaction tracking your purchases. Why shouldn’t the consumer get something out of the deal?

SURVEILLANCE

Group Wants Countries To Disclose Data Requests (September 20, 2013)

Privacy advocates, human rights groups and tech companies are asking 21 countries to release information on their surveillance requests, The Hill reports. The Global Network Initiative includes such companies as Facebook, Google and Microsoft and said in letters to the members of the Freedom Online Coalition—a group of 21 countries working together to advance Internet freedom—that governments should release the data and allow the tech companies asked to respond to such requests to do the same.

HEALTHCARE PRIVACY—AUSTRALIA

eHealth System Called “Shambolic” (September 19, 2013)

The Australian reports the country’s “billion-dollar e-health system is in danger of becoming an expensive white elephant with doctors refusing to use it.” One key government adviser quit last month, calling the system “shambolic,” the report states, and the medical software industry is saying the National E-Health Transition Authority “lacks the skills” to do its job, cautioning “patient safety could be at risk.” Meanwhile, the Department of Health is endeavoring to “allay concerns over the alleged leak of confidential eHealth login details, stating that even if it had mistakenly sent login details to the wrong person, they are useless without further details” after an Adelaide man mistakenly received someone else’s confidential eHealth login information.

PRIVACY LAW—AUSTRALIA

Commissioner Discusses Complaint Assessment Delays (September 19, 2013)

The Sydney Morning Herald reports Privacy Commissioner Timothy Pilgrim “has blamed the federal government for long delays in assessing breach-of-privacy and freedom-of-information complaints.” Privacy complaints are taking 19 weeks longer than the expected four-week period, the report states. Currently, the Office of the Australian Information Commissioner (OAIC) “is allocating privacy complaints received in April and freedom-of-information complaints and reviews from February,” the report states. Pilgrim cited increased complaints and lack of staff as reasons for the delay. “The OAIC…undertakes a triage process and if an urgent matter is identified, then it will be expedited to a case officer,” Pilgrim noted.

HEALTHCARE PRIVACY—NEW ZEALAND

Insurer Settles Over Privacy Violation (September 19, 2013)

An insurance firm has reached a settlement and agreed to change internal policies after the Office of the Privacy Commissioner (OPC) found the company had violated a former customer’s medical privacy, Stuff.co.nz reports. The man brought the case to the OPC after the insurance firm pulled five years of the man’s medical history. Privacy Commissioner Marie Shroff said, “It was the company’s policy to request a medical report containing five years of medical notes in any case where more than two issues were identified,” adding, however, that the insurer “should only have requested information relating to the three issues it had identified.”

DATA LOSS—AUSTRALIA

Pharmacy Apologises for Dumping Records (September 19, 2013)

Amcal Pharmacy has apologised after the accidental dumping of “hundreds of private medical records, including cancelled and out-of-date prescriptions, at a recycling depot,” The Canberra Times reports. A Territory and Municipal Services (TAMS) officer “who inspected the centre's recycling cage did not find any medication but discovered a box of medical records containing hundreds of private details,” the report states. The pharmacy’s manager has apologised, noting, “It is a genuine error. When my staff were cleaning out the storage, they did not realise that boxes of old records were in there.” The Office of the Australian Information Commissioner is making inquiries, the report states.

CONSUMER PRIVACY—AUSTRALIA

Bar-Scanning Bill Raises Red Flags (September 19, 2013)

The Guardian reports on a bill being considered that would require patrons of venues in Sydney’s Kings Cross to have their identity scanned and stored to monitor and enforce entrance bans on individuals who have committed serious crimes. The legislation would enforce ID scanning at 35 “high risk” venues and would collect names, dates of birth, addresses and photographs. Australia Privacy Foundation’s Roger Clarke said, “The measure doesn’t only affect the targeted individuals, it represents a serious imposition on all patrons of the venues that the government brings within its scope.”

BEHAVIOURAL TARGETING—AUSTRALIA

Move To Combine Supermarket and Banking Raises Privacy Concerns (September 19, 2013)

Supermarket chain Coles may enter the banking market, The Sydney Morning Herald reports, which could give it the “ultimate” data bank of consumer information, raising concerns among privacy advocates. Pulse Marketing Founder Lauren Fried said, “With this data, retailers would know absolutely every movement we had, and then they could target us effectively.” A representative from the Australian Privacy Foundation said there are no existing laws to prevent the company from combining its data on shoppers and banking clients.

BIOMETRICS—NEW ZEALAND

NZ Authorities To Share Fingerprint Data With U.S. (September 19, 2013)

The New Zealand Herald reports that New Zealand police will provide U.S. authorities with legal access to the nation’s fingerprint database to help curb crime and terrorism. The U.S., under specified conditions, will provide similar access to New Zealand authorities. Under the data-sharing agreement, both nations also laid out future plans to share DNA data as well. The Agreement on Enhancing Co-operation in Preventing and Combating Crime is reportedly being tabled by Parliament and will be referred to the Foreign Affairs and Defense Committee for ratification, the report states.

PERSONAL PRIVACY—AUSTRALIA

Photography, Privacy Violations and the Law (September 19, 2013)

Mondaq looks at the questions surrounding photography and privacy. In Australia, the report states, the law says it is “legal to take photos in a public place. There is no right to privacy that forbids you taking a person's photo so long as you are standing on public property. You can even take a photo of someone in their house or backyard so long as you don't step on their private property.” But, the report notes, “Using a photo for commercial purposes is different” and requires approval. It is illegal to take photographs on private property without permission, but when it comes to using drones, “the law is still to catch up,” the report states. 

DATA LOSS—NEW ZEALAND

EQC, Health-Related Breach Reported (September 19, 2013)

MSN NZ reports on “yet another privacy breach at the Earthquake Commission (EQC), with letters sent to the wrong claimants.” The most recent breach, which involved 260 New Zealand customers’ information being compromised when letters were incorrectly addressed, follows unrelated breach reports earlier this year. Earthquake Recovery Minister Gerry Brownlee said EQC is handling the issue appropriately, noting, “It appears to be a human error. I guess when they're dealing with that level of correspondence, things can happen.” Meanwhile, a New Zealand nurse who illegally accessed patient details and texted another person about them has been suspended.

ONLINE PRIVACY

Study: Whois System’s Privacy Controls Being Abused (September 19, 2013)

A new study commissioned by the Internet Corporation for Assigned Names and Numbers (ICANN) indicates the Whois system’s current ad hoc privacy controls are being abused, ZDNet reports. ICANN—a pseudo-directory of contact details for domain names—is recommending the Whois system be replaced to include authenticated access. Currently, contact details for administrators of a domain are publicly available, prompting domain name owners to provide false information.

ONLINE PRIVACY

Is Google Set To Do Away with Cookies? (September 18, 2013)
USA TODAY reports on a potential move by Google to replace third-party cookies with a new anonymous identifier (AdID) that would allow advertisers to track Internet browsing activity for marketing. The AdID would be communicated to online advertisers and ad networks that have aligned with agreed-upon guidelines in the attempt to give consumers more privacy and control as they browse the Internet. Though the program has not been officially announced by Google, a spokesman said, “Technological advancements can improve users’ security while ensuring the web remains economically viable. We and others have a number of concepts in this area, but they’re all at very early stages.” According to the report, Google plans to reach out to industry, government agencies and consumer groups in the near future.

PRIVACY TECHNOLOGY

Why Privacy Pros Must Embrace Technology (September 18, 2013)

“As privacy professionals, we have the opportunity to help companies restore the balance in the personal data ecosystem by considering the business needs of our employers as well as those of the individual,” writes UnboundID Product Marketing Director Nick Crown, CIPP/IT. To provide more user control over personal data, “our industry needs to look beyond static, ‘detective’ approaches to privacy practices,” he notes, and “embrace technology as an enabler of preventative privacy controls.” In this installment of Privacy Perspectives, Crown presents four phases that outline how businesses can better provide transparency, choice and control to their customers in relation to the collection, processing and transfer of their personal information.

PRIVACY RESOURCES

Consumer-Facing Privacy Policies: What Should Yours Look like? (September 18, 2013)

With privacy becoming more of a competitive advantage in business, it’s important that organizations communicate their data collection and handling practices with consumers in an easily digestible manner. But with the amount of legal jargon in most policies, many consumers don’t read them, or if they’ve tried, they can’t understand them anyway. In this IAPP Resource Center Close-Up, see examples of successful policies, guidance on creating plain-language and layered policies and what to pay attention to when making changes to your policy. (IAPP member login required.)
Close-Up: Creating a Privacy Policy

MOBILE PRIVACY

Operator Calls for Consistent Privacy Approach (September 18, 2013)

Mobile operator Vodafone is calling on the app development community to take the lead in communicating to consumers a consistent set of privacy guidelines similar to nutrition labels used by the food industry, Marketing Week reports. Vodafone Global Privacy Counsel Kasey Chappelle said the company is telling mobile app developers and other third parties to help safeguard consumer privacy and to communicate how data is collected and shared with advertisers. Vodafone is lobbying third parties through trade organizations such as the GSMA and the Mobile Entertainment Forum, the report states.

ONLINE PRIVACY

NSA Program Monitors Credit Card Transactions (September 17, 2013)

Spiegel reports on the U.S. National Security Agency’s (NSA) “Dishfire” program, which collects information on credit card transactions from 70 banks worldwide. The NSA targets transaction information from large credit card companies such as VISA and MasterCard on customers in Europe, the Middle East and Africa, the report states, adding that credit card data and related text messages made up 84 percent of NSA financial database Tracfin in September 2011.

ONLINE PRIVACY

Tumblr Inks Deal With Analytics Biz (September 17, 2013)

TechCrunch reports that Tumblr has signed a deal with analytics company DataSift, a move that could give advertisers more knowledge of what is posted on the site and boost Tumblr’s advertising sales. DataSift will have access to all of Tumblr’s real-time and historical data. DataSift currently has similar deals with Twitter and Facebook. Meanwhile, a report suggests that Google may have access to the WiFi passwords of every Android user, and, “Considering how many Android devices there are, it is likely that Google can access most WiFi passwords worldwide.”

SOCIAL NETWORKING

Will Going Public Diminish Privacy on Twitter? (September 16, 2013)

News that microblogging site Twitter plans to go public has prompted some to ask whether certain privacy functions on the site will have to go by the wayside to help generate revenue. Blouin News reports the company plans to exact a $15 billion IPO on $500 million of revenue and, to help boost its bottom line, Twitter may have to do away with its Do-Not-Track option. The report also questions whether Twitter may cease publishing its transparency reports and how much it will comply with foreign government requests to remove or share user data. “As the social media company executes its plans to expand abroad,” the report states, “it has much less of an incentive to get into spats with foreign governments over user data.”

PRIVACY

A Look at the “Age of Context” (September 16, 2013)

In an article for Forbes, Rawn Shah reviews Age of Context: Mobile, Data, Sensors and the Future of Privacy by Shel Israel and Robert Scoble. The book looks at the state of technology in 2013 with regard to healthcare, transportation, mobile devices and understanding customers, among others. Context is important when it comes to wearable technologies, the book notes. The kind of information collected, how it’s processed and cross-referenced with other sources and the responses they produce are all important questions, the authors note, calling such data points “Little Data.” Editor’s Note: Sam Pfeifle interviewed Israel last month in anticipation of his keynote address at IAPP Privacy Academy, in Seattle, September 30 to October 2. The interview contains a free download of the book’s chapter on privacy.

SURVEILLANCE

Law Enforcement Surveillance Tools Abound (September 16, 2013)

Ars Technica reports on BlueJay—a “Law Enforcement Twitter Crime Scanner.” The program provides real-time access to the “firehose” of public tweets so police can track suspects, keywords, locations, public events, social unrest and department mentions. The Verge reports on Italian-based firm Hacking Team and how the small tech security firm started from two programmers who created a suite of hacking tools. The Milan police eventually contacted the programmers with the intent of purchasing their hacking tools. Hacking Team now boasts 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.” Meanwhile, a recent Foreign Intelligence Surveillance Court opinion states the Edward Snowden leaks “have engendered considerable public interest and debate about Section 215.”

HEALTHCARE PRIVACY—AUSTRALIA

Doctors Snapping Smartphone Photos of Patients’ Conditions (September 12, 2013)

A study of one large Australian hospital has found that half of all doctors and nurses take photos of patients—one in five using their personal smartphones, The Sydney Morning Herald reports. Steve Hambleton of the Australian Medical Association says three committees are now developing guidelines for doctors. Hambleton says taking a photo to transfer to other doctors, for example, can be helpful for patient care or for teaching. But doctors need guidance on how to best protect such images. “Doctors need to be aware of the magnitude of the risk,” he says.
Full Story

SURVEILLANCE—AUSTRALIA

NSW Database Prompts Concerns (September 12, 2013)

ABC reports on New South Wales police creating “a giant database storing more than 200 million photographs of cars using roads across the state.” In this feature, NSW Privacy Commissioner Elizabeth Coombs comments, “To my mind, this issue raises things which are fundamental in the legislation, and that's about transparency and accountability.” Coombs has said she is “eager” to clarify how much data is being collected and stored, and whether the practice violates privacy law.
Full Story

INFORMATION ACCESS—NEW ZEALAND

Council: “Test and Retest” Privacy Rules (September 12, 2013)

The Early Childhood Council is asking journalists to "test and retest" the Teachers Council Disciplinary Tribunal’s privacy rules, The New Zealand Herald reports. The Teachers Council is reviewing the rules following a finding by Parliament’s Regulation Review Committee, prompting comments by the Early Childhood Council’s Peter Reynolds indicating he has no faith in the Teachers Council conducting its own review, the report states. Reynolds has said teachers’ disciplinary proceedings should be open to the public unless “a very compelling reason” exists for the proceedings to be closed.
Full Story

SURVEILLANCE—AUSTRALIA

Victoria’s Principals Call for CCTV in Schools (September 12, 2013)

The Sydney Morning Herald reports on principals in Victoria calling for the installation of CCTV cameras in “all state school foyers to prevent staff from being harassed and threatened.” Australian Principals Federation President Chris Cotching said he receives daily calls about issues in the schools, noting, “At the moment you've got people going into the foyers of schools and abusing people.” An Education Department spokesman said, “While schools, in consultation with their school communities, make their own decisions regarding the installation of security measures, they must adhere to strict privacy regulations when using additional security measures such as CCTV.”
Full Story

SOCIAL NETWORKING—AUSTRALIA

Victoria Raising Awareness of Digital Footprints (September 12, 2013)

Victoria’s state government is renewing its efforts to help young people understand that while mistakes are inevitable, “documenting our lives on social media is making them harder to forget.” The government has released a short film created by a pair of high school teachers who have witnessed how social media has impacted students at school in an effort to “make young people aware of the dangers of leaving behind a potentially dangerous digital footprint,” The Sydney Morning Herald reports. Minister for Youth Affairs Ryan Smith notes that “if you've posted something inappropriate online there's a chance a prospective employer may have found the post and made a judgement before they've even met you.”
Full Story

SURVEILLANCE

NSA Fallout Continues; Latest News Involves Israel (September 12, 2013)

The U.S. National Security Agency (NSA) continues to make headlines, most recently with a report the NSA “routinely shares raw intelligence data with Israel without first sifting it to remove information about U.S. citizens,” The Guardian reports. Citing a document released by Edward Snowden, the report describes an intelligence-sharing deal between the NSA and its Israeli counterpart. Meanwhile, Yahoo CEO Marissa Mayer and Facebook’s Mark Zuckerberg are hitting back at critics of tech companies, saying “U.S. government did a 'bad job' of balancing people's privacy and duty to protect.” Tech executives did not tell the public about the NSA surveillance because, Mayer said, "Releasing classified information is treason” and would mean incarceration. Meanwhile, an editorial in Wanganui Chronicle asks when it comes to tracking data to stop terrorist attacks, “Is this worth a potential risk to the privacy of any New Zealand citizen?”
Full Story

PRIVACY ENGINEERING

Is 2013 the Year of the Privacy Engineer? (September 12, 2013)

With the recent introduction of a new master’s degree by Carnegie Mellon and an influx of privacy engineering job openings by large tech firms, will this be the year of the privacy engineer? “Though the term privacy engineering has been around since at least 2001,” writes Robert Jason Cronk, CIPP/US, “only recently has the computer science community tried to use it in a concrete and systematic way.” In this Privacy Perspectives post, Cronk, a privacy engineering consultant for Enterprivacy Consulting Group, delves into the work of privacy engineers and why they “must be in place to identify user-centric risks and help design solutions” to help organizations mitigate risks while improving data flows. Editor’s Note: Cronk, along with MITRE’s Stuart Shapiro, CIPP/US, CIPP/G, will lead the preconference workshop Privacy Engineering Primer later this month at the IAPP’s Privacy Academy in Seattle, WA.
Full Story

ONLINE PRIVACY

Which Companies Top the ‘Privacy-Friendly’ List? (September 12, 2013)

Forbes reports on the “most privacy-friendly companies” according to privacy experts. Lee Tien of the Electronic Frontier Foundation cites Microsoft, Google, Tumblr and Facebook, while Chris Hoofnagle of Berkeley’s Center for Law & Technology cites B2B services “such as Salesforce, which explicitly says that the data you load into their service is yours, that you can encrypt it and that they will never sell it.” Boston attorney Sarah Downey says Twitter’s “Do-Not-Track” policy puts it at the top, and a number of experts cited companies such as DuckDuckGo, which doesn’t track users’ searches.
Full Story

BIOMETRICS

U.S. To Expand Data Sharing Overseas (September 12, 2013)

The Department of Homeland Security plans to expand foreign biometric data sharing, FCW reports. The Office of Biometric Identity Management (OBIM), now five months old, will use a $33 million contract with Accenture to decrease the time, cost and personnel required to share U.S. biometric data with the UK, New Zealand, Canada and Australia. OBIM provides biometric data to federal, state and local governments to deal with immigration violators, criminals and known or suspected terrorists, OBIM’s deputy director said, adding it aims to improve biometric data-sharing and increase interoperability among the U.S. Departments of Defense, Justice and State. Meanwhile, the U.S. and Japan seek to formalize an agreement on sharing fingerprints of convicted criminals.
Full Story

BIOMETRICS

Apple Releases Include Fingerprint Sensor (September 11, 2013)

The New York Times reports on Apple’s release of two new iPhones Tuesday, including a model with a fingerprint sensor that can be used instead of a passcode. In response to privacy concerns, Apple says user fingerprints will only be stored on the phone and will not be shared with app developers. The release is symbolic of a number of new on-the-market devices that use biometric authentication tools. A new wristband, Nymi, contains a voltmeter to read heartbeats. “You put it on. It knows it’s you. It communicates that identity securely to everything around you,” said the wristband’s creator. The biometric devices come on the heels of the recent discovery that even a 55-character password could be broken. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

When “All About You” Isn’t About You at All (September 10, 2013)

Acxiom’s release of AboutTheData.com has been touted as a step forward for online data transparency, as it’s now possible to know what Acxiom and other data brokers likely know about you. But people are finding that Acxiom doesn’t seem to know much about them at all. And what they do know is wrong. In this installment of Privacy Perspectives, Jedidiah Bracy, CIPP/US, CIPP/EU, explores the impact the bizarro world of data brokerage could have on public perceptions of behavioral advertising and online tracking, and why this whole thing just might backfire.
Full Story

ONLINE PRIVACY

New Apps Give Posts a Shelf Life (September 10, 2013)

Reuters reports on the proliferation of mobile apps that allow users to control who sees their content on social media sites—and for how long. Secret.li, for example, allows iPhone users to post a photo to Facebook knowing it will be automatically deleted either an hour, a day or a week after it’s posted and giving them control over with whom it will be shared. Another app, Spirit, allows users to hashtag tweets so they will auto-delete after a time period of the users’ discretion. "With the ongoing privacy scares, people are thinking about what they put out there now and looking for ways to have more control," said Spirit’s developer.
Full Story

PRIVACY LAW

The OECD Heralds the Arrival of the Privacy Profession (September 9, 2013)

For anyone following the field of privacy policymaking, the past two years have seen a flurry of activity unsurpassed in any other legal arena. Fittingly, the first reform process to come to fruition is that of the OECD Privacy Guidelines, which date back to 1980 and contain the first internationally agreed upon iteration of the now ubiquitous Fair Information Privacy Principles (FIPPs). Together with the expected result of the major reform processes in the U.S. and EU, the revised guidelines, slated to be launched later today on the OECD website and with a reception at the Canadian embassy in Washington, DC, are set to become the second generation of information privacy laws. As such, it is important to assess what has changed since their inception more than 30 years ago. In this installment of Privacy Perspectives, Omer Tene, who served as rapporteur for the Expert Group advising the OECD, examines the potential impact of the new guidelines.

DATA PROTECTION

When It Comes to Success, PIAs Should Not Be Underrated (September 9, 2013)

Privacy impact assessments (PIAs) are likely to become the most vital item in the privacy professional’s toolkit. That’s according to Eduardo Ustaran, CIPP/E, who writes for Field Fisher Waterhouse’s Privacy and Information Law Blog that PIAs are an effective tool that can be used to send a powerful message within an organization that the privacy pro is “on the side of the organization” as far as innovation and progress while “coming up with sensible ways of preventing unjustifiable risks” for everyone’s benefit. PIAs are especially relevant when it comes to global compliance, as they reach outside of the legal obligations of a given regime, Ustaran writes. Editor's Note: Want tools and templates for conducting PIAs? See Close-Up: PIAs.
Full Story

PRIVACY COMMUNITY

Accountability Is About Values (September 6, 2013)

“Over the past year, I reflected on why I have been doing privacy for nearly a quarter of a century,” writes Martin Abrams. “And after reflection, I decided it is time for me to focus on the role of values in privacy.” In this Privacy Perspectives blog post, Abrams discusses his new role as leader of the Information Accountability Foundation and how organizations can institutionalize accountability “in businesses’ practices, regulatory oversight and the next generation of privacy law.” Editor's Note: For more information on accountability see Close-Up: Accountability in the IAPP Resource Center.
Full Story

PRIVACY LAW—AUSTRALIA

Expert: Businesses Out of Time for Compliance (September 5, 2013)

ZD Net reports on comments by Symantec Principal Consultant John Reeman at this week’s Symantec Symposium that when it comes to privacy-law changes on the horizon, “Businesses are out of time.” The report cites the privacy commissioner’s fining powers and the passage of mandatory data breach notification legislation through the Lower House, with an expectation it will go before the Senate in November. “This law is coming. The fines are significant. There are no excuses anymore. You need to do something,” Reeman said.
Full Story

GEO PRIVACY—AUSTRALIA

ANPR Trial Capturing Vehicle Locations (September 5, 2013)

Police are using “GPS technology to capture the location of more than a million vehicles on Queensland roads at any one time” as part of the Automatic Number Plate Recognition (ANPR) trial slated to end next June, The Courier Mail reports. ANPR uses GPS and cameras in police vehicles, and if a motorist drives past, the vehicle’s position is recorded. “It will be stored for a year and one day,” the report states, noting the information will be used to assist in solving crimes.
Full Story

FINANCIAL PRIVACY—AUSTRALIA

APRA Guidance Lacks Privacy Reference (September 5, 2013)

The Australian Prudential Regulation Authority (APRA) has urged a “cautious and measured” approach when it comes to offshoring data, The Age reports, but stopped short of following Privacy Commissioner Timothy Pilgrim’s recommendation “to draw banks' attention to their obligations under the Privacy Act.” Following privacy concerns related to the offshoring of financial services, Pilgrim recommended APRA refer to the National Privacy Principles in its guidance, but “APRA's guidance note to banks—which is intended to identify potential problem areas—did not mention either ‘privacy’ nor ‘personal information’. Instead, it focused on potential risks to the financial system from data management,” the report states.
Full Story

DATA LOSS

Treating Breaches as Customer Issues (September 5, 2013)

In a world rife with data breaches affecting organizations large and small, businesses should treat these events as customer issues rather than compliance issues, writes Experian Data Breach Resolution Group VP Michael Bruemmer, CIPP/US. Bruemmer points out that organizations often smoothly handle the technical and regulatory sides of a breach response, but he adds, “as I’ve seen time and time again, what you might be falling behind on is the consumer engagement side of breach response, and that’s when your customers start making calls.” In this Privacy Perspectives installment, Bruemmer offers a number of ways businesses can go beyond a “compliance-only response.”
Full Story

SURVEILLANCE

NSA Review Board To Meet with Advocates, Tech (September 5, 2013)

The surveillance review board recently named by the White House is slated to meet with privacy advocates and representatives from technology companies in two separate meetings Monday, The Hill reports. A White House spokeswoman said it is not a “White House meeting” and a list of who will be attending has yet to be disclosed. Additionally, President Barack Obama addressed European Union concerns about the National Security Agency (NSA) surveillance program disclosures. “I can give assurances to the publics in Europe and around the world that we’re not going around snooping at people’s e-mails or listening to their phone calls.” Meanwhile, Brazilian telecom regulator Anatel is reviewing contracts between national operators and foreign businesses to investigate possible privacy breaches in the wake of the NSA disclosures.
Full Story

BIG DATA

Information Pollution and the Internet of Things (September 4, 2013)

As we get closer to a super-connected world of devices and sensors—estimates posit that by 2020 there will be between 30 and 50 billion connected devices—privacy professionals will be faced with the massive issue of data access. In this Privacy Perspectives post, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, CIPM, looks into this underlying problem, writing, “when so much information is collected—and across so many devices—how can we provide individuals with meaningful access to information in a way that is not totally overwhelming?”
Full Story

PRIVACY RESOURCES

What Do You Need To Build a Privacy Program? (September 4, 2013)

Privacy professionals looking to build a privacy program may need to call on “proactive strategies, persuasion, political savvy, adaptability and a passion to get an exciting new organizational function up and running”—never mind knowledge of relevant laws and how to comply with them—to get the job done. That’s according to the IAPP’s guide book, Building a Privacy Program: A Practitioner's Guide, one offering in this IAPP Resource Center Close-Up. You’ll also find freely accessible guides from the Massachusetts Office of Consumer Affairs and Business Regulation, an outline of IAPP award-winner Vodafone’s privacy program and articles to help you get buy-in from your organization.
Close-Up: How To Build a Privacy Program

SOCIAL NETWORKING

Pro-Privacy Attorney Leaving Twitter (September 4, 2013)

Twitter attorney Alex Macgillivray has announced his plans to leave the company, The Guardian reports. Macgillivray is credited with being aggressively pro-free speech and is described as being Twitter’s “conscience-in-residence,” turning the company into “one of the fiercest defenders of user privacy in cyberspace,” the report states. Macgillivray’s departure may have the industry wondering whether Twitter will “now have a less robust defence against government requests for user data and compromise its position on free speech and privacy online,” the report states.
Full Story

PRIVACY SCHOLARSHIP

Academics Explore the Intersection of Privacy and Big Data (September 4, 2013)

In anticipation of next week’s Future of Privacy Forum and Stanford Center for Internet and Society workshop on meeting the challenges of Big Data and privacy, Stanford Law Review has released its 2013 Symposium Issue with contributions from academics and other privacy experts. Academic works cover topics such as Big Data rewards, classification and fairness, paradoxes of Big Data, “preemptive analytics” and public vs. nonpublic data. Meanwhile, a new post by Ari Waldman in Concurring Opinions explores the “sociology of privacy.” Editor's Note: Look for IAPP coverage of the event next week.
Full Story

PRIVACY LAW

South Africa Gets a Law; Breach Notification Goes Into Effect in the EU, and More (September 3, 2013)

Last week saw a new law in South Africa, new guidelines from the Australian privacy commissioner, a new breach notification requirement in effect in the EU and U.S. states tackling big issues like e-mail and location privacy in the absence of forward motion on a federal level. In this week’s Privacy Tracker legislative roundup, you’ll get more in-depth information on all of the above and more—including a series of cases in Minnesota questioning the liability of government agencies when an employee violates the Driver’s Privacy Protection Act. (IAPP member login required.)
Full Story

ONLINE PRIVACY

Project Aims To Educate About Digital Footprints (September 3, 2013)

GigaOm reports on a National Science Foundation-funded project called Teaching Privacy and a related online tool that lets users track the location of Twitter and Instagram users. Both the project and the “Ready or Not” tool aim to educate individuals—particularly high school students—about online privacy and how our personal information forms a digital footprint. Expanding on the Ready or Not geo-tracking tool, Gerald Friedland, an International Computer Science Institute researcher working on the Teaching Privacy project, said, “Most people…do not know that if you tweet something this location data is actually publicly available.” The researchers are also working on a study showing that an anonymous account holder of a service such as Yelp can have reviews cross-referenced with location data and timestamps on other services to reveal the user’s identity.
Full Story