Stay on top of the latest privacy and FOI news from the national regulator
OAIC - Information Matters

Notifiable Data Breaches Report

Malicious or criminal attacks including cyber incidents remain the leading cause of data breaches involving personal information in Australia, with almost one in three breaches linked to compromised login credentials, figures published today show.

The Notifiable Data Breaches Report for July to December 2019 warns organisations about the risks associated with storing sensitive personal information in email accounts, as well as the risk of harm to individuals whose personal information is emailed to the wrong recipient.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said accidental emailing of personal information to the wrong recipient was the most common cause of human error data breaches over the period, accounting for 9% of all breaches.

“Email accounts are also being used to store sensitive personal information, where it may be accessed by malicious third parties who breach these accounts. Organisations should consider additional security controls when emailing sensitive personal information, such as password-protected or encrypted files.”

Read more in our media release
 

Action plan for health service providers

Our latest Notifiable Data Breaches Report also shows health service providers continue to report more data breaches to the OAIC than any other sector.

Following the release of our Guide to health privacy, we’ve published a four-step action plan specifically aimed at the health sector to help providers contain and manage data breaches, including those involving the My Health Record system.

The resource has been developed in partnership with the Australian Digital Health Agency, Australian Cyber Security Centre and Services Australia.

View the action plan
 

Consumer Data Right update


The OAIC has released guidelines for business on how to safeguard consumers’ privacy under the Consumer Data Right (CDR).

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the guidelines aim to help businesses participating in the CDR system understand their privacy obligations to consumers.

“Strong privacy protections have been built into the Consumer Data Right system, which will strengthen consumers’ rights to control and use their data, and enable greater competition, consumer benefits and economic growth,” Commissioner Falk said.

The CDR will be implemented in the banking sector from July 2020 and will allow consumers to safely transfer their data to accredited recipients so they can compare services. It will then be extended to other sectors of the economy, starting with energy and telecommunications.

See the guidelines
 

Appointment of new Assistant Commissioner

This month we welcomed a new Assistant Commissioner, Dispute Resolution to lead the OAIC’s privacy dispute resolution and enquiries teams, Commissioner initiated investigations, and notifiable data breaches area.

David Stevens brings more than 20 years’ experience working in prominent legal and investigations-related roles in Australia and overseas, as Assistant Commonwealth Director of Public Prosecutions, Head of Chambers of the International Criminal Court in The Hague, and at the NSW Crown Solicitor’s Office and NSW Electoral Commission. He is an experienced change leader, an accredited mediator and has also worked as a law lecturer and training officer.

David will work alongside Assistant Commissioner, Regulation and Strategy, Melanie Drayton, and Assistant Commissioner, Corporate, Ruth Mackay.

You can read more about our executive on our website.

 

Upcoming ICON session

Members of our Information Contact Officers Network (ICON) should save the date for our next information session for government agency staff, to be held in Canberra on 7 April 2020 from 9.30am to 11.30am.

More details for the event will be shared with ICON members shortly.

 

Recent OAIC engagements

Earlier this month, Commissioner Angelene Falk made an appearance at a Parliamentary Joint Committee on Intelligence and Security hearing in relation to its review of the mandatory data retention regime.

The Commissioner’s opening statement addressed the regulatory role of the OAIC and outlined key privacy considerations for the Committee. These include reducing the potential for personal information to be collected outside what is intended by or is reasonably necessary under the regime, as well as the need to consider reducing the retention period and introducing a warrants-based access system.

Following the hearing the OAIC provided a supplementary submission to the Committee outlining four additional matters. The supplementary submission is now available on our website.

See the supplementary submission
 

Privacy Awareness Week 2020


This year we are celebrating Privacy Awareness Week (PAW) from 4 to 10 May. Sign up now to be a PAW 2020 supporter and show your organisation’s support for good privacy practice and the importance of protecting personal information.

Stay tuned for more information, including this year’s theme, events and digital resources, which we’ll share with supporters in coming weeks. For the latest PAW updates, you can also keep an eye on our Facebook, Twitter and LinkedIn pages.

Become a PAW 2020 supporter
 

Regulatory cooperation


The Global Privacy Assembly (GPA) has launched a call for interest to participate in the GPA Reference Panel.

The GPA Reference Panel will be a contact group involving a variety of external stakeholders from around the world with expert knowledge on data protection and privacy, developments in information technology, and related issues.

The GPA is seeking representatives from relevant civil society organisations, academic institutions, think tanks, non-privacy supervisory authorities, public authorities and the private sector who have an interest in the vision and mission of the GPA.

The call for interest is open until Friday 20 March 2020.

Learn more
 

Privacy Officer training

We’re holding a one-day training session to build the practical skills of staff performing Privacy Officer functions on behalf of Australian Government agencies. The training program will help officers understand how to carry out their role under the Australian Government Agencies Privacy Code.

This course is for staff from Australian Government agencies only and is suitable for those who are new to the role.

The next training session will be held on Thursday, 19 March 2020, 9am to 5pm.

Book now
 

Variation to the CR Code

Amendments to the Credit Reporting Code 2014 (the CR Code) came into force earlier this month, making the system fairer for consumers.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the changes should facilitate an efficient credit reporting system while ensuring the privacy of individuals is respected.

The amendments benefit consumers by making it easier for people to prevent identity and credit fraud and limiting the types of information that can be included on credit reports.

Key changes to the CR Code
 

Recent submissions

You can catch up with our submissions on a range of legislative and other issues through our website, including our recent comments in relation to the draft Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020.

Read our submissions
 

Information Commissioner decisions

Information Commissioner review decisions and privacy determinations are listed on our website and published in full on AustLII. Recent Information Commissioner decisions include:

  • 'RO' and Department of Home Affairs (Freedom of information) [2020] AICmr 3
    Request for access to policies and procedures used to determine Class 600 visitor visa applications at the Australian High Commission in Pretoria, South Africa — Whether reasonable steps taken to locate documents — Reviewable decision set aside
  • United Firefighters Union of Australia Aviation Branch and Airservices Australia (Freedom of information) [2020] AICmr 4
    Request for access to documents relating to the use of fire-fighting foams and the spread of per- and poly-fluoroalkyl substances — Whether a practical refusal reason exists — Whether work involved in processing the request would substantially and unreasonably divert Airservices’ resources from its other operations — Reviewable decision set aside and substituted
  • 'RP' and Department of Defence (Freedom of information) [2020] AICmr 5
    Request for access to submissions made by an ex-service organisation regarding the emblazoning of Vietnam battle honours on unit colours — Whether disclosure of personal information is unreasonable — Whether contrary to the public interest to release a conditionally exempt document — Reviewable decision varied
 
Please do not reply to this message as you will not get a response. We welcome your feedback at [email protected].
If you would prefer not to continue receiving this monthly newsletter, you can unsubscribe below.
If you have been forwarded this newsletter by someone else, we invite you to subscribe.