Privacy Commissioner issues draft data breach notification guide

The Australian Privacy Commissioner has issued a draft Voluntary Information Security Breach Notification Guide for consultation.

The Guide aims to assist agencies and organisations to minimise the possibility of an information security breach occurring, and to prepare for and respond effectively to any breaches if and when they do occur.

An information security breach occurs when personal information is exposed to unauthorised access, use, disclosure or modification as a result of a breach of an agency's or organisation's information security.

At present there are no specific requirements under the Privacy Act for agencies and organisations to notify individuals of an information security breach. However, a proposal to make notification of information security breaches mandatory is being considered by the Australian Law Reform Commission in its Review of Privacy.

Submissions on the draft Guide can be made until 16 June 2008.

April 15, 2008 in Privacy

Cross border data flows: Data Privacy Pathfinder projects

Special Minister of State, Senator The Hon John Faulkner has outlined in a speech the steps Australia is taking to ensure organisations provide protections to personal information sent off-shore.

As part of its work on the APEC Data Privacy Sub-Group, Australia, through the Office of the Privacy Commissioner, is working on eight specific projects covering issues ranging from the development of self-assessment tools for businesses to the role of regulators in ensuring businesses are held accountable for the handling of personal information.

The projects will produce a privacy contact officers directory, templates to assist in making cooperative arrangements between privacy enforcement authorities in our region, and a common complaint handling form to promote the timely handling and referral of cross-border privacy complaints.

April 10, 2008 in Privacy

New privacy guidance to assist private health service providers

The Australian Privacy Commissioner, Karen Curtis, has issued new privacy guidance materials for medical practitioners and other health service providers and the public.

The guidance materials consist of five information sheets for healthcare in the Australian private sector, and seven FAQs for members of the public.

The information sheets address the following issues:

  • Fees that can be charged for patients to access their records.
  • Use and disclosure of health information for managing a health service.
  • Sharing health information within a treating team.
  • Sharing health information with relatives of an incapacitated patient.
  • Denial of access to health information due to a serious threat to life or health.

The FAQs answer questions relating to: patients accessing their medical records, who doctors can disclose patient information to, and whether doctors need to obtain the patient's consent.

March 11, 2008 in Privacy

Queensland Freedom of Information Review

The Freedom of Information Independent Review Panel has released a discussion paper reviewing Queensland's Freedom of Information (FOI) laws.

The discussion paper is intended to raise the major issues that will be considered by the Panel in recommending ways to improve and modernise Queensland’s Freedom of Information Act 1992.

According to the Panel, "The discussion paper challenges core legislative presumptions and current paradigms in the administration of FOI to shake out what matters most and what resonates best in the problem-solving puzzle."

Public submissions close on 7 March 2008.

The Panel will jointly host a FOI Public Seminar with the Australian Law Reform Commission on 6 March 2008.

The panel is scheduled to submit its final report and recommendations for cabinet consideration by the end of May.

The government intends to introduce proposed changes to the state's FOI laws before the end of the year.

January 30, 2008 in Business Planning, Privacy

Privacy Commissioner calls for mandatory reporting of major data security breaches

The Australian Privacy Commissioner, Karen Curtis, has called for compulsory notification of major data security breaches by Australian organisations.

In a submission by her Office to the Australian Law Reform Commission (ALRC) in response to its Discussion Paper 72: “Review of Australian Privacy Law”, she proposes that reporting would need to be proportional to the severity of the breach.

January 30, 2008 in Privacy

National Health ID system

The Federal Government has announced the National E-Health Transition Authority has contracted for the development of a new national healthcare identifier service.

It will identify a person's name, date of birth, address and the names and addresses of their practitioners, and is the first step towards establishing a shared electronic health records system.

Federal Minister for Human Services, Joe Ludwig, says it is not an access card and people can decide whether or not they want to be part of the service.

January 15, 2008 in Privacy

Privacy in Australia

Privacy International's 2007 International Privacy Rankings have charged Australia with "systemic failure to uphold safeguards".

Here's their analysis in detail. (Note that the Access Card has now been scrapped).

UPDATE: 8 January 2008: Page 124 of The Parliamentary Library Briefing Book (pdf) contains a summary of likely changes to privacy regulation under the new government.

January 2, 2008 in Privacy

UK Financial Services Authority fines Norwich Union Life £1.26m for privacy breach and anti-fraud failure

The UK Financial Services Authority (FSA) has fined Norwich Union Life £1.26 million (AUD 2.95M) for not having effective systems and controls in place to protect customers' confidential information and manage its financial crime risks. These failings resulted in a number of actual and attempted frauds against Norwich Union Life's customers.

The weaknesses in Norwich Union Life's systems and controls allowed fraudsters to use publicly available information, including names and dates of birth, to impersonate customers and obtain sensitive customer details from its call centres. They were also, in some cases, able to ask for confidential customer records such as addresses and bank account details to be altered. The fraudsters then used the information to request the surrender of 74 customers' policies totalling £3.3 million in 2006.

During its investigation, the FSA found that Norwich Union Life had failed to properly assess the risks posed to its business by financial crime, including fraudsters seeking to obtain customers' confidential information. As a result, its customers were more likely to fall victim to financial crimes such as identity theft.

Norwich Union Life also failed to address the issues, highlighted by the frauds, in an appropriate and timely manner even after they were identified by its own compliance department.

BBC News

December 19, 2007 in Financial Services, Privacy

Privacy case notes 25-27, 2007

The Privacy Commissioner has released three new case notes:

  • In W v Telecommunications Company [2007] PrivCmrA 25, it was found that the customer's residential address had been improperly disclosed by the telecommunications provider even though a fee had been paid to suppress it.

    The Commissioner also found that the complainant had attempted to resolve the matter with the telecommunications company a number of times, but the company did not take timely action to correct the error once they were informed of it.

    The complainant subsequently agreed to a settlement proposed by the telecommunications company.
  • In X v Transport Company [2007] PrivCmrA 26, the Office investigated whether there was an improper disclosure of personal information relating to a medical assessment. It was found that the transport company advised the employees that someone had failed the medical assessment. However, the company did not disclose who had failed the assessment, or for what reasons. In this case, the Commissioner was not satisfied that the information disclosed by the transport company was sufficient to make it likely that the workers could identify the complainant as the individual who had not passed the medical assessment. However, the Commissioner also advised the transport company to adopt additional security measures to minimise the possibility that any such incidents may occur in the future.
  • In Y v Ticketing Company [2007] PrivCmrA 27, the issue of the security of personal information including credit card information was considered. The ticketing company stated that the information was for purposes of identification and to minimise the incidence of fraud. It held that this is a common practice across a number of industries.

    The ticketing company also informed the Commissioner that it used a merchant EFTPOS facility provided by a banking institution and it was this facility that printed full credit card details on the receipt.

    The Commissioner reached the view that the ticketing company had not interfered with the privacy of the individual as it appeared that the company was fulfilling its obligations under National Privacy Principle 4.1 by providing customer credit receipts directly to the credit card holder only, and that steps were taken to secure the merchant copy of the receipt held by the ticketing company.

December 18, 2007 in Privacy

AML stage 2 starts: case studies and privacy issues

To coincide with AML stage 2 which starts on 12 December, Austrac has released its Typologies and Case Studies Report 2007 which identifies some key money-laundering methodologies and gives 51 case studies, highlighting:

  • what crime or civil proceeding was involved
  • the type of customer involved in perpetration of the offence
  • the industry category through which transactional activity was conducted
  • the specific method through which the offenders perpetrated transactional activity
  • the location through which the transactional activity was facilitated
  • the specific designated service
  • the red flag activity contained within each case example.

The Privacy Commissioner, Karen Curtis, has reminded businesses to carefully consider their privacy obligations when collecting personal information for AML/CTF purposes. (More)

December 11, 2007 in Anti-money laundering, Privacy

Changes to Commonwealth Ministerial and department responsibilities

As new Ministers get up to speed and pending website updates, information about administrative arrangements and portfolio responsibilities is being obtained from media articles and the few official documents available, such as the Ministry List (pdf) and the Administrative Arrangements Order (pdf). (thanks to Open and Shut for the link)

Page 33 of the AAO records that the Department of the Prime Minister and Cabinet is taking responsibility for the Freedom of Information Act and the Privacy Act.

December 5, 2007 in Business Planning, Privacy

Privacy update

The Office of the Privacy Commissioner has published recent speeches by its officers.

Of particular interest are:

December 5, 2007 in Privacy

Free Speech in Australia

A media coalition (the Right to Know Coalition) has sponsored The Independent Audit of the State of Free Speech in Australia (pdf).

Putting aside potential biases about the role of the media, the 336 page report is a useful collection of research material on:

  • access to information by media
  • protecting whistleblowers
  • freedom of information
  • anti-terrorism and sedition
  • restrictions on court reporting
  • privacy and defamation.

November 7, 2007 in Business Planning, Compliance, Privacy

Privacy Commissioner's 2006-07 Annual Report

The Privacy Commissioner has published The Operation of the Privacy Act Annual Report 2006-07.

The summary (pdf) contains data on enquiries received, complaints received and policy submissions made.

The Commissioner has forecast her office taking a more proactive approach.

November 1, 2007 in Privacy

Data security

The calling of the election means that the Privacy (Data Security Breach Notification) Amendment Bill 2007 has lapsed.

But the issue of who is liable for protecting the personal information of customers and whether customers should be notified in the event of a security breach (previously discussed here and here) will not go away.

Last week in California (which already has a data breach disclosure law) Governor Schwarzenegger vetoed a Bill which would have forced retailers who experience a data breach or loss to reimburse California banks for the costs of debit and credit card replacement and consumer notification.

October 17, 2007 in Privacy

Impact on small business privacy obligations of anti-money laundering laws

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) amends the Privacy Act 1988 (the Privacy Act) so that small businesses that will be reporting entities for the purposes of AML/CTF will also be subject to the Privacy Act in regard to their obligations under the AML/CTF Act. This includes small businesses that may be exempt from obligations under the Privacy Act in respect of other business activities they undertake.

The Privacy Commissioner has issued a FAQ brochure (PDF) for affected small businesses and has suggested they consider applying the NPP obligations to all their business activities.

October 12, 2007 in Anti-money laundering, Privacy

ALRC releases privacy discussion paper

The Australian Law Reform Commission (ALRC) has released Discussion Paper 72, Review of Australian Privacy Law, containing 301 proposals for overhauling Australia’s complex and costly privacy laws and practices.

The ALRC proposes there be a single set of privacy principles for information-handling across all sectors, and all levels of government. This will make it easier and less expensive for organisations to comply, and much more simple for people to understand their rights.

Other issues discussed include:

  • the protection of personal information stored or processed overseas
  • a new system of data breach notification
  • the removal of the exemption for political parties from the Privacy Act
  • introducing a new statutory cause of action where an individual’s reasonable expectation of privacy has been breached
  • abolishing the fee for ‘silent’ telephone numbers
  • expanding the enforcement powers of the Privacy Commissioner
  • imposing civil penalties for serious breaches of the Act
  • introducing a more comprehensive system of credit reporting.

The ALRC is seeking community feedback on these proposals before a final report and recommendations are completed in March 2008. Submissions close on 7 December 2007.

September 12, 2007 in Privacy

ALRC proposes a more comprehensive credit reporting regime

The Australian Law Reform Commission (ALRC) has proposed the introduction of a more comprehensive credit reporting regime, in a Discussion Paper released as part of its major review of Australian privacy law and practice.

The ALRC proposes that:

  • the types of information that may be recorded on a credit file be expanded, to include information about current credit accounts, the dates those accounts were opened and closed, and the credit limits of each.
  • an individual who has been a victim of identity theft should be able to advise credit reporting agencies and request that this be flagged on their file, so that any prospective credit provider is aware that an applicant for credit may be an impostor.
  • any credit provider who lists debt defaults on credit information files must be part of an external dispute resolution scheme to provide a fast, simple process for consumers who wish to dispute a default listing.

The ALRC is seeking community feedback on these proposals before the final report and recommendations are presented to the Attorney-General in late March 2008. Submissions close on 7 December 2007.

September 12, 2007 in Privacy

Scanning Proof of Identity Documents

The practice of scanning 'proof of identity' documents is becoming more common.

A business may only scan customers' identity documents if it is necessary for its functions or activities. In the first instance businesses should consider whether identification is required and, if so, whether simply sighting a 'proof of identity' document without scanning it would be sufficient.

Privacy Commissioner's Information Sheet

August 31, 2007 in Privacy

Privacy case notes 21-24, 2007

The Privacy Commissioner, Karen Curtis, has released four new case notes:

  • In S v Accounting Firm [2007] PrivCmrA 21, it was alleged that Tax File Numbers were improperly disclosed to a debt collection firm and a law firm for collection of outstanding fees. Although the Federal Police took no action, the Privacy Commissioner considered that the accounting firm disclosed the complainants’ Tax File Numbers to the debt collection firm and the legal firm in a manner not authorised under taxation, assistance agency or superannuation law. The Commissioner therefore found that the accounting firm breached paragraph 2.4 of the Tax File Number Guidelines 1992. The accounting firm offered the complainants compensation for the interference with their privacy. Both the law firm and the debt collection firm advised that they had destroyed the Tax File Number information from their records.
  • In T v Retailer [2007] PrivCmrA 22, the Office investigated the improper listing of a payment default on an individual’s consumer credit information file even though the consumer had properly cancelled a door to door sale contract. After conciliation, at the retailer's request, the payment default listing was removed from the complainant's consumer credit file.
  • In U v Newspaper Publisher [2007] PrivCmrA 23, it was alleged that a newspaper inappropriately published personal information. The Commissioner dismissed the complaint.
  • In V v Medical Practitioner [2007] PrivCmrA 24, the complainant sought access to their medical records which had been used in legal proceedings. The medical practitioner refused on the grounds that they were relevant to legal proceedings. The Commissioner ruled that as the proceedings were complete, the medical practitioner must provide the documents.

August 30, 2007 in Privacy

Privacy (Data Security Breach Notification) Amendment Bill 2007

Senator Stott Despoja introduced the Privacy (Data Security Breach Notification) Amendment Bill 2007 into the Senate on 16 August 2007 as a Private Senator's Bill.

This Bill, if passed, would require organisations and Commonwealth Government agencies to notify affected individuals of a data security breach involving their personal information.

August 26, 2007 in Privacy

Privacy of health information examined: HCF cleared

The Privacy Commissioner, Karen Curtis, has found that private health insurance company HCF did not breach the Privacy Act when it disclosed the personal and sensitive information of its clients to McKesson Asia Pacific as part of its 'Helping Hands' program.

It had been alleged in media reports that HCF had given McKesson the contact details, gender, age, the broad type of mental illness, and the number of hospital admissions for 370 of its members without their consent.

The OFPC investigation established that HCF wrote to members inviting them to participate in the 'Helping Hands' program based on their claims history. The letters described the program's purpose and background, setting out McKesson's role in administering the program and the contact process. Participation in the 'Helping Hands' program was entirely voluntary and involved telephone-based case management and support.

In addition, the HCF Privacy Policy advises members that it may use the personal information it collects to provide further health services where the member has consented or would reasonably expect HCF to do so.

July 29, 2007 in Privacy

Banking and financial services: privacy case studies

The Banking and Financial Services Ombudsman's Bulletin 54 (pdf) discusses the application of the National Privacy Principles to a range of banking procedures:

Identification to cash cheques: the BFSO’s view is that the taking of identification from a person presenting a cheque for cash payment is necessary for one or more of the functions and activities of the drawer’s bank.

Names and contact details of third parties required on credit applications: The BFSO suggests that the applicants who provide third party information advise the third parties of that fact.

Collection of sensitive information (eg health) without consent and without adequate notice of collection: the BFSO cites a case where a bank wrongly copied and retained a document that contained both financial and health information.

Use and disclosure: according to the BFSO, claims made to it range from cases in which correspondence is sent to wrong addresses to serious breaches in which individuals say their personal safety is put at risk.

Many cases investigated by BFSO where a breach is found appear to have resulted from failure to use up-to-date information, carelessness and, in some cases, misplaced attempts by staff to assist family members or friends of the customer.

BFSO has also considered cases where wrongly addressed mail has led to serious repercussions for the customer (eg acrimonious family law property proceedings). These quite serious cases are relatively uncommon. However, where a financial services provider is on notice of potential danger or conflict where information about a customer is revealed to a third party, then compensation may be substantial where such information is disclosed in breach of the NPPs.

Access to information: it is the view of BFSO that, where a financial services provider asserts that an individual is its customer, the individual is entitled to access information that the provider holds or purports to hold about him or her.

Credit reporting: BFSO receives and investigates a number of disputes about credit reporting. The most common cause for complaint is default or serious credit infringement listings.

BFSO’s view is that, where a credit provider intends to list a default, the intention to list should be brought to the attention of the individual at the time that the demand for payment is made. BFSO also takes the view that the amount listed should be limited to the amount which can be demonstrated to have been overdue for 60 days.

Where a credit provider relies on an acceleration clause in a contract to demand that the remaining loan balance be repaid by a customer, BFSO is of the view that the full amount must have been demanded by the credit provider and remain unpaid for 60 days from the date of expiry of the demand before a listing may be made and that this should be made clear and unambiguous in the demand.

In respect of serious credit infringement listings (which last for 7 years) it is the view of BFSO that simply being unable to locate an individual cannot form the basis of a “reasonable opinion” that the individual has indicated an intention to no longer comply with the credit contract.

BFSO also expressed the view that it is not appropriate for any listing to be made claiming fraud unless the individual has been found guilty of a fraud offence by a court.

July 3, 2007 in Financial Services, Privacy

Privacy Commissioner releases more case notes

The Privacy Commissioner, Karen Curtis, has released seven new case notes, the first release for 2007.

Most of the cases deal with complaints of improper disclosure of personal information, with respondents including a computer repairer, a licensed club, a government agency, a bankruptcy trustee firm and an insurance company.


May 25, 2007 in Privacy | Permalink | Comments (0) | TrackBack

Privacy Commissioner investigation response timeframe shortened

The Privacy Commissioner has reduced the standard timeframe given to respondents and complainants to address investigation and preliminary view letters. Responses will now be expected within 21 days, not 28 days. In reasonable circumstances, including complex matters, the Commissioner will agree to respondents and complainants having more time to respond.

May 21, 2007 in Privacy

Do Not Call Register opens for consumer registration

In anticipation of a 31 May 2007 start date, the Do Not Call Register has started accepting consumer registrations.

Individuals will be able to register their numbers either online at https://www.donotcall.gov.au/ or by post. Telephone registrations will be available soon.

Only the relevant account holder for the telephone number being listed, or someone nominated by the account holder can register the number.

Only Australian telephone numbers used primarily for private and domestic purposes can be listed on the Do Not Call Register. These include fixed (or landline) numbers, mobile phone numbers and voice over internet protocol (VoIP) numbers.

Businesses will not be able to register their numbers. Fax numbers will also not be accepted.

Individuals will not have to pay to register their telephone numbers.

Registration will only last for three years. You will need to contact the Do Not Call Register to re-register if you wish to continue your listing after this time. You can remove your registration at any time.

The legislation applies irrespective of where the call originates. Telemarketers operating outside Australia will face the same penalties as telemarketers operating within the country, if they call a number on Australia’s Do Not Call Register.

You can learn more about the register under frequently asked questions.

UPDATE 21 May: telephone registrations open

Do Not Call Register Index

May 3, 2007 in Do Not Call Register, Marketing, Privacy

Do Not Call Register: telemarketing standards explained for businesses

The Do Not Call Register is expected to be operational by 31 May 2007.

For a business, the core obligations are not to make an unsolicited telemarketing call to a number on the Register, and to ensure that any agreements you make to outsource telemarketing comply with the Act (Sections 11 and 12).

If a number is not on the Register, a business may call it provided the business (or its provider) complies with the telemarketing standards.

What's a telemarketing call?

A telemarketing call is a voice call to a telephone number, where, having regard to:

(a) the content of the call; and
(b) the presentational aspects of the call; and
(c) the content that can be obtained using the telephone numbers, URLs or contact information (if any) mentioned in the call; and
(d) if the telephone number from which the call is made is disclosed to the recipient (whether by calling line identification or otherwise)—the content (if any) that can be obtained by calling that telephone number;
it would be concluded that the purpose, or one of the purposes, of the call is:
(e) to offer to supply goods or services; or
(f) to advertise or promote goods or services; or
(g) to advertise or promote a supplier, or prospective supplier, of goods or services; or
(h) to offer to supply land or an interest in land; or
(i) to advertise or promote land or an interest in land; or
(j) to advertise or promote a supplier, or prospective supplier, of land or an interest in land; or
(k) to offer to provide a business opportunity or investment opportunity; or
(l) to advertise or promote a business opportunity or investment opportunity; or
(m) to advertise or promote a provider, or prospective provider, of a business opportunity or investment opportunity; or
(n) to solicit donations; or
(o) a purpose specified in the regulations.

The Regulations exclude the following from the definition of a telemarketing call:

  • product recall calls;
  • fault rectification calls;
  • appointment rescheduling calls;
  • appointment reminder calls;
  • calls relating to payments;
  • solicited calls (eg returning a call for information); and
  • calls not answered by the person to whom the call is made.

Schedule 1 of the Act defines designated telemarketing calls which are also exempt from the prohibition in section 11 (but not the telemarketing standards). These are calls made by Government bodies, religious organisations and charities, political parties, independent members of parliament, candidates and educational institutions.

Even if a telephone number is not registered on the Do Not Call Register, telemarketers will have to comply with the new Telemarketing Standard.

The standard applies to:

  • all telemarketing calls made to an Australian number to offer, advertise or promote goods, services, interests in land, business opportunities or investments, or to solicit donations
  • all research calls to conduct opinion polling and to carry out standard questionnaire-based research, and
  • calls made for the above purposes by public interest entities (such as charities, registered political parties, and religious organisations) who are exempt from the general prohibition on calling numbers listed on the Do Not Call Register when making specific types of telemarketing calls.

The standard establishes minimum standards in four main areas:

1. The standard provides clear and enforceable rules including restrictions on hours of calling. A caller must not make or attempt to make:

  • a telemarketing call on a weekday before 9 am or after 8 pm
  • a research call on a weekday before 9 am or after 8.30 pm
  • a telemarketing or research call on a Saturday before 9 am or after 5 pm
  • a telemarketing or research call on Sunday or a nationally recognised public holiday.

2. Under the standard, contact information and the purpose of the call must be provided by the person making a telemarketing call, as well as revealing, on request, the source from which the caller obtained the telephone number.

3. The standard requires the caller to terminate the call where the call recipient asks for the call to be terminated or otherwise indicates that he or she does not want the call to continue.

4. The caller is also required to ensure that calling line identification is enabled at the time that the caller makes or attempts to make a call.

Resources

April 12, 2007 in Do Not Call Register, Marketing, Privacy

Do Not Call Register update

ACMA has been engaged in consultation on steps necessary for the Do Not Call Register to be fully operational by 31 May 2007.

The latest discussion paper relates to the cost of access to the Register by telemarketers.

It will generally be unlawful to make telemarketing calls to numbers placed on the Register. However, the Act allows persons (such as telemarketers) to submit their contact lists to the Register Operator for checking against the Register. Upon submission of the list and payment of the appropriate fee (if any), the Register Operator must inform the access seeker which of the numbers in their list (if any) are, or are not, on the Register. This process of ‘washing’ contact lists will assist telemarketers to comply with the Act when it commences.

April 2, 2007 in Do Not Call Register, Marketing, Privacy | Permalink | Comments (0) | TrackBack

GST and internet-based businesses

The status of eBay Australia as a Switzerland-registered company that does not issue invoices to Australian merchants with GST included has forced the ATO to look at the question: if a transaction happens in cyberspace, which government collects the tax? (via Mark Jones)

The Australian looks at the issue from 2 angles: firstly, whether eBay should pay GST in Australia and secondly to determine if sellers are avoiding GST or were wrongly claiming GST credits.

March 14, 2007 in Compliance, Privacy | Permalink | Comments (0) | TrackBack

Airport policing and security

As a result of Sir John Wheeler's Review of Airport Security and Policing in 2005, the Government has introduced the AusCheck Bill.

The Bill provides for background criminal and security assessment for applicants for the Aviation Security Identity Card (ASIC) and the Maritime Security Identity Card (MSIC).

The Senate Legal and Constitutional Affairs Committee is currently conducting an inquiry into the Bill.

The Privacy Commissioner has released the OFPC's comments.

February 28, 2007 in Privacy | Permalink | Comments (0) | TrackBack

Reform of personal property securities

In November 2006, the Australian Attorney-General released a discussion paper on the proposed national personal property securities (PPS) register, Registration and Search Issues.

The discussion paper is the first in a series of three discussion papers dealing with key PPS reform policy issues. The second discussion paper will deal with priorities, conflict of laws, insolvency and enforcement issues. The third discussion paper will deal with issues specific to possessory security interests.

This review is about the creation of a national register that will consolidate all security interests that are created by a contractual agreement and which are held over personal property.

The Privacy Commissioner has released her comments on the first discussion paper.

She observed that:

Currently, it would be difficult for a casual browser to obtain all the pieces of information required to build a comprehensive profile of any one person with regard to security interests held over their personal property. The proposed register would consolidate this information into one centralised database which may allow a casual browser to more easily know all or most of the security interests held over the personal property of an individual.

The Office has some reservations about the privacy implications that may arise from the ability to develop a financial profile of any one individual, either in relation to the personal property they hold or in relation to the extent of their indebtedness or, in some cases, the extent of the security interests a particular individual holds.

February 23, 2007 in Compliance, Financial Services, Privacy | Permalink | Comments (0) | TrackBack

Do Not Call Register Act

The Do Not Call Register is still being set up. (Here's the Do Not Call Register Act 2006).

ACMA's Home Page and the Privacy Commissioner's Do Not Call Register page give useful updates.

February 16, 2007 in Do Not Call Register, Marketing, Privacy | Permalink | Comments (0) | TrackBack

Nationwide Building Society fined over security breaches

Nationwide Building Society (UK) has been fined £980,000 by the Financial Services Authority (FSA) over security breaches. (FSA Media Release, BBC News)

Nationwide was fined for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home last year.

During its investigation, the FSA found that the building society did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime.

The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.

Nationwide is the UK's largest building society and holds confidential information for over 11 million customers. The FSA will not reveal exactly what was on the laptop as it has still not been recovered.

via Tim Travers

February 15, 2007 in Compliance, Privacy | Permalink | Comments (0) | TrackBack

Taxpayer privacy

Minister for Revenue and Assistant Treasurer, Peter Dutton MP, has announced details of changes to the taxation law arising out of the Government’s Review of Taxation Secrecy and Disclosure Provisions.

Tax secrecy and disclosure provisions from 22 different tax acts will be standardised into a new framework within a single piece of legislation.

The standardised secrecy framework will maintain existing disclosures, and the Australian Taxation Office (ATO) will also now be able to release taxpayer information in limited circumstances where the public interest benefits exceed the impact on taxpayer privacy.  

“New disclosures will include allowing the ATO to disclose more information to law enforcement agencies.”

“For example, an important part of tackling organised crime or tracking supporters of terrorist organisations may require releasing information on the specific tax matters of individuals,” Mr Dutton said.

The ATO will also be able to provide additional information to the Australian Securities and Investments Commission in support of its role in corporate and insolvency regulation.

The new secrecy and disclosure legislation is expected to be introduced into Parliament in 2007.

January 17, 2007 in Privacy | Permalink | Comments (0) | TrackBack

Website compliance, pricing errors and ecommerce update

I have previously commented on how companies such as Dell and Bramleys have responded to website pricing errors.

If you have a business website, doing business on-line requires compliance with e-business rules as well as the standard laws, even if you think your site is just a "brochure" or information site.

To assist you, I have modified my report on financial services websites to cover business-to-consumer (B2C) websites generally and am pleased to make it available to readers at no charge. Download the Business website compliance report (pdf). I would appreciate any comments.

Other links:

Website legal compliance
Online contracts (pdf)

January 7, 2007 in Business Planning, Compliance, Financial Services, Marketing, Privacy, Trade Practices | Permalink | Comments (0) | TrackBack

Business and customer security

I recently discussed protecting customer data.

Here's an example of a company not doing that well:

"In the first week of December, a laptop was stolen from an employee's car," Boeing spokeswoman Kelly Danaghy said. "That laptop had files that contained Social Security numbers for about 382,000 past and present employees, and in most cases it also included a home address, phone number and date of birth."

This isn't the first time the theft of a laptop has compromised security for Boeing employees.

In April, the personal information of about 3,600 employees was compromised when a laptop was taken from a Boeing human resources employee at an airport. In November 2005, a similar theft put the personal data of about 161,000 employees in jeopardy. Source: seattlepi.com

But other companies are learning:

Visa has created a new $20 million incentive program under which it will monetarily reward "acquiring" financial institutions if their members are fully compliant with Payment Card Industry (PCI) data security standard requirements by Aug. 31, 2007. At the same time, acquiring banks that fail to ensure compliance by Sept. 30, 2007, will be assessed fines starting at $5,000 a month for each noncompliant merchant. The fines increase to $25,000 per month for each noncompliant merchant after Dec. 31, 2007.

As part of the compliance validation process, merchants will need to show that they have purged all magnetic stripe data, Card Verification Value data and PIN data from their point-of-sale (POS) and other systems. Source: Computerworld

January 1, 2007 in Compliance, Financial Services, Privacy | Permalink | Comments (0) | TrackBack

Protecting customer data: a compliance essential as well as a competitive advantage

Customer privacy is no longer just an add-on for businesses; protecting confidential information is now an essential part of anti-money laundering and counter-terrorism financing programs, as well as a key factor in customer attraction and retention.

According to strategy + business, in the United States a proposed law would require that companies with at least 10,000 digital files on individuals design a security system to protect sensitive records from unauthorized access. In addition, these companies would have to publish their data privacy procedures and conduct routine audits to evaluate vulnerabilities. Failure to follow these rules would result in fines and possible federal prosecution.

Customer privacy is much more than keeping customer information private. It also means knowing your customer and keeping customer information secure.

Security is proving to be increasingly difficult not because of hackers but because data is so portable.

Every week businesses are reporting missing computers and data: laptops have been stolen, or CDs or memory sticks containing thousands of customer files have been misplaced. And the computer files are not encrypted.

Or physical files are lost between offices and storage centres.

Customer privacy has now become customer security.

December 24, 2006 in Anti-money laundering, Business Planning, Compliance, Financial Services, Privacy | Permalink | Comments (0) | TrackBack

Privacy Act updated

ComLaw has issued an updated consolidated Privacy Act 1988 up to 13 December 2006.

The publication includes:

  • a new Part VIA inserted by the Privacy Legislation Amendment (Emergencies and Disasters) Act that applies to the handling of personal information during a declared emergency or disaster situation; and
  • amendments inserted by the Anti-Money Laundering And Counter-Terrorism Financing (Transitional Provisions And Consequential Amendments) Act 2006.

December 19, 2006 in Privacy | Permalink | Comments (0) | TrackBack

Privacy and credit reporting

The Australian Law Reform Commission (ALRC) has released an Issues Paper calling for public comment on Australia’s credit reporting system by 9 March 2007.

ALRC President Prof David Weisbrot said the credit reporting provisions of the Commonwealth Privacy Act were overly complex and hard to follow, and were under scrutiny as part of the ALRC’s major review of Australia’s privacy laws.

Prof Weisbrot said the ALRC issues paper, Review of Privacy—Credit Reporting Provisions (IP 32), outlines the strict limitations in Australia under the Privacy Act about the categories of personal information that may be collected and used as part of the credit reporting process.

The Commissioner in charge of the Inquiry, Prof Les McCrimmon, said that the Issues Paper sets out the arguments for and against comprehensive credit reporting and its potential impact on privacy.

IP 32 also looks at a range of reform options for credit reporting, including whether new and separate legislation is required to regulate credit reporting.

Prof McCrimmon said some of the issues being considered by the ALRC include:

  • the types of information held in credit information files and credit reports;
  • how credit reporting agencies and credit providers are required to protect personal information; and
  • the system for resolving complaints about credit reporting, including complaints about the accuracy of information on a credit file.

The ALRC also has launched a plain-English guide to the Inquiry, Reviewing Australia’s Privacy Laws: Is Privacy Passé? (IP 31 & 32—Overview).

December 13, 2006 in Compliance, Financial Services, Privacy | Permalink | Comments (0) | TrackBack

Government responds to Privacy Act review

Attorney-General Philip Ruddock has released the Government’s responses to the Privacy Commissioner’s report, Getting in on the Act: The Review of the Private Sector Provisions in the Privacy Act 1988, and the Senate Legal and Constitutional References Committee report, The Real Big Brother: Inquiry into the Privacy Act 1988.

Earlier this year the Attorney-General issued a reference to the Australian Law Reform Commission to review the extent to which the Privacy Act continues to provide an effective framework for the protection of privacy in Australia. The ALRC has now released an Issues Paper. The final report is to be delivered to the Attorney-General by 31 March 2008.

Separately, regulations to ensure the Privacy Act applies to all Residential Tenancy Databases will soon be implemented.

The Attorney-General’s Department is also examining options to harmonise Commonwealth, State and Territory privacy laws.

Privacy Commissioner's response.

December 1, 2006 in Privacy | Permalink | Comments (0) | TrackBack

Telephone numbers to be protected

The Telecommunications Amendment (Integrated Public Number Database) Bill 2006 will amend the Telecommunications Act 1997 (Telecommunications Act) to provide additional safeguards to ensure that integrated public number database (IPND) information is only disclosed and used for the purposes specified in Part 13 of the Telecommunications Act.

The IPND is an industry-wide database of all residential and business phone numbers (both listed and unlisted) and associated customer information, including name and address information. The IPND was established and is maintained by Telstra as a condition of its carrier licence.

The insertion of a definition of public number directory into the Telecommunications Act is intended to prevent IPND information being used directly to produce records or databases which are used for such purposes as marketing, data cleansing and appending, debt collection, identity verification and credit checking and to limit the extent to which records which are public number directories (within the meaning of the definition in the Bill) are readily able to be used for such purposes.

Comment: The Australian

November 22, 2006 in Marketing, Privacy | Permalink | Comments (0) | TrackBack

ACMA issues first communications industry report

The ACMA Communications Report 2005–2006 assesses industry performance across the communications, internet and broadcasting sectors.

The report is structured into four parts, covering:

  • an overview of the communications operating environment in 2005–06;
  • a snapshot of key participants in the communications environment;
  • analysis of the benefits that accrue to consumers from access to communications services; and
  • an assessment of some of the challenges posed by the emerging communications environment.

November 22, 2006 in Business Planning, Compliance, Marketing, Privacy | Permalink | Comments (0) | TrackBack

Restoring your reputation after a compliance breach: ChoicePoint

Earlier this year ChoicePoint, a major US data broker, agreed to pay US$15 million to settle charges that it did not properly protect consumers' personal financial information.

For ChoicePoint it was a public relations disaster.

ChoicePoint faced its critics with the attitude: "We want to make our privacy practices exemplary."

According to Keeping Your Enemies Close (NY Times), ChoicePoint started its makeover with the following:

  • It offered possible victims of identity theft membership of a credit monitoring service at no charge for one year, and provided them with free reports from the big three credit bureaus.
  • To actual victims of identity theft, it offered its expertise to help correct the problem.
  • The company also gave a $1 million, four-year grant to the Identity Theft Resource Center, a nonprofit group in San Diego.
  • ChoicePoint then overhauled its security measures, a move that began with the filling of the new position of chief privacy officer.
  • It stopped dealing with private investigators.
  • It set up a centralised credentialing department (separate from sales).
  • It also performs random audits of its customers, to ensure that they are conducting searches appropriate for their type of business, and it uses its computer systems to monitor accounts for suspicious activity.
  • ChoicePoint has endured roughly 100 outside audits, most of them conducted by long-term corporate customers.
  • ChoicePoint also set up a Web site for consumers who, at no cost, want to check and challenge possible inaccuracies in their dossiers.

via beSpacific

November 13, 2006 in Business Planning, Compliance, Marketing, Privacy | Permalink | Comments (0) | TrackBack

Privacy Laws in Australia: major review commences

The Australian Law Reform Commission (ALRC) has released an Issues Paper, Review of Privacy, as the first step in a major review of Australia's privacy laws due to be completed in March 2008.

The Issues Paper (which is 616 pages long) was prepared in response to the Terms of Reference prepared by Attorney-General Ruddock, who identified four factors as relevant to the decision to initiate the Inquiry:

  • rapid advances in information, communication, storage, surveillance and other relevant technologies;
  • possible changing community perceptions of privacy and the extent to which privacy should be protected by legislation;
  • the expansion of state and territory legislative activity in areas relevant to privacy; and
  • emerging areas that may require privacy protection.

The ALRC said the Inquiry will ask questions such as:

  • Do Australians feel that their privacy is adequately protected?
  • Is it possible for privacy laws to keep up with technology such as data matching, facial recognition and even body odour measurement?
  • Do younger people care as much about privacy as their elders?

The Review coincides with increasing concern over disclosure of personal information such as allegations of sale of information by Indian call centres.

October 9, 2006 in Privacy | Permalink | Comments (0) | TrackBack

Do we still have privacy?

I used to show a clip from Enemy of the State to show how little privacy we actually have.

But this video from ACLU is pretty good (via Peter Timmins).

September 19, 2006 in Privacy | Permalink | Comments (0) | TrackBack