Recent developments in information and privacy law include:
1. Australian government’s Budget decision to disband the OAIC
Following the Australian government’s Budget decision to disband the Office of the Australian Information Commissioner (OAIC) by 1 January 2015, the OAIC has expressed its commitment to a smooth transition to the new arrangements. As a consequence, the Privacy Act 1988 will continue to be administered by the Privacy Commissioner; the Freedom of Information Act 1982 (FOI Act) will be administered jointly by the Attorney General’s Department (advice, guidelines, annual reporting), the Administrative Appeals Tribunal (merits review) and the Commonwealth Ombudsman (complaints); and the information policy advice function currently discharged by the OAIC will cease.
The OAIC is endeavouring to finalise FOI complaints that are currently before it by 31 December 2014. When a new complaint is received, the OAIC will contact the complainant to discuss the matter, and unresolved complaints will be transferred to the Commonwealth Ombudsman for completion.
3. Australian government’s data retention proposal
In response to the Australian government’s data retention proposal, the Privacy Commissioner has noted that while it is unclear exactly what types of information will be retained, there is potential for data to be considered to be “personal information” under the Privacy Act. In addition, as the retention of large amounts of personal information for an extended period of time increases the risk of a data breach, organisations holding this information need to comply with all their obligations under the Privacy Act, including requirements to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.
4. Privacy public interest determination guide
The OAIC has revised its guidance on applying for a privacy public interest determination (PID) to reflect the reforms to the Privacy Act that commenced in March 2014. The Privacy Public Interest Determination Guide will assist entities that are subject to the Australian Privacy Principles (APPs) when considering whether a PID is necessary. The guide also sets out the process involved if an application is made.
The revised guide has been inserted in the “Determinations” tab of CCH’s Australian Information and Privacy Handbook at ¶12-000.
5. International money transfers public interest determinations
The Privacy Commissioner has made two Public Interest Determinations to allow the Australia and New Zealand Banking Group Ltd (ANZ), other authorised deposit-taking institutions (ADIs) and the Reserve Bank of Australia (RBA) to continue existing practices in relation to processing international money transfers without breaching the Privacy Act for a period of 12 months.
These determinations can be found in the “Determinations” tab of CCH’s Australian Information and Privacy Handbook at ¶12-340 and ¶12-350.
6. Privacy breach: 254,000 Australian online dating profiles hacked
The Privacy Commissioner has found that Cupid Media Pty Ltd (Cupid) breached the Privacy Act by failing to take reasonable steps to secure the personal information held on its dating websites.
Cupid operated over 35 niche dating websites based on personal profile characteristics including ethnicity, religion and location. In January 2013, hackers gained unauthorised access to Cupid web servers and stole the personal information of approximately 254,000 Australian Cupid site users. The compromised personal information included full names, dates of birth, email addresses and passwords.
The Australian Privacy Commissioner, Timothy Pilgrim, has urged businesses to remain vigilant about information security. “This case highlights the importance of organisations conducting ongoing testing and maintenance of security systems to minimise the risk of a hack succeeding, and to ensure they are able to respond quickly if one occurs. Cupid’s vulnerability testing processes did allow it to identify the hack and respond quickly. Hacks are a continuing threat these days, and businesses need to account for that threat when considering their obligation to keep personal information secure,” said Mr Pilgrim.
The incident also demonstrated the importance of securely destroying or permanently de-identifying personal information that is no longer required. The Commissioner found that Cupid had not done so. “Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk. Organisations must identify out of date or unrequired personal information and have a system in place for securely disposing with it.” Mr Pilgrim also reminded “consumers using internet dating sites to regularly update your privacy settings, change your passwords and be careful about the personal information you share. You don’t want to become a victim of identity theft or a scam.”
The Commissioner noted Cupid’s collaborative and co-operative approach in working with the OAIC during the investigation, as well as the significant remedial steps taken by Cupid in response to the data breach. Mr Pilgrim then encouraged “organisations to proactively notify the OAIC of a data breach so that we can work with them and assist with appropriate remediation if necessary”.
The OAIC’s data breach notification guide outlines steps businesses and agencies can take to respond to, and mitigate the results of, data breaches. See ¶3-080 in the Australian Information and Privacy Handbook.
7. Privacy breach: Medical records kept in garden shed
The Privacy Commissioner has found that Pound Road Medical Centre (PRMC) in Melbourne breached the Privacy Act by failing to take reasonable steps to secure sensitive medical records.
PRMC stored medical records of approximately 960 patients in a locked garden shed at premises that were no longer operated or staffed by it. In November 2013, the shed was broken into and the medical records were compromised.
The Australian Privacy Commissioner, Timothy Pilgrim, noted the seriousness of the case particularly as the records contained sensitive personal information such as full name, address, date of birth, Medicare number, treatment details including results of medical investigations and discharge summaries. “The Privacy Act requires organisations to take reasonable steps to protect the personal information of their customers. I can’t think of any circumstances in which it would be reasonable to store health records, or any sensitive information, in an insecure temporary structure such as a garden shed,” Mr Pilgrim said. The Privacy Commissioner also warned organisations about the importance of secure document storage. “Physical security of hard copy documents is just as important as digital security. There is no point in converting paper records to a secure digital system, and then leaving the paper files unsecured. If paper records are no longer needed, they should be disposed of securely,” Mr Pilgrim said.
Although the majority of the medical records related to individuals who had stopped being patients of PRMC before 2004, the Privacy Act requires organisations to securely destroy or de-identify personal information that is no longer required. “If organisations don’t need to keep personal information for a legal purpose, then they must have a system in place to dispose of it securely. Get out the shredder or hire a secure document destruction service. If you don’t, you’re putting your clients at risk of identity theft or fraud, and your company at risk of enforcement action.”