2018 was a monumental year for data privacy and protection - globally and in New South Wales.
On a global scale, the introduction of the EU General Data Protection Regulation (GDPR), the Facebook-Cambridge Analytica data scandal, and Equifax’s record £500,000 fine (and US$287,000,000 remediation costs) for a 2017 security breach has brought data privacy and protection to the forefront of both government and business considerations.
On a local scale, data privacy and protection continues to make headlines.
In this article, we recap the big events (and breaches) that have shaped the data and privacy landscape in NSW this year, stemming from the overreach of data using technology.
In March, a NSW resident successfully challenged Transport for NSW’s collection of personal data through the Opal card ticketing system. The complainant argued against the mandatory registration of pensioner and concession Opal cards, which tracked the public transport movements of an identifiable user. The NSW Civil and Administrative Tribunal ruled in favour of the complainant, finding that there was little basis for the collection of the travel information for the stated purpose of enforcement of entitlement to the concession/pensioner travel card. However, the Tribunal has since overturned the decision, allowing an appeal by Transport for NSW in August.
In August, more than 1,000 confidential medical records were found in a derelict former aged care facility near Helensburgh. NSW Health responded to the data breach by stating that the building had been illegally accessed. Photos from the aged care facility indicate that the site had been illegally accessed since 2015, meaning that NSW Health had failed to take action to secure the records for up to three years. The NSW Government announced an audit of the archived medical records and apologised to the families of those whose records had been exposed to the breach. Following the findings from the audit by NSW Health, the incident may constitute a breach of the Health Records and Information Privacy Act 2002 (NSW) and Health Privacy Principle 5, which requires an organisation holding health information to protect against unauthorised access, use and misuse.
At the other end of the spectrum, moving from privacy, the NSW Government’s push towards open data continues with ongoing releases of data by Government agencies and continued investment and co-operation by NSW Government agencies responsible for open data including the NSW Information and Privacy Commissioner who, during May, launched a number of online learning resources to further assist the open data process in NSW. At the time of writing, it appears that NSW open data has been successful in the period that it has been running and unlike a range of media reports that have plagued Federal Government agencies misuse of data, it seems that the NSW move towards open data is continuing and continuing to succeed.
Further, the implementation of the EU’s GDPR in May of this year has had a trickle-down effect on the privacy and data considerations of NSW businesses and public sector agencies. The GDPR has extraterritorial reach, applying to all organisations that handle the personal information of EU residents. If a NSW business or government agency has an establishment in the EU, or offers goods or services, or monitors the behaviour of individuals in the EU, it will now need to comply with GDPR requirements. This includes the implementation of measures that ensure compliance with a prescribed set of privacy principles, with the aim of promoting the transparent handling of personal information. So ubiquitous has the GDPR become that the IPC has provided guidance for NSW agencies on the topic on its website.