Privately speaking is a quarterly publication tracking developments in privacy legislation, regulation and case law.

The risks for organisations from a privacy breach can be very high. This applies both when the organisation is the victim – as in industrial espionage – and when the organisation fails to maintain expected standards of data integrity and confidentiality.

Our team of data protection lawyers can assist you with data security risk management, including contractual terms, privacy compliance, and litigation to contain data security breaches.


Orcon to pay $25K for providing “inaccurate and misleading personal info”

Telecommunications company Orcon Ltd instructed Baycorp to recover $208.58 owed by Mr Taylor, a soldier in the NZ Army. This instruction had “an immediate effect” on Mr Taylor’s credit rating and made it almost impossible for him to find rental accommodation for his wife and baby daughter. Mr Taylor claimed that the debt had been waived by agreement, meaning that the information Orcon had supplied to Baycorp was inaccurate and therefore in breach of Principle 8 of the Privacy Act.

The Human Rights Tribunal agreed with Mr Taylor, awarding him $25,000 – $10,000 for loss of benefit and $15,000 for humiliation, loss of dignity, and injury to feelings. It also ordered Orcon to provide training to its staff in relation to its obligations under the Act.

There are two points of general note.

First, organisations supplying personal customer details to a debt collection or credit reporting agency must ensure that the information is accurate, up to date, and not misleading.

Second, to meet the materiality threshold for an “interference” under section 66 of the Privacy Act, it is not necessary for the act or omission to be the sole, main, direct, indirect or “but for” cause of the harm. It is sufficient to establish that it made or might have made a more than trivial contribution to the occurrence or loss.

Link: Taylor v Orcon Ltd

Bank to pay $20K for confidentiality breach

The Banking Ombudsman has ordered a bank to pay $20,000 to a business owner after a bank employee methodically accessed the business’s company accounts, apparently without any legitimate or authorised purpose.

The office recently released a guide outlining the approach it will take to privacy and confidentiality complaints.

Links: Privacy and confidentiality guide and case note

Annual Review of the Privacy Commissioner

Three points of interest from the Justice and Electoral Committee’s 2014 report on the performance of the Privacy Commissioner are:

  • the Commissioner does not yet have full assurance that adequate privacy protection considerations are being designed into government IT systems
  • PwC has been engaged to update the Commission’s privacy impact assessment toolkit for use in the design stage by IT system developers and agencies, and
  • the Commissioner wants complainants and respondents to take more responsibility for reaching resolution, with its own role limited to setting parameters and explaining the legal position.

Link: Justice and Electoral Committee’s annual report

Protecting patients’ private information

Following a privacy breach, Counties Manukau DHB has reminded health professionals of their legal responsibility to protect sensitive patient files when travelling between sites:

  • if possible, transport the information in a secure container which is under your control at all times
  • only take the notes you need for your task, and
  • have them off-site for the least time necessary.

Link: CEO’s note


Metadata constitutes “personal information”

In June 2013, Ben Grubb, a Fairfax reporter, requested access to “all metadata information” stored by Telstra relating to his mobile phone services.

Telstra refused the request on the basis that Mr Grubb’s identity could not be ascertained from the metadata and that it was therefore not personal information as defined under the Australian Privacy Act. The Privacy Commissioner disagreed, finding that although the metadata did not directly identify Mr Grubb, his identity was reasonably ascertainable by cross-matching the metadata against Telstra’s various network and records management systems.

The Commissioner noted that Telstra had a pool of over 120 staff who engaged in this kind of data retrieval and that it used cross-matching for internal purposes and when responding to law enforcement agency requests.

Telstra has appealed the decision to the Administrative Appeals Tribunal.

Link: Ben Grubb and Telstra Corporation Ltd

Privacy Commissioner updates guidance

The Australian Privacy Commissioner has released a new Privacy Management Framework and a checklist to help organisations comply with the Australian Privacy Principles. The guidance outlines four ‘e’ steps to ensure good privacy governance:

  • embed leadership and governance arrangements to create a culture of privacy that values personal information
  • establish robust and effective privacy processes (e.g. training staff on their privacy obligations and developing a data breach response plan)
  • evaluate the adequacy and currency of the business’s existing privacy practices (e.g. by creating feedback channels for staff and customers), and
  • enhance (e.g. by commissioning an independent review to identify areas for improvement).

Among the tips on the checklist are:

  • always consider doing a privacy impact assessment when developing a project that involves new or changed personal information handling practices
  • collect only the information you need
  • make that information accessible internally on a needs-to-know basis, and
  • have a data breach response plan ready to go.

The new tools followed the release by the Australian Information Commissioner of a survey into the adequacy of the on-line privacy policies of 20 Australian and international organisations within the finance, retail, government and media sectors.

The policies were evaluated against the requirements of Australian Privacy Principle One (APP1), which requires entities to have a privacy policy that is clearly expressed and up-to-date. The Commissioner found that 55% of those surveyed did not meet one or more of the content requirements under APP1.

Links: Privacy management framework and Ten tips to protect your customers’ personal information

Singtel Optus - enforceable undertaking following privacy breaches

Singtel Optus has agreed with the Australian Privacy Commissioner to an independent audit of its internal privacy practices after a flaw was detected in its security system and it accidentally posted private information about 122,000 customers in an online directory without consent.

Link: Enforceable undertaking by Singtel Optus

ASIC on cyber resilience

The Australian Securities and Investments Commission (ASIC) has released a report to assist the Australian financial sector to improve cyber resilience. Suggested ‘health check prompts’ to cyber-risk management include:

  • whether the board and senior management are aware of the entity’s cyber risks
  • whether key third-party providers or clients are cyber resilient, and
  • whether employees and contractors are properly trained to deal with cyber risk.

Link: ASIC report


US Department of Justice issues data breach response guidance

The US Department of Justice has issued new guidance on how businesses should address the risk of data breaches, before, during, and after cyber intrusions. Among the recommendations are:

  • before formulating a response plan, an organisation should first determine which data, assets, and services warrant the most protection, and
  • the plan should be vetted by the organisation’s legal advisors to ensure that the organisation’s incident response activities remain on a firm legal footing.

Link: Department of Justice guidance

Data security incident response report

A US study of more than 200 data security incidents in 2014 has revealed the following insights:

  • employee negligence was the leading cause of data security incidents, demonstrating that technology solutions alone are not enough and that companies also need to drive better employee training and awareness, led by the right “tone from the top” and appropriate information security policies
  • the average time lag between the occurrence of an incident and its detection was 134 days, and
  • in the investigation of a breach, regulators most often ask to review companies’ internal policy documents, including: policies and procedures governing privacy and security, disaster recovery and business continuity plans, and evidence of education and awareness programmes.

Link: Incident Response Report 2015


Some links to recent enforcement activity in the US, the UK and Europe: