Tuesday, March 04, 2014

No One Can Say They Have Not Been Warned About The Impending Changes In The Information Privacy Environment.

This came up a few days ago:

The OAIC's enforcement approach to new privacy laws from 12 March 2014 — Statement from the Australian Information Commissioner and Privacy Commissioner

28 February 2014
Significant changes to the Privacy Act 1988 will commence on 12 March 2014. The changes include a new set of harmonised Australian Privacy Principles (or APPs) that will replace the two sets of principles that currently apply to Australian Government agencies and to businesses. There will also be changes to credit reporting, including the introduction of a more ‘comprehensive credit reporting’ system and a simplified and enhanced correction and complaints process. The reforms also include new enforcement powers and remedies in relation to investigations.
The Office of the Australian Information Commissioner (OAIC) has adopted an enforcement approach to the reforms which recognises that Australian Government agencies and businesses are working hard to implement the new requirements. Our compliance focus in the months following 12 March 2014 will be on working with entities to ensure that they understand the new requirements and have the systems in place to meet them. In resolving matters brought to the attention of the OAIC we will take into account the steps taken by entities to genuinely prepare for the changes and to comply with the new legal requirements.
The full article is here:
There is warning commentary here:

Security experts slam new privacy guidelines

SECURITY experts have slammed new privacy law guidelines which they claim send a weak message and let businesses off the hook should they fall prey to hackers.
However, legal experts say it isn’t an open-and-shut case.
The Office of the Australian Information Commissioner last week released the Australian Privacy Principles guidelines, which are a crucial tool ahead of March 12, when new privacy laws kick in.
Agencies and companies can be fined up to $1.7 million and individuals $340,000 for serious or repeated invasions of privacy.
Phil Kernick, CQR national head of information security, said the guidance “wildly underwhelms me since businesses won’t be held liable if they get hacked”.
Mr Kernick said the guidance states that organisations won’t be held accountable for the exposure of personal information if it happens as a result of a cyber attack and if the OAIC was satisfied that ‘reasonable steps’ were taken to prevent them.
More here:
and here:

GP privacy slip may cost $1.7m

25th Feb 2014
ANXIOUS GPs are being urged to protect themselves against new privacy rules that come into force next month and could result in fines of up to $1.7 million.
The 12 March change from the National Privacy Principles to the Australian Privacy Principles (APP) includes new civil fines of up to $344,000 for individuals and $1.7 million for companies, such as practices, for significant breaches of the guidelines.
Experts believe many GPs could be left exposed if they fail to take measures to protect against breaches of privacy.
Examples such as the hacking of patient records at the Miami Family Medical Centre on the Gold Coast in 2012 exposed the need for heightened security around digitally stored patient information.
Now the focus is on how information can be safely passed on, shared and transferred, without falling foul of the information commissioner.
More here:
and just to ginger things up we had this!

Legal documents, account numbers found on recycled hard drives

Results “very disturbing”, says CEO of National Association for Information Destruction
Fifteen out of 52 computer hard drives purchased by the National Association for Information Destruction (NAID) Australia were found to have highly sensitive personal data including bank account details, medical information and home addresses.
The hard drives were taken to a forensic investigator, Insight Intelligence, who was able to easily extract the information. Some of the data included the legal case records of a family dispute, email files from a medical facility and signed documents granting access to business and personal emails from a Justice of the Peace.
NAID CEO Bob Johnson said the results were “very disturbing” in light of the Privacy Act reforms which are coming into law on 12 March 2014.
More here:
So the risks seem to be everywhere and the penalties are going up. Certainly everyone who manages client information needs a real plan to protect that information. Just hoping it will all be OK might be a very, very bad mistake!


Anonymous said...

I have been banging on about this for 18 months and still the healthcare industry is dragging its heels to get best practice in place when it comes to handling sensitive information and the new Privacy Act reforms.

Practices are very exposed to the real threat of cyber attack...

The elephant in the room will not go away.

Privacy Paul

Anonymous said...

The mandarins have not listened to anyone else about anything else, so why should they listen to you? It's not as though privacy is important or anything.