Thursday, May 14, 2015

The Privacy Act and The Rules Will Suddenly Get More Attention If An Opt-Out PCEHR Is Implemented!

A couple of articles appeared last week.
First we had this:

Privacy complaints leap as companies struggle with compliance

Date May 4, 2015 - 3:09PM

Hannah Francis

Technology Reporter

More than half of all major Australian companies recently examined by Australia's Privacy Commissioner have failed to comply with privacy rules.
Privacy Commissioner Timothy Pilgrim said that 55 per cent of the 20 top websites run by the companies examined published inadequate privacy policies, while privacy-related complaints had leapt 43 per cent in the year since the nation's privacy laws were revamped.
The companies surveyed included the "big four" Australian banks; social media sites Instagram, LinkedIn and Twitter; the Department of Human Services; and major media outlets including The Guardian Australia, Yahoo!7 and The Sydney Morning Herald, owned by Fairfax Media, publisher of this article.
Government agencies performed best of the 11 industry sectors examined when it came to handling users' personal data and privacy.
A separate report from Deloitte Australia, also launched on Monday to coincide with Privacy Awareness Week, found more than a third of consumers had experienced privacy "issues" with Australian companies.
The findings come just over a year after the Office of the Australian Information Commissioner (OAIC) introduced revamped privacy rules for government agencies and businesses, as well as increased powers for the Privacy Commissioner.
More here:
Second we have this:

NSW Privacy Commissioner calls for mandatory data breach notification

State privacy act needs an overhaul
NSW Privacy Commissioner Dr Elizabeth Coombs has called for amendments to be made to the state's Privacy and Personal Information Protection (PPIP) Act of 1998 to bring it in line with 21st Century privacy concerns.
A report (PDF) was tabled in state parliament which outlined a number of recommendations.
These include:
  • The PPIP Act to be amended to provide mandatory notification of serious breaches of an individual’s privacy by a public sector agency.
  • Access to and amendment of personal information to be governed solely by the PPIP Act, and access to non-personal government information to be governed by the Government Information (Public Access) (GIPA) Act.
  • All NSW state owned corporations to be covered by privacy legislation.
  • A principle of anonymity and pseudonymity where lawful and practicable.
  • Coombs to prepare guidance for agencies on the use of surveillance technologies such as CCTV.
  • The PPIP Act to include privacy by design.
  • The ISO/IEC 27018 standard covering privacy, security and cloud services to be considered for inclusion in the NSW government’s information security management systems policy.
  • A Code of Practice to be developed to enable information sharing for planning and policy analysis purposes between agencies.
More here:
Lastly we have this:

Nearly half of employees inadequately trained on Privacy Act compliance

Only 54 percent of workers believe their employers have given them adequate training about how to preserve the privacy of customers' personally identifiable information (PII), a new survey has found. The survey comes as privacy authorities spruik a new privacy management framework designed to help Australian organisations improve privacy compliance efforts that consumers have slammed as inconsistent and unbelievable.
Released by the Office of the Australian Information Commissioner (OAIC) to mark the 2015 Privacy Awareness Week – an annual awareness exercise run by the Asia Pacific Privacy Authorities (APPA) forum – the new Privacy Management Framework is designed to help organisations boost employee awareness of privacy responsibilities.
Specific recommendations are intended to inform organisations' privacy response along four key steps: embedding a culture of privacy, establishing robust and effective privacy processes, evaluating privacy processes to ensure continued effectiveness, and enhancing organisations' response to privacy issues.
“Privacy management is an obligation that is continuous and proactive and for it to be successful, it must have support from an organisation's leadership team,” Australian privacy commissioner Timothy Pilgrim said in a statement.
More here:
While Government agencies typically do a good job of protecting personal information, their responsibility rises dramatically with a compulsory opt-out system.
It seems certain that new legislation will be required with the change to opt-out, as we believe will be the case, so we will need to wait and see just how it is framed, especially as the Privacy Commissioner would seem to be at least partially defunded!
There are some serious issues to be sorted out, and these will need to be sorted before the trials commence.


Bernard Robertson-Dunn said...

re:"There are some serious issues to be sorted out - and these will need to be sorted before the trials commence."

Not if it's a data gathering exercise, which it has all the appearances of being. The issues are serious and will need sorting out, along with many others but not before whatever trials they have in mind.

And I refuse to call it myhealthrecord; it's the government's health record.

ghr -> government'shealthrecord would be a more accurate name.

The only winners I can see in all this are the people directly involved with the operations, support and maintenance of the PCEHR/ghr.

It will keep the people who have developed a system that very, very few find useful (un)gainfully employed for a few more years.

I wonder if they really, truly believe in it.

Anonymous said...

Bernard, one wonders if anyone still remembers what 'it' is they believe in. I predict they will continue beavering away in their little silos doing 'stuff', looking busy and pretending that someone else's scope is dealing with the hard problems, all the while the department will steamroll on, oblivious to what requirements management actually means.