July 24, 2017 8:30 AM | Posted by Maiken Hansen | Permalink
On 28 June 2017 Canada's Supreme Court upheld a decision ordering Google to remove links to websites unlawfully selling the intellectual property of another company. The Judges (7-2) in Google Inc. v. Equustek Solutions Inc maintained that Canadian courts had authority to issue an injunction forcing Google, a non-party to the initial proceedings, to delete search results, not only within Canada but globally. read more
June 29, 2017 11:39 AM | Posted by Leah Mooney, Paul Kallenbach, Veronica Scott | Permalink
Just when Australian businesses thought they had escaped the worst of WannaCry, there's a new ransomware campaign hot on its heels and reportedly exploiting the same vulnerability. read more
June 5, 2017 3:35 PM | Posted by Helen Lauder, Veronica Scott | Permalink
The Office of the Australian Information Commissioner (OAIC) last week released four resources on the mandatory data breach notification scheme (DBN scheme)  for consultation. read more
May 21, 2017 5:16 PM | Posted by Veronica Scott, Cathy Lyndon | Permalink
Privacy iconMany of our clients introduce new technologies into their workforce with the aim of improving safety – recently we have seen employers, ranging from emergency services and health providers to construction firms, introducing body cameras, and there are plenty of smart phone apps which assist with WHS compliance. read more
May 15, 2017 1:40 PM | Posted by Leah Mooney & Paul Kallenbach | Permalink
Over the weekend an unprecedented ransomware attack spread malicious software known as 'WannaCry' around the world. Britain's National Health Service was one of the more high-profile victims, with the service forced to cancel surgery, close emergency rooms and divert ambulances as a result of the attack. And while a British-based, self-confessed 'accidental hero' managed to halt the spread of the WannaCry virus, and Australia appears to have escaped the worst of the fallout, the consequences for business, government and individuals are far from complete, with the Australian Prime Minister's cyber security expert warning 'this is not game over'. read more
March 17, 2017 5:00 PM | Posted by Paul Kallenbach | Permalink

We are delighted to announce the publication of our second annual cyber security survey report, Perspectives on Cyber Risk 2017.

The 12 months since the publication of our last report has seen some of the most devastating cyber incidents yet.  No organisation type or industry has been spared. From finance, retail, hospitality and healthcare, to mining and resources, utilities, professional services and education – it's clear that everyone is fair game in cyberspace.

read more
February 28, 2017 1:20 PM | Posted by Helen Lauder and John Fairbairn | Permalink
Privacy2016 set the stage for changes to Australian privacy laws with two key amendment bills introduced. Further, major legislative (and other) changes were recommended by the Productivity Commission in its draft report into data availability and use. Overseas, the EU General Data Protection Regulation was published. There were also a number of OAIC determinations. Finally, the Federal Court interpreted the meaning of 'personal information' (although this occurred in early this year, not 2016).

We look at these legislative changes and other developments in Looking back at 2016 - Privacy Recap
read more
January 24, 2017 4:13 PM | Posted by Veronica Scott, Helen Lauder | Permalink
Kick-starting the privacy debate in Australia in 2017, the Full Federal Court has handed down its judgment in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4.  read more
December 1, 2016 8:55 AM | Posted by Veronica Scott | Permalink
Most organisations are well aware of their privacy obligations to their customers, but many assume that they don't have to worry about privacy when dealing with their employee's personal information because of the employee record exemption in the Privacy Act 1988 (Cth).  read more
December 1, 2016 8:30 AM | Posted by Tony Middleton | Permalink
A recent decision by the Federal Court comes amidst the start of the festive season but has left neither party with any holiday cheer. read more
October 21, 2016 8:48 AM | Posted by Veronica Scott, Susan Walsh, Nicole Franklin | Permalink
Australia finally looks set to have a new national mandatory notification laws for data breaches. read more
August 26, 2016 9:50 AM | Posted by Veronica Scott | Permalink
The OAIC this week issued its 40 page joint report with its Canadian counterpart of their joint investigation into the data security practices of Ashley Madison adult dating website operator Avid Life Media. The website suffered a large scale breach affecting individual users in multiple countries. read more
August 11, 2016 2:13 PM | Posted by Paul Kallenbach and James Patto | Permalink
Earlier this year, we released our inaugural cyber survey report, Perspectives on Cyber Risk, intended to provide insight into Australian organisations' cyber risk posture and cyber resilience capability. read more
May 19, 2016 2:43 PM | Posted by Veronica Scott and Andrew Cusumano | Permalink
Successful organisations depend on three key factors: people, processes and technology.  They cannot rely on just one of these alone. In in the context of the impact of technology, this article focuses on the roles that we as individuals have to play in data security and privacy protection - both as private citizens and as part of the organisations that we work in. read more
April 21, 2016 9:06 AM | Posted by James Patto | Permalink
The hack of toy manufacturer VTech's computer systems, which was disclosed by the company late last year, has highlighted various privacy concerns with, and vulnerabilities of, the Internet of Things (IoT) phenomenon. read more
April 8, 2016 11:49 AM | Posted by James Patto & Paul Kallenbach | Permalink

Welcome to the third instalment of the 'When IT hurts, it hurts: Mitigation strategies for cyber attack loss' blog series.  Coinciding with the release of MinterEllison's cyber survey report, Perspectives on Cyber Risk (the Report), this series focuses on key areas of loss that an organisation may suffer as a result of a cyber attack, and key strategies to mitigate that loss.

Today's blog post looks at two other feared exposures of our survey respondents - business interruption and loss of confidential information and intellectual property.

read more
March 8, 2016 10:37 AM | Posted by Brad Woods | Permalink
The NSW Legislative Council Standing Committee on Law and Justice released its Final Report into 'Remedies for the Serious Invasions of Privacy in New South Wales' on 3 March 2016. read more
March 2, 2016 12:26 PM | Posted by Hugh Bastiaan, Glen Ward, Paul Kallenbach | Permalink
Heralded as 'an epic fight pitting privacy against national security', the recent case between Apple and the FBI in the United States has seen a litany of debate, both legal and political. read more
February 23, 2016 3:36 PM | Posted by James Patto & Paul Kallenbach | Permalink
As a chief information officer or chief security officer, it's probably not going to be good news when your phone lights up at 2am on a cool winter's night. read more
February 3, 2016 7:01 PM | Posted by Paul Kallenbach | Permalink

We are pleased to announce the publication of our inaugural cyber security survey report - Perspectives on Cyber Risk.

Our survey results reflect that cyber attacks are occurring on a regular basis, across all organisations types, and in almost every industry; that cyber security is front of mind for many Australian organisations; and that for many (though not all) organisations, cyber resilience is considered a whole-of-enterprise challenge.

Our survey also found that many organisations perceive they have a satisfactory understanding of, and a satisfactory capability to prevent and deal with, cyber attacks. Unfortunately, this perception is not always reflected in the practical measures that organisations are adopting to mitigate cyber risk and increase their cyber resilience. 

You can download the report here.

read more
December 15, 2015 12:44 PM | Posted by James Patto & Paul Kallenbach | Permalink
October 13, 2015 1:29 PM | Posted by Helen Lauder, Paul Kallenbach & Veronica Scott | Permalink
On 6 October 2015, the Court of Justice of the European Union (ECJ) handed down a judgment relating to transfers of personal information from the EU to the US.  The judgment is seen by many as a 'landmark' decision, a 'bombshell'. In this post, we answer some key questions about the judgment, including what the implications are for transfers of personal information to and from the US and Australia. read more
October 7, 2015 8:25 AM | Posted by Tarryn Wood | Permalink
Contractor error is being blamed for a data breach which left millions of documents containing highly sensitive personal information freely accessible on the web. read more
October 1, 2015 5:04 PM | Posted by Helen Lauder & Rochelle Schuenker | Permalink
The Office of the Australian Information Commissioner (OAIC) has released for consultation a series of draft health privacy resources for health service providers and consumers (Resources). The Resources will replace the OAIC’s existing health privacy guidance materials, which were released prior to the 2014 reforms to the Privacy Act 1988 (Cth).  The Resources will supplement the OAIC's Australian Privacy Principle guidelines, providing more detailed guidance on the APPs in the health and research context. read more
September 10, 2015 10:30 AM | Posted by Helen Lauder | Permalink
The Crimes Act 1914 (Cth) was recently amended to increase the Commonwealth penalty unit from $170 to $180. The penalty unit will also be subject to CPI indexation every three years starting on 1 July 2018. read more
September 1, 2015 4:18 PM | Posted by Paul Jeffreys & Paul Kallenbach | Permalink
The Ashley Madison saga continues. As we foreshadowed in our earlier blog post, Avid Life Media Inc (ALM), the Canadian-based provider of the extramarital dating site, has been hit with lawsuits in Canada and the United States, flowing from the posting online, by the hacker group 'Impact Team', of personal information (including highly sensitive information) pertaining to the site's many millions of users. read more
August 21, 2015 9:00 AM | Posted by James Patto and Paul Kallenbach | Permalink
Consistent with a May decision of the Privacy Commissioner determining that metadata can be 'personal information' under the Privacy Act 1988 (Cth), the Office of the Australian Information Commissioner has released a privacy business resource intended to assist telecommunication companies and ISPs to comply with their obligations in respect of the storage and management of metadata. read more
July 24, 2015 3:00 PM | Posted by Paul Kallenbach & Leah Mooney | Permalink
Avid Dating Life Inc (ADL), the company behind the US-based Ashley Madison online (extramarital) dating service, are currently being held to ransom by a hacker known by the pseudonym "the Impact Team" ... read more
May 20, 2015 3:50 PM | Posted by Lucy McGovern & Paul Kallenbach | Permalink
In the 2015 Budget, the Government has committed, as part of its national security expenditure, $153.8 million over four years to support the implementation and ongoing management of the metadata retention scheme. read more
May 18, 2015 4:45 PM | Posted by Tarryn Wood and Veronica Scott | Permalink
Last week a US federal appeals court ruled that the NSA's mass collection of telephone metadata is not in fact authorised by the Patriot Act as the US government has long maintained. The NSA's collection of this data was made infamous by the revelations of former NSA contractor, Edward Snowden, and The Guardian newspaper in 2013. read more
May 6, 2015 5:06 PM | Posted by James Patto & Paul Kallenbach | Permalink
Last week the Privacy Commissioner, Timothy Pilgrim, (Commissioner) made a determination that metadata held by Telstra is 'personal information' for the purposes of the Privacy Act 1988 (Cth) (the Act).  Our blog post earlier this week outlined the determination by the Commissioner and his reasoning behind the decision.  Telstra argues that the ramifications beyond this decision may have the potential to hamstring telecommunication companies (Telcos) in a sea of compliance and lead to higher prices for consumers.  In this post, we explore the compliance consequences with respect to key Australian Privacy Principles (APPs). read more
May 5, 2015 5:05 PM | Posted by Helen Paterson & Paul Kallenbach | Permalink
The Commonwealth Privacy Commissioner (the Commissioner) late last week released a determination that considers the meaning of 'personal information' under the Privacy Act 1988 – a term that has been the subject of scant jurisprudence to date.  The Commissioner found that metadata held by Telstra was 'personal information', and that Telstra breached the Privacy Act when it did not provide access to that metadata to the individual to whom the metadata related. read more
May 4, 2015 4:41 PM | Posted by Charles Alexander, Veronica Scott, Ian Lockhart | Permalink
Privacy Awareness Week runs this week from 3 to 9 May 2015.  This morning the Australian Privacy Commissioner, Timothy Pilgrim, and a panel of academic and industry speakers discussed the issue of 'Privacy – living in the future'. read more
February 2, 2015 8:53 AM | Posted by Lucy McGovern & John Fairbairn | Permalink
Following the privacy reforms this year, a key concern for Australian entities has been the liability associated with disclosing personal information overseas. This article provides some practical guidance on how to approach outsourcing arrangements with overseas providers in light of amended Privacy Act 1988 (Cth) (Act) and the new Australian Privacy Principles (APPs), including in relation to intra-group information sharing. read more
January 28, 2015 11:55 AM | Posted by Ian Lockhart | Permalink
The last year has seen fundamental changes to credit reporting law. A new regime is embodied in a complete re-write of Part IIIA of the Privacy Act 1998 supplemented by a number of regulations and a new Credit Reporting Code (CR Code). This body of new law establishes a framework for comprehensive credit reporting in Australia. read more
January 21, 2015 3:02 PM | Posted by Lucy McGovern & John Fairbairn | Permalink
On 17 November 2014, the Privacy Commissioner launched a new Privacy regulatory action policy (Policy) which explains the range of powers afforded to the Office of the Information Commissioner, the office's regulatory strategy, approach and priorities. The Privacy Commissioner has emphasised that the Policy does not seek to make a radical shift in terms of the approach taken by the office to regulation, but rather seeks to provide transparency to the office's existing approach. read more
January 21, 2015 2:19 PM | Posted by Veronica Scott | Permalink

While 2014 was a year of privacy reform for Australia, one Spanish citizen, Mario Costeja Gonzalez, will never be forgotten for helping to contribute to a landmark development in European privacy law that ahs resonated around the world. As a result of his privacy complaint, the European Court of Justice (ECJ) has given EU residents the 'right to be forgotten'. The ECJ decision found that, while the right was not absolute

"individuals can request search engines to remove all links to not only inaccurate information, but also to personal information deemed to be "inadequate, irrelevant ... or excessive [for] the purposes of the processing."

read more
January 21, 2015 11:06 AM | Posted by Lucy McGovern & Charles Alexander | Permalink
The Office of the Australian Information Commission released a new Guide to Securing Personal Information which replaces the Guide to Information Security which was issued in April 2013. read more
November 12, 2014 9:00 AM | Posted by Joseph Cram | Permalink
In a recent privacy decision (DK and Telstra Corporation Limited [2014] AICmr 118), the Privacy Commissioner made a determination that Telstra Corporation Limited ('Telstra') apologise, update its privacy policy and collection notices, and pay $18,000 to a family law judge ('DK') as a result of Telstra's breach of National Privacy Principle ('NPP') 1.3 which constituted an interference with DK's privacy. The breach resulted from a failure by Telstra to inform DK that his information would be included in the White Pages (and therefore disclosed to the public). read more
September 3, 2014 5:30 PM | Posted by Lucy McGovern & Elisabeth Koster | Permalink
The Australian Law Reform Commission has today released its Final Report into 'Serious Invasions of Privacy in the Digital Era'.  The Report makes a number of recommendations regarding the prevention of and remedies for serious invasions of privacy in the digital era, including considering the design of a statutory cause of action for serious invasions of privacy.  read more
August 29, 2014 2:31 PM | Posted by Joseph Cram | Permalink
The OAIC recently released a new edition of its Data Breach Notification Guide, which provides general guidance for organisations and agencies on how to respond to data breaches. This blog post provides some brief comments on the new edition of the Guide. read more
August 15, 2014 3:27 PM | Posted by Loren Blumgart & Anthony Borgese | Permalink
The Office of the Australian Information Commissioner has released a revised version of its "Guide to Information Security: 'Reasonable steps' to protect personal information" (the Revised Guide).  The Revised Guide aims to provide more clarity in assisting organisations and government agencies in meeting their information security obligations under the Privacy Act 1988 (Cth).  In this article we look at the key elements of the Revised Guide. read more
August 6, 2014 10:28 AM | Posted by Harry Aitken | Permalink
Sony has agreed to a preliminary settlement of $15 million (USD) in a class action law suit over cyber-attacks on its networks in 2011. The settlement, which follows a £250,000 penalty imposed by UK authorities against the tech giant in 2013, serves as a salient reminder that companies may be exposed to significant liability if they fail to protect their users' personal information. read more
July 15, 2014 5:32 PM | Posted by Joseph Cram | Permalink
Today the Australian Privacy Commissioner released another own-motion investigation report, this time in relation to the storage of medical records by Pound Road Medical Centre (PRMC).

This is the fourth own-motion investigation published this year, and is in addition to the Commissioner's determination in the case of ‘BO’ and AeroCare Pty Ltd [2014] AICmr 32. This represents a marked increase from the Commissioner's enforcement activity last year, in which the Commissioner only published one own-motion investigation report and made no privacy determinations.

In this post, we look at how the Commissioner has dealt with non-compliance in each of these four cases, and the sorts of cases it seems the Commissioner is more likely to investigate. read more
May 28, 2014 2:00 PM | Posted by Nicole Reid | Permalink
Following a recent Federal Court decision, liquidators now need to be aware of the sensitivity of content stored on the computers of companies under liquidation if that content may be confidential to another person. read more
May 15, 2014 9:51 AM | Posted by Lauren Edge, Helen Paterson and Charles Alexander | Permalink
In the budget for 2014-15, the Government has proposed changes to the current privacy and Freedom of Information (FOI) arrangements through which the Government has stated that it will achieve savings of $10.2 million over four years. Under the new arrangements, privacy functions will still be undertaken by the Privacy Commissioner. However the Privacy Commissioner will be an independent statutory position within the Australian Human Rights Commission. read more
May 13, 2014 4:57 PM | Posted by Margaret Gigliotti and Paul Kallenbach | Permalink
Following an own motion investigation into a data breach suffered by Multicard Pty Ltd (Multicard), the Privacy Commissioner found that Multicard failed to take reasonable steps to ensure the security of personal information, and requested that Multicard commission an external privacy and security auditor to certify Multicard's implementation of agreed improvements to its privacy practices and information security systems. read more
May 8, 2014 4:19 PM | Posted by Harry Aitken and Paul Kallenbach | Permalink
The Federal Privacy Commissioner recently determined that AeroCare Pty Ltd, an outsourced flight support company, infringed the National Privacy Principles by questioning a disabled man about his medical condition in the presence of other passengers. read more
May 6, 2014 8:47 AM | Posted by Charles Alexander | Permalink
For Privacy Awareness Week, Minter Ellison's Charles Alexander discussed some of the key issues with Privacy Commissioner Timothy Pilgrim. The three parts cover issues including the Australian Privacy Principles, the ‘Heartbleed bug’ and the privacy implications of social media for employers and prospective employees. read more
May 2, 2014 10:41 AM | Posted by Tarryn Ryan and Paul Kallenbach | Permalink

New email app, Acompli, launched recently with much hype around its functionality for those who want to do more with their emails on their mobile device than simply checking new messages and quickly firing off the occasional reply.

Significantly, however, Acompli's servers are located in the US. By allowing Acompli to access your work email and replicate your email and attachments on its servers, you may be 'disclosing' personal information to an overseas recipient and putting your employer at risk of breaching the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth).

read more
March 21, 2014 4:04 PM | Posted by Tarryn Ryan | Permalink
Yesterday, with little fanfare, Labor Senator Lisa Singh reintroduced mandatory data breach notification legislation to the Senate in the form of a private member's Bill - the Privacy Amendment (Privacy Alerts) Bill 2014 (Cth). read more
March 14, 2014 10:19 AM | Posted by Veronica Scott | Permalink
After a 15 month preparation period, the changes to the Commonwealth Privacy Act 1988 are now in force. Not only have the National Privacy Principles been replaced with the Australian Privacy Principles, but we have a brand new credit reporting system, and the Privacy Commissioner has been awarded much stronger enforcement powers. read more
March 12, 2014 4:00 PM | Posted by Paul Kallenbach | Permalink
On 12 March, the new privacy regime comes into effect.  In a series of short videos, Partner Paul Kallenbach and Special Counsel Veronica Scott discuss the details and implications of the changes. read more
February 21, 2014 11:38 AM | Posted by Veronica Scott and Paul Kallenbach | Permalink
Today the Office of the Australian Information Commissioner released the final version of the guidelines on how agencies and organisations can comply with the new Australian Privacy Principles (APPs). read more
September 4, 2013 4:30 PM | Posted by Lucy McGovern and Veronica Scott | Permalink
The Federal Attorney-General, Mark Dreyfus QC, has appointed Professor Barbara McDonald as lead Commissioner of the Australian Law Reform Commission's (ALRC) inquiry into Serious Invasions of Privacy in the Digital Era. read more
September 4, 2013 4:22 PM | Posted by Helen Paterson and Charles Alexander | Permalink
On 14 August 2013, the Office of the Australian Information Commissioner (OAIC) released the results of the privacy sweep of the websites most used by Australians. read more
March 8, 2013 12:00 AM | Posted by Tarryn Ryan and Paul Kallenbach | Permalink
Last month the United States Supreme Court put a definitive end to a challenge of the constitutionality of laws which allow the US Government to conduct warrantless surveillance of non-US citizens, by finding that the plaintiffs lacked standing to bring the action.[i] The challenge was brought by human rights groups including Amnesty International, lawyers and journalists, all of whom claimed that their communications were likely to be caught up in surveillance activities carried out under the laws introduced by the FISA Amendment Act.[ii] read more
December 20, 2012 12:00 AM | Posted by Posted by Tarryn Ryan and Paul Kallenbach | Permalink
The past few days have been eventful to say the least for Instagram and Instagram users. On Monday, Instagram proposed new changes to its privacy policy and terms of service that sent users on a war path. Just as remarkable was Instagram's rapid response and backflip following the outcry. read more
October 19, 2012 4:46 PM | Posted by Paul Kallenbach | Permalink
The Federal Government has released a Discussion Paper on mandatory data breach notification. You can read our alert here. read more
May 27, 2011 3:34 PM | Posted by Siobhan Doherty and Veronica Scott | Permalink
From 26 May 2011, new UK laws require website operators to obtain a user's consent before using (eg by storing or accessing) a cookie (a text file saved by the site to a user's computer to store information such as user preferences) or a similar technology, unless the cookie is strictly necessary for the operation of the website. read more