Privacy 5 Minute Fix 03: National Data Security Action Plan, COVID-19 tracing

The Privacy team
09 Jun 2022
Time to read: 5 minutes

Get your 5 Minute Fix of privacy news. This issue: the National Data Security Action Plan discussion paper, WA's COVID-19 tracing system, SIM-swap scams, and a round-up of recent cases and articles.

Release of the National Data Security Action Plan discussion paper

On 22 April 2022, the Australian government released the National Data Security Action Plan discussion paper which seeks consultation on:

  • how government and business can meet data security expectations now and into the future;
  • how to assign data security responsibilities for optimal data safety; and
  • how to share responsibility for data security across government, business and individuals for optimal data security outcomes across the economy.

Submissions have been extended and now close on 24 June 2022.

WA Auditor-General's report

WA's Auditor-General has told parliament that the state's COVID-19 contact tracing system has significant privacy and security concerns, and that controls over the sensitive medical and personal information of more than half a million users must be strengthened.

The Auditor-General has tabled a report which finds that authorities failed to adequately protect sensitive contact tracing data, including through an absence of data encryption to protect personal information, inadequate logging of access to sensitive data, a lack of restrictions to stop malicious files being uploaded, and errors and inefficiencies resulting from the manual entry of data.

Auditor-General Caroline Spencer has also criticised authorities' failure to adequately inform the public about the information collected, and to safeguard this information to the standards expected by the public. The report details an example of a former contractor being allowed continued access to sensitive data.

WA Health has defended the configuration of the system but has largely agreed to implement the recommendations in the report.

You can access the report here.

Australian Communications and Media Authority (ACMA) introduces new rules targeting SIM-swap scams

The new Telecommunications Service Provider (Customer Identity Authentication) Determination 2022 will come into effect from 30 June 2022.

The new rules introduced by ACMA require stronger customer identity checks when telcos undertake high-risk transactions such as SIM-swap requests, changes to accounts or disclosure of personal information. A SIM-swap scam involves a scammer taking control of a consumer’s mobile number by using that individual’s personal details to request a new SIM.

Under the new rules, the ACMA will have a range of enforcement actions available for telcos found to have breached the new rules, including commencing court proceedings.

Read more here.

Health Legislation Amendment (Information Sharing) Bill 2021 (Vic)

The Victorian Opposition has moved an amendment to refer the Victorian Government's Bill to establish a centralised electronic patient health information sharing system to the Legal and Social Issues Committee.

The Health Legislation Amendment (Information Sharing) Bill aims to enable information-sharing between specified health services, through a centralised platform operated and managed by the Victorian Department of Health. The Department would have the authority to securely hold and share health information between and across public health services electronically. The intent of the platform is to save lives and improve the care of patients who may access multiple healthcare facilities.

Norkin v University of New England [2022] NSWCATAP 146 (9 May 2022)

This was an appeal against a decision of the Tribunal of 15 December 2021. The Appellant sought access from the Respondent (the University), pursuant to the Government Information (Public Access) Act 2009 (NSW) (GIPA Act), to the name of a contractor of the University who conducted a Genuine Temporary Entrant (GTE) assessment of the Appellant, which is part of the enrolment process for a foreign student. As part of this assessment, the contractor was requested to make assessments including whether the applicant was a genuine student, had an appropriate level of English, had sufficient funds to support themselves and their dependants in Australia and was a genuine temporary entrant to Australia.

The University declined to provide the Appellant with this information, noting that this decision was made after a third-party consultation with the contractor (pursuant to GIPA Act, s 54) who had objected to the release of their information.

The Tribunal upheld the previous decision and dismissed the appeal, citing reasons against disclosure including prejudice to the effective exercise of University functions, probable undermining of competitive neutrality in connection with any functions of an agency, and probable prejudice to the legitimate business, commercial or financial interests of the University and the contractor.

Read the full decision here.

EIG v North Sydney Council [2022] NSWCATAD 127 (20 April 2022)

Senior Member Dunn found that the North Sydney Council (Council) had breached Health Privacy Principle (HPP) 4 and HPP 11 under the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) in disclosing a person’s “health information”. The breach related to the disclosure by the Council, in a report on attendance at Council meetings published on the Council’s website, that a councillor had sought to attend Council meetings remotely for a period of 5 months for medical reasons. This occurred following a decision by the Office of Local Government to resume in-person council meetings following the COVID-19 pandemic, unless a council member could justify their absence. The councillor in question had made such an application, but had expressly requested that the reasoning and information provided remain confidential for privacy reasons. The Council made an assessment that listing the reason for remote attendance as “Medical” was not “health information” within the meaning of the HRIP Act and included it in the public report.

Botre and Privacy Commissioner [2022] AATA 746 (11 April 2022)

The applicant lodged an application for review of a decision of the Commonwealth Ombudsman. Deputy President B W Rayment OAM QC found that the Tribunal did not have jurisdiction in respect of the application for review. The Ombudsman Act 1976 did not confer power on the AAT to review the activity of, or decisions made by, the Commonwealth Ombudsman. While certain decisions of the Privacy Commissioner could be reviewed by the AAT, the relevant decision here was made by the Privacy Commissioner under section 41 of the Privacy Act 1988, which was not within the review powers of the AAT set out in section 96 of the Privacy Act.

Clearview AI fined £7.5 million by UK privacy watchdog

England’s Information Commissioner’s Office (ICO) has fined facial recognition vendor Clearview AI more than £7.5 million (A$13.3 million) and ordered it to delete the data of UK residents from its systems, after concluding a joint investigation with the Office of the Australian Information Commissioner in November 2021.

Clearview AI created a tool which harvested image data from across the web and could help identify persons of interest, marketed at enforcement authorities worldwide. As well as deleting UK residents’ data, the company has been ordered to stop scraping and using UK residents’ personal data from public internet services.

The ICO said Clearview AI’s data collection was neither fair nor transparent, and the company didn’t have a lawful reason to collect people’s information. There was no process to prevent the data being retained indefinitely, and Clearview AI failed to meet the higher data protection standards required for biometrics.

In order to respond to requests for removal from people who suspected they were on its database, Clearview AI would ask for extra personal information including additional photos. The ICO has indicated that this may have acted as a disincentive to individuals who wish to object to their data being collected and used. The ICO has added that although Clearview AI no longer offers its services to UK organisations, the company continues to provide services in other countries and is still using personal data of UK residents.

In November 2021, the OAIC also found Clearview AI in breach of Australian privacy law.

Leaked SCOTUS decision overturning Roe v. Wade raises questions about how our health data can be used

In early May, US publication POLITICO published a draft opinion by the Supreme Court of the United States suggesting that the majority of the judicial body have voted to overturn the landmark 1973 judgment in Roe v. Wade, which currently protects a woman’s right to decide whether to continue her pregnancy under the constitutional provisions of individual autonomy and privacy.

If the decision is confirmed by the Court, it could have far-reaching ramifications regarding the right to privacy in the US, in particular with respect to women's reproductive health. Privacy bodies and human rights watchdogs have begun to express concerns about how existing and future data collection might be used to police anti-abortion laws, including:

  • Information about pregnancies on social media.
  • Internet search behaviour.
  • Location tracking via mobile phones, for example showing a visit to a place that could be linked to reproductive health.
  • Apps that reveal sensitive data, like menstrual cycle charting.
  • Access to data held in encrypted or anonymising tools.

Health apps already have a poor track record of respecting privacy when it comes to user and patient data, and this increased interest in tracking and storing health data is likely to add a new dimension to an existing issue for users.

You can read more on this topic here.

Recent Clayton Utz articles

Managing cybersecurity risk – precedent ASIC enforcement action provides key learnings

A recent Federal Court decision has confirmed that a failure by an AFS licensee to have in place controls or measures to manage cybersecurity risk across its network of financial advisers can amount to breaches of certain general obligations contained in section 912A of the Corporations Act 2001 (Cth) by the AFS licensee, with lessons in managing cybersecurity risks for all organisations generally, particularly those that utilise third parties or intermediaries.

Reference to "medical reasons" breached obligations to keep health information private

The intersection of Health Privacy Principles and the functions of a public body has been explored in the recent decision of EIG v North Sydney Council [2022] NSWCATAD 127 in the NSW Civil and Administrative Tribunal. In addition to the summary coverage of this case in our last privacy and data protection update, explore Mathew Baldwin and Connie Beswick's analysis of the potentially broad application of the HPPs to practical scenarios.

Government use of artificial intelligence – new horizons (and risks)

Although AI holds much promise for governments, they should undertake a comprehensive risk assessment of any AI solution and monitor if it is operating legally and as intended.

Edited and compiled by Mathew Baldwin, Fiona Curtis, Connie Beswick and Imogen Hanrahan
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.