Data breach access names and email addresses of Victorian students

January 15, 2026

There has been a major data breach of the Victorian Department of Education in which hackers accessed the names, email addresses and encrypted passwords of current and former students of Victorian Government schools. It has been widely reported, with coverage in the Age, Cyber Daily, the AFR and the Saturday Paper.

While the names and email addresses were stolen, the students’ dates of birth and other forms of personal information were not. That makes it likely that the data was siloed. Notwithstanding the problems with the data breach itself, at least there was some sophistication in the storage of the data. The Victorian Department of Education Read the rest of this entry »

UK Information Commissioner reprimands UK Post Office over data breach relating to the Horizon IT scandal

December 5, 2025

Accidental, usually negligent, publication of documents containing the personal information of multiple people is a public service specialty and common enough to be almost passé. But it is almost always serious. And so it was when the communications team of the Post Office published an unredacted version of a legal settlement document which set out the personal information of 502 former postmasters who had sued the Post Office over its egregious use of Horizon IT to make allegations against them.

Having proper protocols for publishing documents online is vitally important. Most additions to web sites are non-controversial and pose no privacy risk because the information does not identify individuals and is generally about the organisation. But organisations create or hold documents which do contain personal information, and with most documents stored in digital form they can be passed across to a whole range of people in an organisation. Here it was the communications team, who are culturally and technically as far away from dealing with sensitive information as one can get. They specialise in spinning and putting out press releases, not analysing legal documents. The ICO sets out matters that an organisation should consider in the handling of information.

The media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Post Office Limited following a data breach that resulted in the unauthorised disclosure of personal information belonging to hundreds of postmasters involved in the Horizon IT scandal.

The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website. The document contained the names, home addresses and postmaster status of 502 people who were part of a group litigation against the organisation. It remained publicly accessible from 25 April to 19 June 2024, before being removed following notification from an external law firm.

When investigating the circumstances of this data breach, the ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s information. We found there to be a lack of documented policies or quality assurance processes for publishing documents on the corporate website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices. Read the rest of this entry »

Federal Trade Commission fines Avast for deceptive privacy claims and distributes $15.3 million to affected users

December 3, 2025

The Federal Trade Commission is one of the main regulators that deal with privacy breaches. The usual basis for action is deceptive conduct by companies and organisations. Most recently the FTC took action against Avast for using its browser extensions and antivirus software to collect, store and sell browsing information without notice and proper consent. The FTC took action in February 2024 seeking $16.5 million from Avast. The claim settled in June 2024.

This type of privacy breach is common enough in Australia, and elsewhere, though usually not as egregious as what Avast did. Avast engaged in active deception. Companies continue to collect more information than they require to provide the service to their customers, subscribers or visitors to their sites. Organisations continue to justify this conduct. The danger to them and their clients is that if there is a data breach, the misuse of data, the overcollection of data, or both, will be discovered. And regulatory action will follow. Or a class action. Or both.

The most recent announcement about distribution of payments Read the rest of this entry »

Australian Information Commissioner releases its annual report

November 24, 2025

The Australian Information Commissioner has published its Annual Report.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) upheld and advanced information access and privacy rights throughout 2024-25 as it strengthened its ability to deliver better regulatory outcomes for the Australian community.

Releasing the OAIC’s Annual report 2024-25, Australian Information Commissioner Elizabeth Tydd said: “This report demonstrates the impact and credibility of the OAIC as the national regulator for privacy and freedom of information. Our broad reaching jurisdiction means that we are instrumental in securing democratic rights and promoting a healthy economy.

“This environment requires a proactive contemporary approach to regulation in this complex digital environment; that approach is tethered to regulatory transparency and proportionality.

“We apply a proactive and harm-focused approach to prioritise our efforts. We take regulatory action to encourage and support compliance by regulated entities and to address high-risk matters with the greatest potential for harm.”

During the year the OAIC finalised significant privacy breaches including a $50 million payment program as part of an enforceable undertaking received from Meta Platforms, Inc. (Meta) and an enforceable undertaking offered by Oxfam Australia after the not-for-profit experienced a data breach in January 2021.  Court action commenced the previous year also recently led to Australian Clinical Labs (ACL) paying $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business, the first civil penalties ordered under the Privacy Act.

“The OAIC’s impact is also well demonstrated by our data and the increase in positive results from our annual stakeholder survey. In 2024–25 we increased our performance in five of our six stakeholder measures. In case work the OAIC finalised 41% more Information Commissioner (IC) reviews than the preceding year, outpacing a 21% increase in IC reviews received,” Commissioner Tydd said.

The OAIC also published a separate FOI volume (PDF, 6006 KB) of the Annual report to improve accessibility of agency performance data and provide more detailed regulatory information. “This approach delivers greater transparency to the community and provides policy makers and agencies with reliable and insightful data regarding agency performance and the operation of the FOI system more broadly,” Commissioner Tydd said.

The OAIC strengthened the effectiveness of its educational and advisory functions during 2024-25, publishing a range of guidance and tools during the year. The privacy foundations self-assessment tool, the FOI self-assessment tool, and a new Freedom of Information (FOI) statistics dashboard all position regulated entities to achieve compliance by clearly articulating better practice and reporting against outcomes.

The results of the OAIC’s annual stakeholder survey demonstrated positive results with five out of six measures increasing, including:

    • advancing online privacy protections increased from 60% to 66%
    • encouraging and supporting proactive disclosure of government information increased from 56% to 65%
    • OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust increased from 63% to 66%
    • OAIC’s regulatory activities demonstrate collaboration and engagement increased from 58% to 64%
    • OAIC’s regulatory activities are based on risk and data rose from 56% to 59%.

“The OAIC’s strategic positioning will enable us to further deliver impactful regulatory outcomes to the Australian community in 2025-26,” Commissioner Tydd said.

Key 2024–25 statistics

    • Finalised 2,470 Information Commissioner (IC) reviews in 2024–25, a 41% increase compared to 1,748 in 2023–24.
    • Issued 248 IC review decisions, compared to 207 previous financial year.
    • Finalised 3,123 privacy complaints compared to 3,103 in 2023–24.
    • Issued 10 determinations following investigations of privacy complaints and continued to reduce the number of older complaints on hand.
    • Finalised 1,155 notifications under the NDB scheme, with 86% of notifications finalised within 60 days, exceeding the OAIC target of 80%.

The overview from the Privacy Commissioner provides:

This has been my first full year in the role of Privacy Commissioner, and has been characterised by ever-increasing risks to the protection of Australians’ privacy. With data breaches continuing to mount, AI and other emerging technologies becoming part of our day-to-day reality, and novel scams and online harms creating community concern, the work of the OAIC has never been more important, or more challenging.

The period of 1 July to 31 December 2024 saw the OAIC notified of 595 data breaches, an increase of 15% compared to the previous 6 months. Across the 2024 calendar year, data breach notifications were up 25% year on year. Individual and representative complaints to the OAIC, arising out of data breaches as well as other privacy interferences, also increased this financial year, totalling 3,295. Health service providers, the financial sector and Australian government agencies were the sectors most likely to notify of a data breach, and most likely to be the subject of a complaint.

In response to these building trends, the OAIC has focused on a dual-track regulatory response which prioritises both education and enforcement. Acknowledging the uplift required across the public and private sectors to ensure robust Privacy Act compliance, the OAIC has invested in and developed resources to support businesses and agencies to enhance their privacy governance. For example, in embodying the Privacy Awareness Week 2025 theme of ‘Privacy – It’s Everyone’s Business’ we released the Privacy Foundations self-assessment tool, a simple resource designed to help businesses who want to embed a culture of privacy and improve practices procedures and systems. Throughout the year, we issued new guidance clarifying the application of the Australian Privacy Principles (APPs) to a range of emerging technologies, including tracking pixels, facial recognition and AI, and we updated our charities and non-profits guidance. We launched a blog which we used to share information in a more accessible manner, and to explain the impact of some of the 10 determinations we issued in 2024–25. And together with our Digital Platform Regulators Forum partners, we released a working paper on multimodal foundation models. Read the rest of this entry »

Data breaches in January – June 2025: five hundred and thirty two notifications

The Privacy Commissioner has published notifications of data breaches in the first half of 2025 under the National Data Breach Notification Scheme. The health sector continues to have the most reported data breaches (18% of reported data breaches), followed by the finance sector (14%) and Australian Government agencies (13%).

The details are:

  • Number of notifications: 532
  • 33% of data breaches were caused by cyber security incidents of which:
    • 28% were due to phishing
    • 21% due to compromised or stolen credentials
    • 21% due to ransomware
    • 17% hacking
    • 6% brute force attacks
    • 4% malware
  • 3 data breaches affected between 100,000 and 250,000 people, the same number as in the July – December 2024 period. 3 data breaches affected between 250,000 and 500,000 people, again the same number as in the July – December 2024 period.
  • Contact information was the most common kind of information affected by data breaches (456). Identity information was affected in 303 data breaches, financial details in 194 and health information in 161.
  • 56% of data breaches were reported within 10 days of discovery. 27% of data breaches were reported more than 30 days after the data breach.
  • 308 of the data breaches were caused by malicious or criminal attacks and 193 by human error.


Groth v Herald & Weekly Times (VID 1130/2025) First directions hearing. Orders made for interlocutory hearing on 6 November 2025

November 1, 2025

At the first directions hearing on 30 October 2025 in the Federal Court proceeding of SAM GROTH and another v THE HERALD AND WEEKLY TIMES PTY LTD and others, the Respondent succeeded in having its application to determine whether the journalist exemption applies listed for hearing. The hearing will take place on 6 November 2025. The directions hearing is reported by the Guardian in News Corp had no first-hand source suggesting Sam Groth’s wife underage at start of relationship, MP’s lawyer tells court, by the AFR in News Corp allegedly claimed to be writing puff piece on Groths, and by 9 News in ‘Salacious gossip’ or news? Tennis star turned MP to test new privacy law (to name but three stories).

The orders made by Justice McElwaine are:

  1. The interlocutory application of the respondent accepted for filing on 2 October 2025 is set down for hearing at 30am on 6 November 2025.
  2. Any evidence proposed to be relied upon by the respondent at the hearing of the interlocutory application is to be in the form of an affidavit which is to be filed and served by 4pm on 4 November 2025.
  3. Any evidence proposed to be relied upon by the applicant at the hearing of the interlocutory application is to be in the form of an affidavit which is to be filed and served by 12pm on 5 November 2025.
  4. The matter be set down for hearing in Melbourne at 15am on 11 May 2026, with an estimate of 10 days.
  5. The parties are to attend a mediation to be organised by the parties, such mediation to take place on 7 November 2025.

The Guardian article provides:

Australia’s new privacy laws to be tested as Victorian Liberal MP and wife Brittany Groth sue over Herald Sun articles

A News Corp journalist had “not one piece of information” to suggest the deputy Victorian Liberal leader, Sam Groth, began a relationship with his wife when she was underage, the MP’s lawyers have told a court.

In what a federal court judge described as a “test case” for Australia’s new privacy laws, Groth and his wife, Brittany, are suing the Herald and Weekly Times (HWT), reporter Stephen Drill and the Herald Sun’s editor, Sam Weir, over a series of articles published in July.

The articles allege the couple met at a tennis club in suburban Melbourne and began a sexual relationship when Brittany was 16 or 17 and Sam – then a professional player – was 23 or 24 and working as her coach, the court has been told.


Gmail passwords included in data breach involving 183 million accounts

October 30, 2025

When reports appear that Gmail has suffered a data breach involving 183 million accounts, the likelihood of panic is great and the reputational damage to Google is greater. Gmail is now a well established form of email communication. It is ubiquitous, easy to set up and maintain and, until recently, had the cachet of being part of the Google empire and therefore safe to use. But what happens when the claimed mass theft of Gmail passwords turns out not to be so mass after all? Google has to scramble to set the facts straight. It can and does get messy. The Forbes article Gmail Passwords Confirmed Within 183 Million Account Infostealer Leak and the Sydney Morning Herald article Panic as breached details of 183m accounts, including Gmail, emerge report that a very significant data breach has occurred and that part of the data stolen included Gmail passwords. Google has had to scramble to clarify.

The issue for businesses is to be as clear and transparent as possible. Many statements in response to data breaches are models of obfuscation and confusion, when they are not boilerplate about working with authorities and doing all they can, etc.

The Forbes article Read the rest of this entry »

Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396: New South Wales Court considers statutory tort of privacy at interlocutory stage

October 27, 2025

The New South Wales District Court in Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396 considered issues regarding the statutory tort of serious invasion of privacy on 7 October 2025.

FACTS

The relevant parties are:

  • the defendant, Williams, is the sole director and secretary of Glexia Pty Ltd, a company that briefly leased premises the subject of a development application brought by the first plaintiff, Kurraba [2].
  • Kurraba lodged a development application with the City of Sydney to develop and establish a life science hub in the vicinity of 100 Botany Road Alexandria [10].
  • Botany Road development Pty Ltd as trustee for the Botany Road development trust (“BRD”) is the owner of the real property to be developed and is also the company responsible for the development.
  • the second plaintiff, Smith, is the sole director and shareholder of BRD [10].

Kurraba publicly announced its intention to lodge the development application on or about 19 and 20 June 2024 [11]. At about that time a property in Wyndham Street was advertised for short-term rental. BRD exercised an option to purchase the Wyndham Street property. Williams called the real estate agent and said words to the effect that he was interested in leasing the property, and was told it was to be sold and knocked down for development [12].

On 26 June 2024 Glexia Pty Ltd entered into a commercial lease for a period of six months commencing on 1 July 2024. Significantly, Williams did in fact vacate the premises on or around 1 January 2025 [12].

The first interaction between the plaintiffs and Williams occurred when Williams texted Smith stating [13]:

“Dear Kurraba Group,

Your development at 100 Botany Road (SD-63067458 /D/2024/937) intends to cause considerable disruption to my business and likely violates numerous laws, regulations, rules, and policy documents.

We intend to oppose the development first by submitting it to the State of New South Wales and the City of Sydney Local Government Area and, if still approved, the Land Environment Court and/or Supreme Court.

I write to establish communications before formal opposition proceedings and litigation to see if there might be a way to resolve these issues amicably, saving us both the immense cost and time of such proceedings.

We have begun retaining experts to develop a more comprehensive opposition package and to impact the various reports you have submitted as part of your package.

I have attached our preliminary submissions, which will be submitted to the State of New South Wales and the City of Sydney on 29 November 2024 unless we reach some agreement to mitigate the impacts on our business.

Regards,

Michael Williams”

On 11 November 2024, Williams and Smith had a meeting. Mr Smith states that Read the rest of this entry »

American Express is found to have major data flaws after an investigation by the Privacy Commissioner

October 17, 2025

One thing that is almost a given in data privacy law is that if the regulator starts investigating a discrete problem or data breach, it will end up reviewing the entire entity’s operation and find problems worse than what it started looking at. Often the original problem ends up being a small fraction of the entity’s problems. And so it goes with American Express, where the Privacy Commissioner found systemic failures in American Express’s security controls, potentially exposing more than a million cardholders to privacy breaches. The initial complaint related to a customer complaining about a staff member spying on his personal financial information. It is reported in the Age story ‘Sensitive personal information’: Leaked report reveals American Express security failures. What is unusual, and reflects poorly on American Express, is that two years ago the Age reported that the Australian Financial Complaints Authority found American Express had breached privacy laws when its employee accessed the complainant’s accounts on at least nine occasions without consent. Ironically, the Privacy Commissioner’s interim report was leaked, not surprisingly, to the Age. That is quite unusual and is unlikely to impress the regulator or American Express.

Based on the article it appears that American Express does not track employee access to customer accounts across 78 per cent of its systems. This is a classic exposure to “insider threat” risks. It is surprising that American Express did not have the technology to restrict staff access to certain customer accounts. It cites operational complexity as a reason for not implementing those controls. This is of course nonsensical. Banks have long had such technology. Rogue, or even just foolishly inquisitive, employees who access accounts not related to their job are summarily dismissed as a matter of rigid practice. American Express relied on internal policies and staff training to prevent misconduct. That should be part of the process but not the end of it. What was particularly disturbing is that staff with basic privileges, based in Australia and overseas, had “full and unfettered access” to the private information of Australian customers, which include celebrities, politicians, politically exposed individuals and vulnerable people. This is quite extraordinary for a company of American Express’s size and profile, especially as it had an internal data breach revealed two years ago. Unfortunately this level of complacency is all too common: many other entities give employees broad and sometimes unfettered access to personal information even where they have no need to access that data. Often companies do not log access, so internal threats cannot be identified.
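As an added illustration (not from the Age report, the Privacy Commissioner or American Express), the following Python shows the kind of access-log review the post says was absent: constructed access records are checked against the tickets that authorise work on an account, and repeated unjustified access by one employee to one account is surfaced. The log format and the ticket-to-account map are assumptions for the example.

```python
"""Flagging employee access to customer accounts that has no work justification.

Added example; the log lines and ticket map below are constructed, and the
format "timestamp,employee,account,ticket" is an assumption, not any real
system's schema.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log lines. The "ticket" column is empty when an employee
# opened an account with no case, complaint or transaction attached.
SAMPLE_LOG = """\
2025-09-01T09:02:11Z,emp017,acct-4481,TKT-1001
2025-09-01T09:15:40Z,emp017,acct-9920,
2025-09-01T10:01:03Z,emp042,acct-9920,TKT-1007
2025-09-02T08:55:27Z,emp017,acct-9920,
2025-09-03T14:20:00Z,emp017,acct-9920,
2025-09-03T15:00:00Z,emp088,acct-1200,TKT-1009
2025-09-04T11:11:11Z,emp017,acct-9920,TKT-1001
"""

# Constructed: which account each ticket legitimately relates to.
TICKET_ACCOUNTS = {
    "TKT-1001": "acct-4481",
    "TKT-1007": "acct-9920",
    "TKT-1009": "acct-1200",
}


def parse_log(text):
    """Parse the constructed CSV-like lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, account, ticket = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "employee": employee,
            "account": account,
            "ticket": ticket or None,
        })
    return events


def unjustified_accesses(events, ticket_accounts):
    """Events with no ticket, or whose ticket belongs to a different account."""
    flagged = []
    for ev in events:
        ticket = ev["ticket"]
        if ticket is None or ticket_accounts.get(ticket) != ev["account"]:
            flagged.append(ev)
    return flagged


def repeat_offenders(flagged, threshold=3):
    """(employee, account) pairs with `threshold` or more unjustified accesses."""
    counts = Counter((ev["employee"], ev["account"]) for ev in flagged)
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flagged = unjustified_accesses(parse_log(SAMPLE_LOG), TICKET_ACCOUNTS)
    for ev in flagged:
        print(f"{ev['ts'].isoformat()} {ev['employee']} -> {ev['account']} "
              f"ticket={ev['ticket']}")
    print(repeat_offenders(flagged))
```

On the constructed log, every access by emp017 to acct-9920 is flagged, including the one that cites a ticket raised for a different account.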

It is interesting to see American Express adopt Read the rest of this entry »

Privacy Commissioner issues new guidance to Social Media Platforms regarding age limits

October 16, 2025

As 10 December approaches the regulators are releasing guidance. Last month the eSafety Commissioner issued its guidance. Last Friday the Privacy Commissioner issued a statement and guidance. As the Guidance makes clear, more is expected of entities in handling and, importantly, destroying data. Part 4A of the Online Safety Act 2021 sets out quite detailed obligations upon social media platforms. For social media entities this will require a very thorough audit of data collection and use practices.

The Statement provides:

The Office of the Australian Information Commissioner (OAIC) has published regulatory guidance for age-restricted social media platforms and age assurance providers on compliance with the privacy provisions for the Social Media Minimum Age (SMMA) scheme, due to take effect on 10 December.

Privacy Commissioner Carly Kind said that the guidance reflects the stringent legal obligations on entities to ensure that age assurance is applied proportionately and through privacy-respecting approaches.

“Today we’re putting age-restricted social media platforms on notice,” Ms Kind said. “The OAIC is here to guard and uplift the privacy protections of all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful.”

The OAIC co-regulates SMMA alongside eSafety. Last month, eSafety published their regulatory guidance detailing what ‘reasonable steps’ age-restricted social media platforms must take to prevent age-restricted users from having accounts, including guiding principles for the implementation of age assurance to meet SMMA obligations.

The OAIC’s guidance published today provides information for age-restricted social media platforms and third-party age assurance providers on handling personal information for age assurance purposes in the SMMA context.

“The OAIC is committed to ensuring the successful rollout of the SMMA regime by robustly applying and regulating the privacy rules contained in the legislation, in order to reassure the Australian community that their privacy is protected,” said Privacy Commissioner Carly Kind.

“eSafety has provided the rules of the game with their ‘reasonable steps.’ Now the OAIC is setting out what is out-of-bounds when it comes to the handling of personal information for age assurance in the social media minimum age context.

“Together, eSafety and the OAIC’s regulatory guidance outlines the field of play for age-restricted social media platforms and third-party age assurance providers.

“SMMA is not a blank cheque to use personal or sensitive information in all circumstances; we’ll be actively monitoring platforms to ensure they stay within the bounds by deploying age assurance proportionately and lawfully.”

Key considerations detailed in the guidance call on entities to:

    • note the additional privacy obligations in the SMMA scheme operate alongside the Privacy Act 1988 and the Australian Privacy Principles.
    • choose age-assurance methods that are necessary and proportionate, and assess the privacy impacts associated with each method.
    • minimise the inclusion of personal and sensitive information in age assurance processes.
    • note pre-existing personal information later used for SMMA purposes does not need to be destroyed where the original purposes are ongoing.
    • destroy personal information collected for SMMA purposes once purposes are met.
    • make sure that any further use of personal information collected for SMMA purposes is strictly optional, has the user’s unambiguous consent and can be easily withdrawn.
    • be transparent about the handling of personal information for SMMA purposes in privacy notices and at the moments it matters.

Together, these privacy safeguards impose stringent legal obligations on age-restricted social media platforms and age assurance providers. Failure to meet these obligations may constitute ‘an interference with the privacy of an individual’ and may trigger enforcement action.

Further OAIC resources will be released soon to help Australians understand what personal information may be handled through age assurance methods, as well as educational resources for children and families to help them navigate the changes and support conversations about children’s privacy online.

For more information and to view the guidance, visit: www.oaic.gov.au/privacy/privacy-legislation/related-legislation/social-media-minimum-age

Background

The OAIC co-regulates the Social Media Minimum Age Scheme with eSafety. Specifically, the OAIC oversees the compliance and enforcement of the privacy provisions set out in Section 63F of Part 4A of the Online Safety Act 2021, which operate in tandem with the Privacy Act 1988.

Key aspects of the guidance are:

  1. Purpose Limitation – section 63F(1). Entities that hold personal information collected for, or including, SMMA purposes must not use or disclose that information for any other purpose. There are limited exceptions under APP 6.2(b)–(e) which permit use or disclosure, or where the individual gives voluntary, informed, current, specific and unambiguous consent under section 63F(2). This standard goes beyond the general APP 6 framework. The inclusion of “unambiguous” as an element of consent precludes the use of pre-selected settings or opt-outs when seeking consent. The reuse of information is prohibited unless clearly authorised or in the exceptional circumstances set out in APP 6.2(b)–(e).
  2. Information Destruction – section 63F(3). Once personal information collected for SMMA purposes has been used or disclosed for those purposes, that personal information must be destroyed. De-identification is not permitted. The destruction must happen as soon as all SMMA purposes are met. This obligation is stricter than APP 11.2, which permits de-identification or retention for ancillary business needs. Pre-existing data used to support age assurance remains governed by APP 11.2.
  3. Enforcement. The Privacy Commissioner has the power to investigate and take action for breaches, as a breach of section 63F constitutes an “interference with the privacy of an individual” under the Privacy Act. Those actions include investigating, making determinations, and requiring remediation or compensation. Individuals may also lodge complaints directly with the Privacy Commissioner.
  4. Part 4A does not replace the APPs. It is an overlay of stricter duties in addition to the existing APPs. The APPs still apply in their entirety.

Under the Guidelines Platforms cannot retain information “just in case” it is useful later. The OAIC can investigate and enforce directly, even against entities not previously regulated, such as small technology providers or overseas processors.

The OAIC expects age assurance solutions to be privacy by design, backed by an early-stage Privacy Impact Assessment (PIA) that examines proportionality, necessity and data minimisation. That may be a new concept for some entities. In establishing the processes and procedures the least privacy-invasive method should be used. It should be tested through a PIA before deployment.

The OAIC recommends establishing a “ring-fenced SMMA environment” — a segregated technical and data structure where age assurance information is processed, stored and destroyed separately from other systems. Only minimal artefacts, such as a binary “16+ yes/no” result, method and timestamp, should persist. Inputs like ID scans or selfies must be deleted immediately after use.
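An added example (not OAIC’s code or any platform’s): a small Python model of the ring-fenced SMMA store described above. It persists only the 16+ result, method and timestamp, enforces the section 63F purpose limitation so that any non-SMMA use needs an explicit, withdrawable opt-in, and destroys the artefact once purposes are met. The age-check function is a constructed stand-in for a real age assurance provider.

```python
"""Ring-fenced age assurance record keeping, modelled on the OAIC guidance.

Added example, not OAIC or platform code. The age-check callable and the
"DOB:YYYY-MM-DD;..." input format are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional, Set

SMMA_PURPOSE = "smma-age-verification"


@dataclass(frozen=True)
class AgeAssuranceArtefact:
    """The only data that survives a check: no ID scan, selfie or date of birth."""
    over_16: bool
    method: str            # e.g. "id-document" or "facial-estimation"
    checked_at: datetime


class PurposeLimitationError(Exception):
    """Raised when SMMA data would be used for a purpose section 63F does not allow."""


class RingFencedSMMAStore:
    def __init__(self, age_check: Callable[[bytes], bool]):
        self._age_check = age_check                  # assumed external checker
        self._artefacts: Dict[str, AgeAssuranceArtefact] = {}
        self._consents: Dict[str, Set[str]] = {}     # user -> opted-in purposes

    def assure(self, user_id: str, method: str, raw_input: bytes) -> AgeAssuranceArtefact:
        """Run the check and keep only the minimal artefact; the input is not retained."""
        result = self._age_check(raw_input)
        artefact = AgeAssuranceArtefact(result, method, datetime.now(timezone.utc))
        self._artefacts[user_id] = artefact
        # Nothing in the store references raw_input; it is gone once this frame ends
        # (bytes are immutable, so "deletion" here means holding no reference).
        del raw_input
        return artefact

    def use(self, user_id: str, purpose: str) -> Optional[AgeAssuranceArtefact]:
        """Release the artefact only for SMMA purposes or an unambiguously consented one."""
        if purpose != SMMA_PURPOSE and purpose not in self._consents.get(user_id, set()):
            raise PurposeLimitationError(f"{purpose!r} is not an SMMA purpose and lacks consent")
        return self._artefacts.get(user_id)

    def give_consent(self, user_id: str, purpose: str, explicit_opt_in: bool) -> None:
        """Consent must be an affirmative act; a pre-ticked default is not consent."""
        if not explicit_opt_in:
            raise PurposeLimitationError("consent must be an explicit opt-in, not a default")
        self._consents.setdefault(user_id, set()).add(purpose)

    def withdraw_consent(self, user_id: str, purpose: str) -> None:
        """Withdrawal must be as simple as giving consent."""
        self._consents.get(user_id, set()).discard(purpose)

    def destroy(self, user_id: str) -> bool:
        """Destroy (not de-identify) the artefact once SMMA purposes are met."""
        return self._artefacts.pop(user_id, None) is not None

    def retained_fields(self, user_id: str):
        """Field names held for a user: an audit check against over-retention."""
        art = self._artefacts.get(user_id)
        return sorted(vars(art)) if art else []


def constructed_age_check(raw_input: bytes) -> bool:
    """Constructed stand-in: treats anyone born in 2009 or earlier as 16+ at the
    scheme's 10 December 2025 start. A real provider would do far more than this."""
    year = int(raw_input.split(b";")[0].split(b":")[1][:4])
    return year <= 2009
```

The `retained_fields` check is the kind of assertion a PIA reviewer can run to confirm that inputs such as ID scans never persist alongside the result.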

The OAIC supports inference-based and AI-driven approaches but with clear restrictions: they must be transparent, demonstrably accurate, and not rely on continuous behavioural tracking or unnecessary sensitive data such as biometric or content analysis.

The process must be transparent. That includes:

  • just-in-time notifications at the point of data collection,
  • explaining what information is being collected, by whom, for how long, and why.
  • having privacy policies which clearly describe SMMA-specific processing and destruction practices.

Legal, product and design teams need to collaborate. Poorly designed consent or information screens — even if legally accurate — can amount to non-compliance.

Part 4A sets a higher bar for consent to secondary uses of information collected for SMMA purposes than the standard APP test. It must be:

  • voluntary,
  • informed,
  • current,
  • specific and unambiguous and
  • be able to be withdrawn.

The OAIC Guidance says that there should be:

  • no bundled or pre-ticked consents,
  • no reliance on general terms of use,
  • simple withdrawal mechanisms in dedicated privacy settings or contextually appropriate screens, and
  • consent which is purpose-specific and time-limited.

Section 63F’s destruction requirement is specific and Read the rest of this entry »