Search This Blog

Monday, July 18, 2011

Why no action to fix mandatory notification and penalty gaps in privacy law?

 No not about the media-for a moment at least.

I'm sure the Privacy Commissioner is set to investigate the latest home town privacy failing to hit the news, this time by Medvet, Australia's largest provider of drug and alcohol testing in the workplace.The Weekend Australian reported Medvet's online store left accessible by Google, complete home and work addresses of customers and others who ordered paternity test kits, drug and alcohol test kits and other products this year and last year.  According to The Australian today the cached pages were still there 24 hours later despite the company stating on Friday that it was doing everything possible to overcome the privacy breach.

Apart from drawing attention to the lax standards that have allowed public access to potentially sensitive information of this kind, the incident also reminds of two big holes (there are others) in privacy law that the government says it intends-sometime- to fix: mandatory notification to those potentially affected by disclosure of personal information, and powers to seek penalties when significant breaches of privacy law are uncovered in the course of privacy commissioner own-motion investigations. These should be fixed promptly without more hand wringing or wheel spinning or waiting for the outcome of what is proving to be the long running saga of getting the redrafted Australian Privacy Principles through the Parliament.
  • No public or private organisation in Australia has an obligation at law to notify those affected by any breach of privacy standards. Last week the Privacy Commissioner reminded us in reporting on a Telstra breach two years before that the Australian Government was currently considering a recommendation from the Australian Law Reform Commission that the law require mandatory notification of a significant breach of privacy. It's had that recommendation since 2008.The Privacy Commissioner has said previously we need such a law. The Minister for Privacy and Freedom of Information Brendan O'Connor in May was reported as saying such a system now ''appears necessary." Perhaps those concerned take some comfort that Medvet says the "board has instructed that an independent investigation is undertaken immediately into how this has occurred, who is affected and what can be done to address it. Once we have all the facts we will contact the clients whose details have been published to the internet."  So relax until we get to you! Medvet aren't alone in all this. Sony Play Station took days to admit publicly there was a problem when what appears to have been a major breach of privacy came to light in May.
  • The Information Commissioner has no powers to impose or seek penalties if an own motion investigation finds a breach of privacy principles. In the Medvet case, the Sony PlayStation case, or the Vodaphone or Dell cases before them. The minister's predecessor Senator Ludwig said the Government intended to do something about this in October 2009  He repeated this in July last year telling us the Government was powerless to do much after the finding of "very serious" breaches through Google's street view cameras.
The Australian tells us Medvet is owned by the South Australian Government (one of two that doesn't have a privacy law) although you wouldn't know from its website. This site provides company information and describes it simply as a private company.

Medvet says it is "committed to observing the National Privacy Principles as set out in the Privacy Amendment (Private Sector) Act 2000" and published this apology:
"Medvet Laboratories deeply regrets that its web store security has been compromised, as a result of which some clients' delivery addresses and product order details have become available on the internet.  No client names, bank account details or results of any tests have been disclosed. On becoming aware of this Medvet Laboratories immediately closed the web store and we have initiated the necessary steps to have the information removed from the internet.   We sincerely apologise for this occurring and for any embarrassment this may have caused to our clients. If you have any concerns in regards to this matter please contact me on 08 8132 7410.
Greg Johansen
Managing Director
Medvet Laboratories"

No comments:

Post a comment