Author Topic: eevBLAB #52 - My Personal Data STOLEN from the Government!  (Read 11846 times)


Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5632
  • Country: au
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #25 on: September 22, 2018, 06:21:46 am »
Quote
One thing you need to be aware of is that WA Government agencies are not covered under the Privacy Act (1988) (the Act).  This is because of (1) the definition of who is covered by the  Act, and (2) because WA has *NO* privacy legislation.  Off the top of my head, I'm not sure if the WA Mint falls under one of the categories which are covered, but they well may not be...  This is something you can check by a call to the Office of the Australian Information Commissioner (OAIC) (email foi@oaic.gov.au) 1300 363 992.

I'm sorry but that's just not correct at all. Could you point to some references to support your claim?

The Privacy Act is federal legislation. It trumps any state/territory legislation to the contrary but also co-exists with existing state/territory legislation concerning the collection of personal information. The Privacy Act 1988 applies to all states and territories within Australia. In fact, if you look at the very first paragraph on the OAIC website concerning this, it says:

The Privacy Act 1988 (Privacy Act) regulates how personal information is handled by Australian Government agencies and the Norfolk Island administration, medium-to-large businesses, the not-for-profit sector, the credit reporting industry and health service providers.

The report by WA mint to OAIC was done because that is what is required of them by the act.
 

Offline (*steve*)

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #26 on: September 22, 2018, 07:15:22 am »
Please see the Privacy Act (1988) here https://www.legislation.gov.au/Details/C2014C00076

One of your objections is under section 109 of the Australian Constitution.  This act explicitly deals with inconsistency by generally deferring to State/Territory legislation.  Read section 3:

"It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction or disclosure of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act."

The fact that WA does not have Privacy legislation is important, but not the sole consideration here because many state acts make provision for the "collection, holding, use, correction or disclosure of personal information[...]"

Then section 6C (p36)

Starting with "What is an organisation?", and going through to "that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory."

Then further on page 37, "What is a State or Territory authority?" which lists a huge set of things.  Notably, and as I alluded to in my opening post, certain structures are exempted from this exemption.  6C(3)(c)(i) may apply to the Mint.

There are other methods by which organisations can be prescribed, exempted, or have certain functions exempted, but I doubt those are relevant here.

I think it is quite likely, but not 100% certain that
Quote
The report by WA mint to OAIC was done because that is what is required of them by the act.
Because it's not relevant to what I do, I've not looked to see if organisations exempt from the Act can volunteer to report to the OAIC.

The entire point of this is that *before* you go off complaining that the organisation has not reported completely, you should determine that the organisation is actually covered by the Act.  Once you find that it is, I would recommend you direct your enquiries to the OAIC.  As underfunded as they are, they have the power to actually get an answer; the Act doesn't really give an individual much power to demand anything (because there are so many ways they can fob you off).

« Last Edit: September 22, 2018, 07:16:58 am by (*steve*) »
 

Offline Brumby

  • Supporter
  • ****
  • Posts: 12288
  • Country: au
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #27 on: September 22, 2018, 09:53:30 am »
To me it sounds absurd to claim a Federal act has no power in a state because that state has no similar legislation - because that's what it sounds like you are saying.

While I'm no legal expert, the phrase "is not to affect the operation of a law of a State or of a Territory ... ... and is capable of operating concurrently with this Act." would indicate to me that, if there is no conflict between State law and the Federal privacy act, then they can both be applied to a given situation.  In the case where the state has no such legislation, then the Federal legislation carries full weight.

It's like having a Federal law to not detonate a nuclear bomb - but the state has no such laws.  It doesn't mean you can go to that state and blow shit up with one.
 

Offline (*steve*)

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #28 on: September 22, 2018, 02:19:13 pm »
Quote
To me it sounds absurd to claim a Federal act has no power in a state because that state has no similar legislation - because that's what it sounds like you are saying.

I didn't say that.

Quote
While I'm no legal expert

Funnily enough I rely on the advice of those who are.

Quote
It's like having a Federal law to not detonate a nuclear bomb - but the state has no such laws.  It doesn't mean you can go to that state and blow shit up with one.

No, it's like having a federal law that is drafted so as not to override state legislation. 

I'm not going to argue with you.  If you're correct, please inform the Federal AG and the AOIC, the various State Solicitors, and frankly as many other people as you can.  It will save me a hell of a lot of time and effort and let me retire early to my electronics hobby. 

 

Offline Brumby

  • Supporter
  • ****
  • Posts: 12288
  • Country: au
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #29 on: September 22, 2018, 04:11:52 pm »
Seems I've got the wrong end of the stick.  Maybe I'll reread this when my head cold clears.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5632
  • Country: au
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #30 on: September 22, 2018, 11:23:44 pm »
Quote
Please see the Privacy Act (1988) here https://www.legislation.gov.au/Details/C2014C00076

"It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction or disclosure of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act."

The key words here are "and is capable of operating concurrently with this Act". The above clause in the Privacy Act basically gives each state the ability to create its own laws in addition to the federal Privacy Act (although it seems a little redundant to me). As per Section 109 of the Australian Constitution, if there is a clash between state and federal law, then federal law takes precedence to the extent of the inconsistency.

Quote
The fact that WA does not have Privacy legislation is important, but not the sole consideration here because many state acts make provision for the "collection, holding, use, correction or disclosure of personal information[...]"

It really doesn't matter for the purposes of this thread whether Western Australia does or does not have its own laws regarding Privacy or the collection of personal information; this is why the Privacy Act 1988 exists.

Quote
Then section 6C (p36)

Starting with "What is an organisation?", and going through to "that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory." Then further on page 37, "What is a State or Territory authority?" which lists a huge set of things.  Notably, and as I alluded to in my opening post, certain structures are exempted from this exemption.  6C(3)(c)(i) may apply to the Mint.

You're looking at the wrong definition. Under Part IIIC (Notification of eligible data breaches), this part refers to "entity", not "organisation". An "entity" is defined as being an agency, organisation or a small business operator. Then, if you look at the definition of "agency", its interpretation is wide. The Western Australia Mint falls under this definition.

Quote
There are other methods by which organisations can be prescribed, exempted, or have certain functions exempted, but I doubt those are relevant here.

Correct.

Quote
I've not looked to see if organisations exempt from the Act can volunteer to report to the OAIC.

Yes they can but it doesn't apply in this case.

Quote
The entire point of this is that *before* you go off complaining that the organisation has not reported completely, you should determine that the organisation is actually covered by the Act.  Once you find that it is, I would recommend you direct your enquiries to the OAIC.  As underfunded as they are, they have the power to actually get an answer, the Act doesn't really give an individual much power to demand anything (because there are so many ways they can fob you off).

I made the comment in another thread that it was possible that WA Mint didn't fully comply with the requirements under the Privacy Act, specifically "the kind or kinds of information concerned". I haven't read the e-mails from WA Mint to Dave so I only made the suggestion based on Dave's comments before the video was uploaded to YouTube. Whilst I've studied law, I'm not an expert in legislation concerning privacy and the like. The wording is open to interpretation and I'm sure the legal experts at WA Mint would have advised correctly. However, not providing a complete list of the various fields/pieces of information that were stored in the database seems a bit dodgy to me.

I don't think anyone expects an organisation to send each and every person affected by a breach a personal letter to explain exactly what of theirs was stolen, but I would expect them to tell everyone what fields were in the database subject to the breach, then it would be up to the individual to determine whether they had provided that data to the organisation.

* I used the word state but consider this to also mean "territory".
 

Online EEVblog (Topic starter)

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #31 on: September 22, 2018, 11:48:59 pm »
The Perth Mint have now offered a third party credit monitoring service for 12 months for all those affected.
 

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4527
  • Country: gb
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #32 on: September 23, 2018, 12:14:41 am »
Quote
The Perth Mint have now offered a third party credit monitoring service for 12 months for all those affected.

I was offered something similar, when my account details (in the end, I think I was lucky, and my details were safe) were compromised (along with a huge number of others), because of a UK business being hacked. About 2 or 3 years ago.

But I ignored that measly offering, because I was worried it would need my credit card to verify who I am for the "free" 12 month period.
Then after the 12 months, they would charge me for the credit monitoring service and be a real nightmare (pain in the neck), to cancel. Needing lots of phone calls and listening to sales talk (which I'm not interested in), from sales reps, trying to sell me services I don't want. For just cancelling the "free" service.
« Last Edit: September 23, 2018, 12:18:52 am by MK14 »
 

Offline (*steve*)

  • Regular Contributor
  • *
  • Posts: 50
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #33 on: September 23, 2018, 02:35:43 am »
Quote
It really doesn't matter for the purposes of this thread whether Western Australia does or does not have its own laws regarding Privacy or the collection of personal information, this is why the Privacy Act 1988 exists.

Sigh.  Clearly expertise in electronics elicits a greater working knowledge of the Privacy Act (1988) than a person who has to deal with it, and more than the Federal AG and the OAIC have in administering it.

Please read the datasheet.  You don't even have to read the whole 346 pages. I have provided references to the information created for engineers using this product.  I would encourage you to read and understand that rather than the bullshit marketing fluff.

My last word on this (and then I'll leave you to your misinterpretation based on inaccurate media reporting of detailed technical information):

The Act EXCLUDES state agencies (and a broad range of other groups -- possibly including Dave -- from many/all provisions), and this MAY include the WA Mint.  I'm not saying it is a good thing any more than I would say that "Absolute Maximum" ratings are a good thing, they're just facts.  I have suggested how to find out, and once you have, how to leverage the Act to possibly get answers to your questions.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7695
  • Country: de
  • A qualified hobbyist ;)
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #34 on: September 23, 2018, 10:52:26 am »
Quote
But I ignored that measly offering, because I was worried it would need my credit card to verify who I am for the "free" 12 month period.
Then after the 12 months, they would charge me for the credit monitoring service and be a real nightmare (pain in the neck), to cancel. Needing lots of phone calls and listening to sales talk (which I'm not interested in), from sales reps, trying to sell me services I don't want. For just cancelling the "free" service.

It's like being robbed twice. >:(
 
The following users thanked this post: MK14

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5632
  • Country: au
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #35 on: September 23, 2018, 10:22:37 pm »
Quote
It really doesn't matter for the purposes of this thread whether Western Australia does or does not have its own laws regarding Privacy or the collection of personal information, this is why the Privacy Act 1988 exists.

Sigh.  Clearly expertise in electronics elicits a greater working knowledge of the Privacy Act (1988) than a person who has to deal with it, and more than the Federal AG and the OAIC have in administering it.

Please read the datasheet.  You don't even have to read the whole 346 pages. I have provided references to the information created for engineers using this product.  I would encourage you to read and understand that rather than the bullshit marketing fluff.

My last word on this (and then I'll leave you to your misinterpretation based on inaccurate media reporting of detailed technical information):

The Act EXCLUDES state agencies (and a broad range of other groups -- possibly including Dave -- from many/all provisions), and this MAY include the WA Mint.  I'm not saying it is a good thing any more than I would say that "Absolute Maximum" ratings are a good thing, they're just facts.  I have suggested how to find out, and once you have, how to leverage the Act to possibly get answers to your questions.

As I said, I have a very good grasp of law based on my previous employment. My electronics knowledge aside, I think I have a fairly clear understanding on how to interpret legislation. My interpretation has absolutely nothing to do with the media, in fact, I haven't read, seen or heard a single thing about it in mainstream media, mostly because I don't pay that much attention to it.

It seems it's you who is misinterpreting the law in this instance. I get that you're getting advice from others, but I find Chinese whispers never worked too well. As I said, I'm not going to pretend to know the ins and outs of privacy legislation, it's not my area of expertise, but you're still yet to point me to any piece of legislation which excludes the WA Mint from the definitions/clauses I pointed out previously. From what I can see it very much INCLUDES them. On one hand you're sitting on the fence by using words like "may", yet on the other hand you're arguing sections which I literally copied from the Privacy Act. If you're going to assert that I'm wrong, provide some evidence please.
 

Offline CatalinaWOW

  • Super Contributor
  • ***
  • Posts: 5173
  • Country: us
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #36 on: September 23, 2018, 10:32:13 pm »
What is silly about this is that anyone anywhere will loan a significant amount of money based on a single number, an email address and a password.  These data breaches shouldn't really matter.  They are annoying, troubling and all of that, but wouldn't have affected anything in the world of a few decades ago when you couldn't get any kind of credit unless the banker knew you and your employer personally.

We have gained much with the convenience of these remote transactions, but we have lost much too.  Perhaps we should swing the pendulum back the other way a bit and require something closer to the bandwidth involved in the older methods of giving credit.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5632
  • Country: au
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #37 on: September 23, 2018, 11:03:37 pm »
Quote
What is silly about this is that anyone anywhere will loan a significant amount of money based on a single number, an email address and a password.  These data breaches shouldn't really matter.  They are annoying, troubling and all of that, but wouldn't have affected anything in the world of a few decades ago when you couldn't get any kind of credit unless the banker knew you and your employer personally.

We have gained much with the convenience of these remote transactions, but we have lost much too.  Perhaps we should swing the pendulum back the other way a bit and require something closer to the bandwidth involved in the older methods of giving credit.

Most (all?) banks in Australia now use two-factor authentication. Whilst it's not enforced on every account, the banks tend to limit their liability by restricting transfer limits. For example without 2FA, the most I can transfer out of my account is $1000. With 2FA, I can increase that up to $10,000 per day.

But all the security measures in the world won't protect people from themselves; for starters, they need to stop using the same passwords for their various accounts!
 

Offline (*steve*)

  • Regular Contributor
  • *
  • Posts: 50
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #38 on: September 25, 2018, 11:13:28 am »

Quote
As I said, I have a very good grasp of law based on my previous employment. My electronics knowledge aside, I think I have a fairly clear understanding on how to interpret legislation. My interpretation has absolutely nothing to do with the media, in fact, I haven't read, seen or heard a single thing about it in mainstream media, mostly because I don't pay that much attention to it.

It seems it's you who is misinterpreting the law in this instance. I get that you're getting advice from others, but I find Chinese whispers never worked too well. As I said, I'm not going to pretend to know the in's and out's of privacy legislation, it's not my area of expertise, but you're still yet to point me to any piece of legislation which excludes the WA Mint from the definitions/clauses I pointed out previously. From what I can see it very much INCLUDES them. On one hand you're sitting on the fence by using words like "may", yet on the other hand you're arguing sections which I literally copied from the Privacy Act. If you're going to assert that I'm wrong, provide some evidence please.

https://www.oaic.gov.au/privacy-law/rights-and-responsibilities

Scroll down to "Who doesn't have responsibilities under the Privacy Act?"

then read this:

The Privacy Act does not cover:
  • State or territory government agencies, including state and territory public hospitals and health care facilities (which are covered under state and territory legislation) except:
    • certain acts and practices related to My Health Records and Individual Healthcare Identifiers
    • entities prescribed by the Privacy Regulation 2013
  • individuals acting in their own capacity, including your neighbours
  • universities, other than private universities and the Australian National University
  • public schools
  • in some circumstances, the handling of employee records by an organisation in relation to current and former employment relationships
  • small business operators, unless an exception applies (see above)
  • media organisations acting in the course of journalism if the organisation is publicly committed to observing published privacy standards
  • registered political parties and political representatives.

This is, of course, not as authoritative as the references to the Act that I have already provided. 

And I am VERY MUCH on the fence as to whether or not the Mint is covered -- you simply assume they are.  I was pointing out that state agencies ARE NOT covered, and IF it includes the Mint, it is a reason why they don't have to do what the ACT says an organisation under the act has to do.  My advice continues that you should (1) find out, and (2) IF they are, take up any perceived non-compliance with the OAIC.

The legal question concerning the Mint is whether their corporate structure falls one way or the other with respect to the Act. 

I would recommend that Dave, in his next communication with the Mint, ask "Are you covered by the Privacy Act (1988)?"
 
The following users thanked this post: thm_w

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5632
  • Country: au
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #39 on: September 25, 2018, 11:55:25 pm »

Quote
As I said, I have a very good grasp of law based on my previous employment. My electronics knowledge aside, I think I have a fairly clear understanding on how to interpret legislation. My interpretation has absolutely nothing to do with the media, in fact, I haven't read, seen or heard a single thing about it in mainstream media, mostly because I don't pay that much attention to it.

It seems it's you who is misinterpreting the law in this instance. I get that you're getting advice from others, but I find Chinese whispers never worked too well. As I said, I'm not going to pretend to know the in's and out's of privacy legislation, it's not my area of expertise, but you're still yet to point me to any piece of legislation which excludes the WA Mint from the definitions/clauses I pointed out previously. From what I can see it very much INCLUDES them. On one hand you're sitting on the fence by using words like "may", yet on the other hand you're arguing sections which I literally copied from the Privacy Act. If you're going to assert that I'm wrong, provide some evidence please.

https://www.oaic.gov.au/privacy-law/rights-and-responsibilities

Scroll down to "Who doesn't have responsibilities under the Privacy Act?"

then read this:

The Privacy Act does not cover:
  • State or territory government agencies, including state and territory public hospitals and health care facilities (which are covered under state and territory legislation) except:
    • certain acts and practices related to My Health Records and Individual Healthcare Identifiers
    • entities prescribed by the Privacy Regulation 2013
  • individuals acting in their own capacity, including your neighbours
  • universities, other than private universities and the Australian National University
  • public schools
  • in some circumstances, the handling of employee records by an organisation in relation to current and former employment relationships
  • small business operators, unless an exception applies (see above)
  • media organisations acting in the course of journalism if the organisation is publicly committed to observing published privacy standards
  • registered political parties and political representatives.

This is, of course, not as authoritative as the references to the Act that I have already provided. 

And I am VERY MUCH on the fence as to whether or not the Mint is covered -- you simply assume they are.  I was pointing out that state agencies ARE NOT covered, and IF it includes the Mint, it is a reason why they don't have to do what the ACT says an organisation under the act has to do.  My advice continues that you should (1) find out, and (2) IF they are, take up any perceived non-compliance with the OAIC.

The legal question concerning the Mint is whether their corporate structure falls one way or the other with respect to the Act. 

I would recommend that Dave, in his next communication with the Mint, ask "Are you covered by the Privacy Act (1988)?"

Don't just rely on the dot-points on the OAIC website; for example, if you scroll up a little bit it states:

Who has responsibilities under the Privacy Act?
Australian Government agencies (and the Norfolk Island administration) and all businesses and not-for-profit organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.

As I said, read the actual legislation.

Quote
26WK  Statement about eligible data breach

Scope

(1)  This section applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.

Statement

(2)  The entity must:
  (a)  both:
    (i)  prepare a statement that complies with subsection (3); and
    (ii)  give a copy of the statement to the Commissioner; and
  (b)  do so as soon as practicable after the entity becomes so aware.

(3)  The statement referred to in subparagraph (2)(a)(i) must set out:
  (a)  the identity and contact details of the entity; and
  (b)  a description of the eligible data breach that the entity has reasonable grounds to believe has happened; and
  (c)  the kind or kinds of information concerned; and
  (d)  recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.

(4)  If the entity has reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, the statement referred to in subparagraph (2)(a)(i) may also set out the identity and contact details of those other entities.

Quote
entity means:
  (a)  an agency; or
  (b)  an organisation; or
  (c)  a small business operator.

Quote
agency means:
  (a)  a Minister; or
  (b)  a Department; or
  (c)  a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth enactment, not being:
    (i)  an incorporated company, society or association; or
    (ii)  an organisation that is registered under the Fair Work (Registered Organisations) Act 2009 or a branch of such an organisation; or
  (d)  a body established or appointed by the Governor‑General, or by a Minister, otherwise than by or under a Commonwealth enactment; or
  (e)  a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth enactment, other than a person who, by virtue of holding that office, is the Secretary of a Department; or
  (f)  a person holding or performing the duties of an appointment, being an appointment made by the Governor‑General, or by a Minister, otherwise than under a Commonwealth enactment; or
  (g)  a federal court; or
  (h)  the Australian Federal Police; or
  (ha)  a Norfolk Island agency; or
  (k)  an eligible hearing service provider; or
  (l)  the service operator under the Healthcare Identifiers Act 2010.


A number of exemptions exist, for example, complying with secrecy provisions, but they don't seem to apply here.
 

Online BrianHG

  • Super Contributor
  • ***
  • Posts: 7661
  • Country: ca
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #40 on: September 27, 2018, 03:59:08 pm »
How funny, bumped into this (shows you how the Australian government databases have been hacked many times and shared with others...):

 

