Author

Jodie Siganto

Bio: Jodie Siganto is an academic researcher from Royal Holloway, University of London. The author has contributed to research in topics: Privacy policy & Security information and event management. The author has an h-index of 1 and has co-authored 2 publications receiving 13 citations.

Papers
Journal Article
TL;DR: In this paper, the authors examined how nine Australian information security practitioners understood and constructed their role as delegated regulators of organisational information security processes and expressed a number of concerns that reveal a very different world to that traditionally portrayed as the discipline and practice of information security.

13 citations

Posted Content
TL;DR: This article examines six data breach-related OMIs undertaken by the Office of the Australian Information Commissioner (OAIC) between February 2011 and July 2012, with a particular focus on National Privacy Principle (NPP) 4.
Abstract: Data breaches resulting from information security failures continue to be an issue of pressing concern. The Office of the Australian Information Commissioner (‘OAIC’) recognises that data security is a major challenge for organisations. Starting in February 2011, the OAIC commenced a series of ‘high profile’ investigations into alleged data breaches. Each of these investigations was commenced by the Privacy Commissioner (the ‘Commissioner’) with reference to the OAIC’s Own Motion Investigation (‘OMI’) powers. These powers allow the Commissioner to conduct an investigation without any prior complaint being made. The Commissioner heralded the use of OMIs and the subsequent publication of reports as a change in its enforcement approach to ‘particularly serious or high profile privacy incidents’. All of these incidents related to data breaches. The new strategy was partially developed to increase the transparency of the OAIC’s investigation process and to help organisations and agencies to better understand their privacy responsibilities. Surprisingly, the Commissioner’s change in approach has received little scholarly attention given the heightened concern about data breaches and past criticisms of the Commissioner’s failure to pursue a robust enforcement approach. Previous research has focused on the way the OAIC has used its investigation powers generally, with only limited consideration of the use of powers in relation to data breach incidents. This article fills a gap in the current literature and examines the actual investigatory and decision-making procedures adopted in six data breach-related OMIs undertaken between February 2011 and July 2012. They involve a range of different respondents, different types of security incidents and different findings regarding breaches of privacy principles, with a particular focus on National Privacy Principle (‘NPP’) 4. 
NPP 4 required entities covered by the Privacy Act 1988 (Cth) (‘Privacy Act’) to implement reasonable security measures in order to protect personal information.

Cited by
Book
23 Apr 2020
TL;DR: By reformulating information privacy’s primary role of individual control as an interrupter of modulated power, Burdon provides a foundation for future law reform and calls for stronger information privacy law protections.
Abstract: In Digital Data Collection and Information Privacy Law, Mark Burdon argues for the reformulation of information privacy law to regulate new power consequences of ubiquitous data collection. Examining developing business models based on collections of sensor data – with a focus on the ‘smart home’ – Burdon demonstrates the challenges that are arising for information privacy’s control model and its application of principled protections of personal information exchange. By reformulating information privacy’s primary role of individual control as an interrupter of modulated power, Burdon provides a foundation for future law reform and calls for stronger information privacy law protections. This book should be read by anyone interested in the role of privacy in a world of ubiquitous and pervasive data collection.

18 citations

Book Chapter
01 Apr 2020

15 citations

Journal Article
TL;DR: It is argued that securing needs to be considered as a critical component of being secure, as it is often undervalued and not recognised as a distinct theoretical part of the discipline of information security.

15 citations

Book Chapter
01 Apr 2020

14 citations

Book Chapter
01 Apr 2020

14 citations