Data Breaches 2022 onward (including Optus)

Yes, but Robodebt was unlawful.

Yes, but only years after many had to either produce proof of their employment records to show they had no debt, or pay up or face debt collectors.

Yet that ‘minor issue’ did not stop the government of the day. Having personal records might have mitigated the immediate harm assuming real records would be accepted as an acceptable rebuttal for an unlawful demand.

You are both assuming that the employer was lawfully not keeping or refusing to give the required data. What happens if there is a dispute with the tax office over the wages paid? I don’t have a reference handy but I seem to recall employers need to keep this data for a specified period.

I think tax records for the salary payer (the employer) must be kept for 7 years.

Tax records for the taxpayer (the individual, the employee) must be kept for 5 years.

In either case, of course that period extends if you are in dispute with the ATO, in which case you have to keep records “forever”, until the dispute is finally resolved.

The effect is that a company would legitimately keep payroll data about you for 7 years. So that is the data breach period after you cease employment with that employer, which is unfortunate, but we always knew that government is part of the problem as far as Data Retention is concerned.

The best we can hope for is that the government limits companies to retaining data no longer than the legally-required period where government is part of the problem (in other words, the Data Retention period is both the minimum and the maximum).

Where the government is not part of the problem (let’s say Latitude Financial, but I can’t be sure of that) then the government should be limiting companies to, say, 2 years of Data Retention.

In any case, the Privacy Act invites companies to retain the data but de-identify it. I wonder how many companies are taking up that option (as opposed to ignoring their obligations and Retaining Data, or just deleting it).

Developing: Tasmanians affected by security breach of third-party file transfer service - ABC News

(nowhere near enough detail to make further comment)

Update: (still struggling to get detail) Names, addresses and bank account details potentially at risk after hack, Tasmanian government says - ABC News

Update: Minister confirms 16,000 documents released online in Tasmanian data breach, helpline set up - ABC News

Update: Tasmanian cyber attack grabs TasTafe, Teachers Registration Board data - ABC News

Update: Ex-student caught up in Tasmanian cyber hack questions why seven-year-old data held by government - ABC News

Data Retention strikes again.

Also, this is quite a bit bigger than initially understood.

It stems from a breach, in early February, of Fortra’s GoAnywhere system that resulted in data from 130 organisations around the world being leaked.

I can see why they are kept longer. Many workers compensation claims can occur some time after employment has ceased. Examples being lung disease resulting from the work environment. Many such diseases can occur many decades after exposure. Likewise other ailments (physical or psychological) resulting from the workplace which can have long-term onset. An example is a head injury at a workplace which causes a longer-term brain injury like that which can occur for sportspeople. Records may need to be kept of the type of work, exposures and workplace incidents which occurred in the workplace. Some personal details are also kept to link an individual to the workplace. If such records are ‘destroyed’, it may make future claims more difficult as it becomes very much ‘he said, she said’.

No assumption was made excepting for some reason formal records were not available and the government, not assumed proven, was acting unlawfully.

Another day, another dollar for the scammers: Data of thousands of TAFE SA students stolen in breach spanning over five years - ABC News

Yet more copies of valid identity documents out there.


A different kind of data breach: Former Victoria Police officer pleads guilty to misusing his position to pursue sexual relationships - ABC News

Not creepy at all.

It might be worse!
Where other than your trusted employer are all the following personal details likely to be found? Also likely alongside your employee ID card that usually includes a recent photo, and possibly a matching driver’s licence necessary to drive a work vehicle.


The same different kind of data breach: Former Service NSW employee granted bail over alleged involvement in Sydney kidnapping - ABC News

In what way does this story relate to the topic?

Data is collected. Data is accessed without authorisation, for the benefit of the party making the access and to the detriment of the person whose data it is.

Same same.

Sure, it’s an “inside job” in this case (Service NSW) and the previous similar case (Victoria Police).

The second one (Service NSW) certainly reaches the threshold of “serious harm” to make the breach notifiable!

There is no requirement under the NDB Scheme for the number of people affected to be “massive”. The test is “one or more individuals”.

It is also fair to ask: If one employee has been caught doing this, how many are doing it but have not been caught?

And with any data breach, it is fair to ask, as an organisation, how can we do better towards stopping it happening in the future?

The data was accessed in an authorised manner, by an authorised person.

So where is the breach in the context of this topic?

If simply using data for a purpose not intended is considered a breach, then that is one of code of conduct, or the law. Not in the context of defeating an organisation’s security to gain access to data.

The Latitude data breach has extended further, where Coles has confirmed that its former customers with a Coles or Myer credit card (issued in the past by GE Money) have also had their data breached:


It is almost certainly a breach of the law regarding how the information was handled.

From the Privacy Act 1988

section 14, Principle 9

A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Abducting and torturing someone, and extorting someone, is not relevant use of the information collected by Service NSW.

At least Service NSW doesn’t disclose this as a purpose of collecting the information when they do so. 😉

Schedule 3, Principle 2 also says

An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless [various lengthy conditions that do not apply here].

It seems that the person who accessed the data would ordinarily be authorised to access data in the general sense. However, it is suggested in the article that, at best, the data was accessed as “a favour” to someone else (and presumably, at worst, as an active participant in serious criminal activity).

While I don’t have available to me Service NSW’s procedural documentation, it seems highly likely that this kind of gratuitous access to records is unauthorised. That is to say, access would only be “authorised” if it is in accordance with conditions similar to what appears in the Privacy Act. It is not authorised merely because the employee has access.

(Police forces have similar problems with gratuitous access. Consequently, the system will record all access to records and it can be audited later on. A police officer can be asked to justify why a record was accessed e.g. what investigation it was pertinent to. I don’t know whether Service NSW does something similar - or it takes it on trust that employees don’t make gratuitous access.)

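An added example (not code from any poster, Service NSW or any police system) of the audit check the post above describes: every record lookup is logged with the case reference the operator gives as justification, and the audit pass flags lookups with no reference or with a reference to a case that operator is not assigned to. The log layout, field names, operator IDs and case IDs are all constructed for illustration.

```python
"""Audit a record-access log for lookups that cannot be justified.
Added example; log format, field names and sample rows are constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample log: one row per record access. 'case_ref' is the
# justification the operator supplied; blank means none was given.
AUDIT_LOG = """\
ts,operator,record_id,case_ref
2023-04-02T09:12:03,op17,R1001,C-551
2023-04-02T09:15:44,op17,R1002,
2023-04-02T09:16:10,op17,R1003,C-999
2023-04-02T10:01:30,op22,R1004,C-552
2023-04-02T10:02:00,op22,R1005,C-552
"""

# Constructed: the cases each operator is actually assigned to work on.
ASSIGNED_CASES = {"op17": {"C-551"}, "op22": {"C-552"}}


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_gratuitous_access(rows, assigned):
    """Return (row, reason) for each access that lacks a justification
    or cites a case the operator is not assigned to."""
    flagged = []
    for row in rows:
        ref = row["case_ref"].strip()
        if not ref:
            flagged.append((row, "no case reference supplied"))
        elif ref not in assigned.get(row["operator"], set()):
            flagged.append((row, f"case {ref} not assigned to operator"))
    return flagged


def per_operator_counts(flagged):
    """Count flagged accesses per operator, to prioritise who is asked to explain."""
    counts = defaultdict(int)
    for row, _reason in flagged:
        counts[row["operator"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = flag_gratuitous_access(parse_log(AUDIT_LOG), ASSIGNED_CASES)
    for row, why in hits:
        print(row["ts"], row["operator"], row["record_id"], why)
    print(per_operator_counts(hits))
```

In practice the "assigned cases" input would come from the case-management system, and a flagged lookup is a question to put to the operator, not proof of misuse.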

So as I said, it is a breach in the sense of a misuse of information, not a security breach.

So why is that relevant to this topic?

Straight off the OAIC web site:

A data breach happens when personal information is accessed or disclosed without authorisation or is lost.

Nothing about that requires there to have been a security breach.

If nothing else, the disclosure by the Service NSW employee to her associate is “without authorisation”.