12 November 2016

Cars

The National Transport Commission's paper Regulatory reforms for automated road vehicles [PDF] comments
Automated vehicles offer the possibility of fundamentally changing the transport task and society. It is likely this technology can improve road safety, mobility, productivity and environmental outcomes. However, current regulations do not adequately support automated road vehicles and there is uncertainty about how and when current policies and regulations will be adapted. There is also a risk that, without a national and coordinated response to automated vehicle reform, Australia’s complex regulatory framework will result in inconsistent regulation of automated vehicles across states and territories.
In this policy paper, the National Transport Commission (NTC) recommends that the Commonwealth and state and territory governments support on-road trials, remove unnecessary legal barriers, and provide for the safe operation of automated vehicles. These reforms should be undertaken in a phased approach, with near-term, medium-term and long-term priorities, based on an assessment of when different levels of automated vehicles are likely to be commercially available in Australia.
In November 2015 the Transport and Infrastructure Council tasked the NTC to identify any regulatory or operational barriers associated with the introduction of road and rail vehicles that are more automated. The NTC project has identified:
• There are no regulatory barriers to automated rail (including light rail) in Australia, and the NTC project will not be considering automated rail further. 
• Current regulations can support vehicles that have partial or conditional automation, but control of the vehicle needs to be clarified. 
• There are legal barriers to highly and fully automated road vehicles. 
• A nationally consistent regulatory framework can support automated road vehicles. The regulatory framework should be underpinned by nationally agreed policy principles.
The NTC has identified regulatory barriers
The NTC has identified regulatory barriers for highly or fully automated road vehicles and a number of actions that could increase industry and consumer certainty for vehicles that are conditionally automated or still require a human driver. 
In assessing current regulations and policy settings the NTC has identified the following issues: 
1. Supporting on-road trials and demonstrations
• There are currently no nationally-consistent guidelines or conditions for on-road trials of automated vehicle technology. 
2. Supporting automated driving that requires a human driver
• It is unclear who is in control of an automated vehicle when the human driver must monitor the automated driving system and intervene if requested. 
• The enforcement interpretation of proper control that requires a human driver to have at least one hand on the steering wheel is likely to become outdated. 
3. Automated driving that does not require a human driver
• There is no regulatory framework in place for governments to ensure the safe operation of automated vehicles that do not require a human driver. 
• Road rules and other laws, including many compulsory third-party insurance schemes, assume a human driver and would not apply in the same way to vehicles that do not have a human driver. 
• It is uncertain how government agencies would access automated vehicle data, and in what circumstances.
• Current Australian Design Rules (ADRs) and in-service vehicle standards have vehicle standards that require a human driver. They also do not have regard to other matters that are likely to be relevant to automated vehicles, such as security and behavioural compliance with road rules.
Additional issues should continue to be monitored by governments as the technology develops. These include potentially increased safety risks related to vehicle modification, maintenance and repair, resolving complex liability scenarios, privacy protection and access to data to determine fault and civil liability. This policy paper sets out key policy findings and eight recommendations to address these issues.
The policy findings and recommendations reflect extensive engagement with government and industry, including vehicle manufacturers, motoring groups, law societies, researchers, insurers, police and road and transport agencies. In February 2016 the NTC published an issues paper for consultation, Regulatory barriers to more automated road and rail vehicles. The consultation identified key issues and project scope and confirmed that there are no regulatory barriers relating to rail vehicles that are more automated. In May 2016 the NTC published a discussion paper for consultation, Regulatory options for automated vehicles. This paper discussed key issues based on a comprehensive NTC legal audit of Commonwealth and state and territory legislation, summarised stakeholder feedback to the issues paper and canvassed potential options to address the identified issues. The consultation confirmed the key issues and proposed timing and sequencing of reforms. ....
In arguing that "national reform is needed" the NTC states
Industry and consumer uncertainty that automated vehicles are legal 
Vehicle manufacturers are progressively introducing increased levels of automated driving controls in their vehicles. Automated vehicles could significantly improve road safety outcomes by preventing crashes and reducing deaths and serious injuries, yet the technology cannot be fully used unless our current regulations are reformed. Lack of certainty relating to who or what is in control of an automated vehicle, and the concept of the driver in legislation, are the key regulatory barriers to increasingly automated vehicles.
National and international consistency of laws related to automated vehicles 
The Australian Government has responsibility for design rules for new vehicles, but state and territory governments have jurisdiction over in-service vehicle standards, road rules, enforcement, registration and licensing. There is a risk that this complex regulatory framework will result in inconsistent regulation of automated vehicles across states and territories. There is also a risk that regulations will be inconsistent with relevant international standards and conventions. This would constitute a significant barrier to the introduction of automated vehicles in what is primarily a global and import-based market. 
The phased timing of reforms 
The reform program outlined in the recommendations reflects a considered view that the timing of reforms should be phased as near-term (commence as soon as possible), medium-term (commence reforms within two years) and long-term (commence reforms within three to five years). This categorisation has been determined based on key assumptions we have tested with industry through the consultation process.
These assumptions are that:
• Demand to trial different levels of driving automation on public roads is already occurring and is expected to increase significantly in the next two to three years.
• Large-scale commercial deployment of increasingly automated vehicles that still require a human driver is expected by 2020. 
• Large-scale commercial deployment of automated vehicles that do not require a human driver (for some, or all of the journey) is expected after 2020. 
Governments seek to ensure that they do not regulate too early – which could create artificial barriers to emerging technologies – or that they regulate too late and stop proven safety-related technologies from being deployed. The NTC therefore recommends that governments adopt a phased reform program, recognising that the program must be sufficiently flexible to reprioritise and address emerging technologies and market developments as required.
The NTC accordingly recommends "actions approved by the Transport and Infrastructure Council"-
Government support of on-road trials of automated vehicles for all levels of automated driving 
1. That the NTC and Austroads develop national guidelines for on-road field testing and trials of automated vehicles in Australia.
2. That state and territory road and transport agencies and the National Heavy Vehicle Regulator (NHVR) undertake a review of current exemption powers to ensure they have sufficient powers to undertake and manage on-road trials of automated vehicles, including in relation to vehicle standards, road rules and driver licensing requirements, and to review how cross-border trials could be managed.
Certainty for industry and governments as to: (1) who is in control of an automated vehicle (2) how enforcement agencies will apply the ‘proper control’ requirement in the road rules to all levels of driving automation
3. That the NTC develops national enforcement guidelines that clarify regulatory concepts of control and proper control for partial, conditional, highly and fully automated vehicles. The NTC should develop guidelines that have regard to international standards and best practice and in collaboration with state and territory road, transport and police agencies and public prosecutors. 
4. That Australian transport ministers agree to reaffirm the existing policy position that: 
4.1 The human driver remains in full legal control of a vehicle that is partially or conditionally automated, unless or until a new position is developed and agreed (in alignment with recommendation 3).
4.2 The human driver of a partially or conditionally automated vehicle should only undertake non-driving tasks currently permitted by the road rules and existing enforcement policies and guidelines, unless or until a new position is developed and agreed (in alignment with recommendation 3), or an exemption is provided by a road agency. 
A complete regulatory framework to support the safe commercial operation of automated vehicles 
5. That the NTC develop a national performance-based assurance regime designed to ensure the safe operation of automated vehicles, with an initial focus on vehicles with conditional automation (level 3). An initial briefing on process and technical performance requirements to be provided to ministers in May 2017.
6. That the NTC develops legislative reform options to clarify the application of current driver and driving laws to automated vehicles, and to establish legal obligations for automated driving system entities. 
7. That state and territory governments undertake a review of compulsory third-party and national injury insurance schemes to identify any eligibility barriers to accessing these schemes by occupants of an automated vehicle, or those involved in a crash with an automated vehicle. That, subject to the review of insurance schemes, each state and territory government amends its compulsory third-party insurance schemes in close consultation with each other and industry, and that the resulting reforms are nationally consistent wherever possible.

Disclosure

'How Cheap Is Corporate Talk? Comparing What Companies Tell Regulators With What They Tell Investors' by James W. Coleman in (2016) 40(1) Harvard Environmental Law Review comments
When companies face adverse proposed rules, they may want to convince regulators that the proposed rules are unworkable and should be changed while, at the same time, reassuring investors that the rules will be manageable. These conflicting incentives may lead to inconsistent messages in regulatory comments and securities disclosures, fueling a perception that corporate submissions to regulators are "cheap talk." Despite this perception, there has been no empirical study comparing statements to these two audiences. This project performs such a study, taking the example of comments submitted on the Environmental Protection Agency's Renewable Fuel Standard. This standard provides an ideal case study because controversial annual rulemakings have created a rich dataset of company comments that can be compared to contemporaneous security disclosures from the same companies. The empirical study demonstrates that oil companies do send inconsistent messages to their two audiences — warning regulators and reassuring investors. 
The article suggests that regulators use this methodology to assess the sincerity of industry warnings about the cost of regulation. Private and public enforcers of security disclosure laws should also use this method to identify companies that are hiding regulatory risks. Finally, now that a company's comments can be compared with its securities disclosures, corporate counsel should align company statements to avoid securities litigation and enhance the company's credibility in each forum.

10 November 2016

Health Claims

'Health and nutrition content claims on websites advertising infant formula available in Australia: A content analysis' by Nina J. Berry and Karleen D. Gribble in the latest Maternal and Child Nutrition comments
The use of health and nutrition content claims in infant formula advertising is restricted by many governments in response to WHO policies and WHA resolutions. The purpose of this study was to determine whether such prohibited claims could be observed in Australian websites that advertise infant formula products. A comprehensive internet search was conducted to identify websites that advertise infant formula available for purchase in Australia. Content analysis was used to identify prohibited claims. The coding frame was closely aligned with the provisions of the Australian and New Zealand Food Standard Code, which prohibits these claims. The outcome measures were the presence of health claims, nutrition content claims, or references to the nutritional content of human milk. Web pages advertising 25 unique infant formula products available for purchase in Australia were identified. Every advertisement (100%) contained at least one health claim. Eighteen (72%) also contained at least one nutrition content claim. Three web pages (12%) advertising brands associated with infant formula products referenced the nutritional content of human milk. All of these claims appear in spite of national regulations prohibiting them indicating a failure of monitoring and/or enforcement. Where countries have enacted instruments to prohibit health and other claims in infant formula advertising, the marketing of infant formula must be actively monitored to be effective.
 The authors conclude
Australian manufacturers of infant formula are disregarding regulatory prohibitions that apply to the inclusion of health and nutrition content claims in websites advertising their products. This suggests these prohibitions are not effectively enforced, or that sanctions applied do not present a significant disincentive. In order to rectify this situation, resources must be allocated to enforcing existing regulations. Furthermore, attention should be given to the question of whether existing sanctions present meaningful disincentives for non-compliance. Where countries have enacted instruments to prohibit health claims on infant formula, the advertising of these products must be actively monitored if those instruments are to be effective.

Families

The Family Law Council's final report on Families with complex needs and the intersections of the family law and child protection systems has been released by the Commonwealth Attorney-General.

The Council's recommendations are -
R1: Family safety services
The Australian Government consider ways of incorporating the expertise of specialist family violence services into the family law system to improve responses to families where there are issues of family violence or other safety concerns for children. This may include a combination of:
1) funding family violence services that provide embedded services in state and territory courts to continue to support clients with family violence issues when they move to the family law system to seek parenting or other orders;
2) embedding workers from specialist family violence services in the family courts and Family Relationship Centres;
3) creating a dedicated family safety service within the family law system.
R2: Early whole-of-family risk assessments
Having regard to the issues of abuse, neglect and family violence and the need for such evidence to be broadly available to protect children, the Australian Government should incorporate a whole-of-family risk assessment process into the family law system that is non-confidential and admissible.
R3: Family lawyers and risk identification
The Australian Government consult with the Family Law Section of the Law Council of Australia, legal practitioner regulation bodies, including National Legal Aid, and family law practitioners more broadly, to support the development of:
1) a simplified risk identification mechanism for parents and children for use by the legal profession
2) protocols and guidelines to assist practitioners to utilise strategies to ensure that risk is identified and managed effectively, including through warm referrals to specialised family violence services
3) the development of a strategy to support the implementation of these measures among legal practitioners who practice family law in the context of their professional obligations to their clients, their ethical responsibilities as legal practitioners and the professional indemnity issues that responses to risk raise.
R4: Family dispute resolution practitioners and risk management strategies
The Australian Government consult with key stakeholders, including Family and Relationships Services Australia, to identify how best to support a systematic approach to meeting client needs once an assessment that family dispute resolution should not proceed is made or risk is identified. The following options should be considered:
1) an amendment to Regulation 25 of the Family Law (Family Dispute Resolution Practitioners) Regulations 2008 to extend the obligations of family dispute resolution practitioners to their clients to encompass the following steps as required: (a) preparation of a safety plan and referral to a specialised family violence support service; (b) referral for legal advice on personal protection orders and options for addressing parenting arrangements; (c) referral for therapeutic support for affected parents and children; (d) referral to a men’s behaviour change program and other referrals in relation to other support needs, such as housing, mental health or substance misuse needs.
2) amendments to relevant funding agreements to support this extension of obligations.
R5: Judicial risk assessments and court ordered programs
The Family Law Act 1975 be amended to facilitate the making of court orders for observational assessment reports where the court orders a party to attend a post-separation parenting program or a men's behaviour change program.
R6: A court-based integrated services model
1) To provide evidence and a better structured system in a more child-focused way, the Australian Government should consider establishing a client-centred integrated service model to trial collaborative case management approaches to families with complex needs, to be piloted initially in one court registry and evaluated pending further roll out. Part of that trial should include the development of effective information sharing protocols.
2) In order to support the development of effective information sharing protocols, Council recommends the government clarify the confidentiality status of family dispute resolution intake assessments. 
R7: Case managed integrated services in the family relationships sector
To better address the complex nature of children’s disputes, the Australian Government consult with Family and Relationship Services Australia with a view to further developing a case managed integrated services approach attached to family dispute resolution and men's behaviour change programs across the whole family relationship services sector.
R8: Self-represented litigants with complex needs
The Australian Government explore the viability of piloting a Counsel Assisting model in cases with self-represented litigants and allegations of family violence or other safety concerns for children.
R9: Support services for families in rural and regional areas
Given the needs in regional areas for access to courts and court services;
1) The Australian Government provide funding to the family courts and family relationship services for improved technology to enable more video appearances and conferencing.
2) The Australian Government provide increased funding to the Federal Circuit Court and state and territory magistrates courts to enable the Federal Circuit Court to expand its regional circuits.
R10: Collaboration between family law and state and territory courts
The Australian Government explore through COAG or LCCSC the possibilities for increasing circuiting of Federal Circuit Court judicial officers and registry staff in state and territory magistrates courts, including specialist family violence courts and community justice centres.
R11: Family violence competency
The ability of professionals working in the family law system to understand family violence dynamics be strengthened by training programs and, more specifically:
1) The Australian Government develop, in partnership with other stakeholders, a learning package for professionals working in the family law system that provides both minimum competencies and in-depth and technical content designed for a range of roles, including family dispute resolution practitioners, family report writers and family lawyers (including Independent Children's Lawyers).
2) There should be a specific family violence and child sexual abuse module in the National Family Law Specialist accreditation scheme at the examination phase, professional development phase and re-accreditation phase as a compulsory requirement of being accredited.
3) That Legal Aid Commissions across Australia should consider requiring their in-house lawyers as well as all legal practitioners on their family law practitioner panels to demonstrate a sound awareness of family violence, trauma informed practice and an ability to work with victims of family violence.
R12: Joint professional development
1) To ensure there is consistent and national training, the National Judicial College of Australia develop a continuing joint professional development program for judicial officers from the family courts and state and territory courts in which judicial officers preside over matters involving family violence to strengthen understanding of family law and family violence and the impact of trauma.
2) The Australian Government engage with relevant professional bodies within the child protection, family law and family violence systems with a view to encouraging collaboration in designing and delivering joint training opportunities aimed at strengthening cross-professional understanding.
R13: Children’s views and experiences
1) The Australian Government establish a young person advisory panel to assist in the design of child-focused family law services that build on an understanding of children’s and young people’s views and experiences of the family law system’s services.
2) The Australian Government consult with children and young people as key stakeholders in developing guidelines for judges who may choose to meet with children in family law proceedings.
Recommendation 14: Family dispute resolution and confidentiality
1) The Australian Government consider ways to improve understanding among family dispute resolution practitioners of the nature of their confidentiality and admissibility obligations in order to reduce any perceived barriers to information sharing.
2) The word ‘imminent’ be removed from s 10H(4)(b) of the Family Law Act 1975.
3) The Australian Government clarify the admissibility status of family dispute resolution intake assessments.
R15: State and territory courts exercising family law jurisdiction
1) The National Judicial College of Australia develop a continuing joint professional development program in family law for judicial officers from the family courts and state and territory children's courts and magistrates courts.
2) If the Australian Government accepts Rec 15.1, then Council recommends amendment of the Family Law Act 1975 to increase the monetary limit for property division by courts of summary jurisdiction.
3) Council recommends an increase in Commonwealth funding to state and territory courts of summary jurisdiction to enable them to take on more family law work.
R16: Aboriginal and Torres Strait Islander families
1) The Australian Government implement the recommendations made by the Family Law Council in its 2012 report Improving the Family Law System for Aboriginal and Torres Strait Islander Clients.
2) Part VII of the Family Law Act 1975 be amended to provide for the preparation of Cultural Reports, which may be included in Family Reports for Aboriginal and Torres Strait Islander children where a cultural issue is relevant, and for the Family Report to include a cultural plan which sets out how the child’s ongoing connection with kinship networks and country may be maintained.
3) The Australian Government implement a process, including through amendments to the Family Law Act 1975, to support the convening of family group conferences for Aboriginal and Torres Strait Islander families in appropriate family law matters to assist informed decision-making in the best interests of the child, to allow them to be cared for within their own families and communities wherever possible, based on the Aboriginal and Torres Strait Islander Child Placement Principles.
4) The Australian Government consider a pilot of a specialised court hearing process in family law cases that involve an Aboriginal or Torres Strait Islander child to enhance cultural safety for Aboriginal and Torres Strait Islander families, including through the participation of Elders or Respected Persons who can provide cultural advice to the court in relation to the child or young person and a specially reconfigured courtroom design.
5) The Australian Government consult with Aboriginal and Torres Strait Islander representative institutions in the development of any reforms arising from Council’s work that affects Aboriginal and Torres Strait Islander children.
R17: Culturally and linguistically diverse families
1) The Australian Government implement the recommendations made by the Family Law Council in its 2012 report Improving the Family Law System for Clients from Culturally and Linguistically Diverse Backgrounds.
2) The Australian Government ensure that workers from Culturally and Linguistically Diverse-specific services are incorporated into the development of any court-based and family relationship sector-based integrated services model as recommended by Council in Recommendations 6 and 7.
3) The Australian Government implement a process, including through amendments to the Family Law Act 1975, to support the convening of family group conferences for families from culturally and linguistically diverse backgrounds in appropriate family law matters to assist informed decision-making in the best interests of the child, to allow children to be cared for within their own families and communities wherever possible.
R18: Court support workers
The Australian Government increase funding and resources to provide family violence trained court support workers, including workers from, or who have been appropriately trained to work with, Aboriginal and Torres Strait Islander and Culturally and Linguistically Diverse clients.
R19: Self-represented litigants and misuse of process
1) The Australian Government commission research that would support an understanding of how and to what extent the intentional and unintentional misuse of legal processes, such as the request for subpoenas, and other agencies and services relevant to family breakdown (family law services and courts, the child support system, child protection systems and civil family violence protection order systems) occurs and how this may be prevented.
2) The Australian Government commission research that would support an understanding of the extent, experience and dynamics of self-representation in family law matters involving families with complex needs, including matters where there are family violence and mental health issues.  
R20: Crossover cases
The Australian Government commission research to examine the extent to which the client bases of state and territory police and justice systems overlap those of the family courts to support the development of strategies to respond to these cases more effectively.
R21: Consent parenting orders
The Australian Government commission research to examine the dynamics of matters that resolve by consent, including the extent to which the arrangements consented to respond to any matters of risk that have been raised prior to the consent orders being made, and the extent to which orders made by consent are followed by further litigation.
R22: Legislative reform
The Australian Government instigate a review of Part VII of the Family Law Act 1975 with a view to supporting expeditious decision-making in matters involving risk to the child or other complex characteristics.

05 November 2016

Obscurity, Censorship and Personality Rights

'The Anglo-American / Continental Privacy Divide? How Civilian Personality Rights Can Help Reconceptualize the ‘Right to Be Forgotten’ Towards Greater Transnational Interoperability' by Karen Eltis in (2016) 94 Canadian Bar Review comments
The European Court of Justice’s much maligned decision in Google v Costeja González appears to compel search engines to remove links to certain impugned search results at the request of individual Europeans (and potentially by others beyond Europe’s borders). Further complicating an already thorny situation is the court’s failure to impart much-needed practical guidance in Costeja.
What is more, Costeja may inadvertently and ironically have the effect of appointing (chiefly American) ‘data controllers’ as unwitting private censors; arbiters of the European public interest. Indeed, the decision may be deemed a culmination of the growing divergence between Anglo-American and Continental approaches to privacy significantly extending beyond the United States, to the United Kingdom.
It further reflects internal normative contradictions within the continental tradition and emphasizes the urgency of re-conceptualizing digital privacy in a more transystemically viable fashion in Europe and beyond.
In light of the above, informational privacy, the following posits, must ultimately be re-theorized in a manner that would presumably obviate – or at the very least palliate – the need for a stand-alone ill-defined and under-theorized ‘right to be forgotten’, as set out at pains in Costeja. It is in essence a procedural right predicated on the impracticable idea that individuals ‘own’ data, rather than a right to their identity itself and the perception thereof. It therefore fails to accord with the long-established civilian tradition of personality rights, which, unlike its common law counterpart, emphasizes personhood not property. In the end, a more robust construction of privacy predicated on protecting identity would allow for a more nuanced balancing of privacy and freedom of expression.

29 October 2016

Blood Data Breach

The Australian Red Cross, in reporting the large scale breach regarding data about actual and prospective blood donors, states
On 26 October the Blood Service became aware a file containing donor information was placed in an insecure environment by a third party that develops and maintains the Blood Service’s website. This file contained registration information of 550,000 donors made between 2010 and 2016. Included in the file was information such as names, addresses and dates of birth. 
This information was copied by a person scanning for security vulnerabilities who then, through an intermediary, informed the Australian Cyber Emergency Response Team (AusCERT) with whom the Blood Service has membership. 
With assistance of AusCERT, the Blood Service took immediate action to address the problem. The Blood Service has been in communication with the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. 
IDCARE, a national identity and cyber support service, has assessed the information accessed as of low risk of future direct misuse. 
To our knowledge all known copies of the data have been deleted. However, investigations are continuing. 
The online forms do not connect to our secure databases which contain more sensitive medical information. 
The Blood Service continues to take a strong approach to cyber safety so donors and the Australian public can feel confident in using our systems.
In the circumstances the organisations' knowledge of deletion of copies is unlikely to be exhaustive.

Information exposed through the breach (responses to the online blood donor appointment request form) encompasses answers to
  • First and last name 
  • Address, Suburb, Postcode, State 
  • Mobile phone (optional) 
  • Email
  • Donor ID (optional)
  • Have you donated in the last 24 months?
  • Postcode or suburb for donation
  • Preferred date range request for donation, and preferred time of day
  • Preferred location for donation 
  • Preferred appointment time 
  • Date of birth 
  • Gender 
  • In the 4 months leading up to your appointment, will you travel outside of Australia? 
  • Between 1980 and 1986, did you live in the UK for a cumulative period of 6 months? 
  • Are you feeling unhealthy or unwell? 
  • Are you taking antibiotics at the moment? 
  • Are you currently pregnant or have you been pregnant in the last 9 months? 
  • Have you had an operation or surgical procedure in the last 6 months? 
  • Are you planning any operations or surgical procedures in the next 3 months? 
  • In the last week, have you had any dental work, cleaning, fillings or extractions? 
  • In the last 4 months: Have you had a tattoo? Have you had a piercing? 
  • Do you weigh less than 50 kilograms?
  • In the last 12 months, have you engaged in at-risk sexual behaviour?
The Red Cross states
A file containing donor information was placed in an insecure environment by a third party that develops and maintains the Blood Service’s website. This was a human error on the part of the third party service. This information was copied by a person scanning for security vulnerabilities who then, through an intermediary, informed AusCERT. 
What are you doing about this? 
Working with AusCERT, a cyber security organisation who provides information and security advice to us as a member of their service, we have managed to have all known copies of the archive deleted, and have removed the vulnerability from the web developer’s server. We’ve mobilised a team of security experts to conduct a forensic analysis of the incident. We are also establishing a taskforce including independent experts to conduct a thorough investigation of governance and security structures within the Blood Service. 
How long was the data available? 
At this stage we understand the data may have been available from 5 September 2016 to 25 October 2016. Our forensic experts are working to confirm the exact dates. To our knowledge, all known copies of the data have been deleted; however, investigations are continuing.
When was the data accessed? 
We believe the archive was accessed on 24 October 2016; our forensic experts are confirming this. We have managed to have all known copies deleted and have removed the vulnerability from the third party service that develops and maintains the Blood Service’s website.
Why should I trust you with my information? 
We take the security of information our donors provide extremely seriously and have done everything in our power, since becoming aware of this situation, to address this security issue. 
Is this the Blood Service's fault? 
This was a human error on the part of the third party service that develops and maintains the Blood Service’s website. We take full responsibility for this mistake and apologise unreservedly to all affected. We take cyber security very seriously and we are deeply disappointed this occurred. 
What actions are you taking? 
Working with AusCERT we have managed to delete all known copies of the archive, and have removed the vulnerability from the third party service that develops and maintains the Blood Service’s website. We’ve mobilised a team of security experts to conduct a forensic analysis of the incident. We are also establishing a taskforce including independent experts to conduct a thorough investigation of governance and security structures within the Blood Service. IDCARE, a national identity and cyber support service, has assessed the information accessed as of low risk of future direct misuse. We are reviewing our arrangements with the third party provider.

US broadband privacy rules

The US Federal Communications Commission this week adopted rules requiring broadband internet service providers to protect the privacy of their customers.
The rules ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs. 
The rules implement privacy requirements of Section 222 of the Communications Act. The FCC states that
To provide consumers more control over the use of their personal information, the rules establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information. 
This approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights. 
The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:
  • Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications. 
  • Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.
  • Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.
Additionally the rules include:
  • Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences; 
  • A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.  
  • Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information. 
The FCC notes that
The scope of the rules is limited to broadband service providers and other telecommunications carriers. 
The rules do not apply to the privacy practices of web sites and other “edge services” over which the Federal Trade Commission has authority. 
The scope of the rules does not include other services of a broadband provider, such as the operation of a social media website, or issues such as government surveillance, encryption or law enforcement.