Government response to the Privacy Act Review Report

Fine

Absolutely

The provision of a trusted broker to provide IAAS where all details of transactions are E2EE and and unavailable in any way to the IAAS - the IAAS provides only a means for the business to provide invoicing etc.. In other words, a business wants to onboard a new client, the client is directed to the government IAAS which vets the client. When the business needs to invoice the client or contact them for some other purpose, the transaction occurs via the IAAS - the IAAS never knows what the contact is about and the business never knows any information about the client other than that the IAAS is able to identify them should the need arise. In this way, there is no risk whatsoever (or liability) when a business gets hacked and the government IAAS is made sufficiently secure - think of it like the way PayPal works with financial authority.

Key to this is that the government IAAS can be trusted and blind - any user must be able to log in to the IAAS and revoke authority whenever they wish providing no transactions are outstanding.

This is way too weak - see previous answer re IAAS. No need for employer to have any information, just an auth key to the IAAS who will act as blind agent for pay etc.

Again, ridiculously weak - see previous answers.

I don't know about specific requirements of media organisations, but size is completely irrelevant to privacy and security.

Biometrics are sensitive data and should not be allowed to be used or obtained in any way whatsoever by private organisations. We would not allow Bunnings to take fingerprints of every customer, for instance. Nor should the governemtn be allowed to do so - the theft of biometric information via driver's licenses was completely wrong - we do not allow police to just finger print every member of public willy nilly yet that is exactly what happened with DL's - the data should be destroyed immediately. Moreover because the government has an appalling record of securing data and protecting privacy.

No

No

No

These are all too weak and are clearly designed to benefit entities rather than individuals.

Why even bother - you can drive a truck blind-folded though the exceptions.

All such mechanisms and algorithms must be completely open source and there must be prior scrutiny by independent experts in law and in the technology employed (programmers/mathematicians/etc.)

Absolutely not - Robodebt is a sufficient exemplar to show that neither government, the law or the public service can be trusted or have sufficient competency or cognition.

Who cares? None of these benefit individuals.

This is a complete farce - "fair and reasonable" means whatever entities and government want it to mean. Opt out must be the default position

Good.

See previous answer on IAAS

See previous answer on IAAS

Who cares about the impact to small businesses - if they are incapable of protecting information (and it really isn't that hard), they should have no right holding it.

Not that I am a huge fan of PayPal, but the model of trusted agent works much better than having clueless entities obtaining information they have no need for and represent a far greater risk of breach than larger entities - many of these small businesses are simply retailers who have no training or expertise whatsoever in IT, law or cyber security - they don't even need to have an ABN!

No, the digital world is completely flat and short of geoblocking and banning foreign entities from operating here, the best you can do is educate people. It would be much more sensible (and cost effective) to simply adopt the GDPR and work with the EU and other adopters to create the largest possible coverage of what will very likely become the defacto standard - why reinvent the wheel when Australia is already at least 20 years behind the state of the art and has shown an abysmal lack of competency and intent in such matters?

No, absolutely not.

Impose meaningful penalties for failure to do so - we know there are orders of magnitude more breaches than are admitted to. We cannot trust entities to disclose breaches as their interests are fundamentally mis-aligned with client's privacy and security - there needs to be a competent and trusted monitoring agent.

Here we go again with "reasonable steps" - this is complete and utter nonsense, the "steps" need to be: clearly and precisely spelled out, mandatory within a mandatory timeframe and incur harsh penalties upon failure to perform.

Privacy is a joke in Australia and this is a very weak and frankly passive-aggressive set of proposals clearly designed for the benefit of entities.

The entire notion of personal data needs to be turned on its head - the default needs to be that entities seek permission for access to a person's information. The only way to make this happen is for every individual to have secure repository that they may elect to grant access to a specific set of information to a specific entity for a specific time window. In fact, most functions can be performed by a blind agent - say you want to sell an item: an invoice is sent to the blind agent who passes it to the individual - if the individual deems it valid, the agent verifies that payment has been made and then pass a 'paid' token and shipping address to the entity.

A similar identity/authorisation flow could occur when on boarding a new employee etc. - the key point is that the individual has complete control over their data - they can modify it or change access grants at any time and can be as prudent or as promiscuous as *they* deem fit. Entities can operate just fine on a fraction of the data they obtain and retain - the only reason they want more is for profit. I am not against businesses making profit but I have no interest whatsoever in helping them and no have shown no care whatsoever in protecting it so they need to kept on the shortest leash possible.