Privacy Awareness Week 2020 - Reboot Your Privacy | OAIC

Reboot your privacy - a number of different devices, such as a smart watch, a mobile phone, a tablet, a fitbit, a console controller and an Alexa.

Join us for Privacy Awareness Week
4 to 10 May 2020

As we shift even more of our day-to-day activity online during the COVID-19 pandemic, Privacy Awareness Week is an important reminder to Reboot your privacy.

  • Check and update your privacy controls
  • Consider the alternative when giving or asking for personal information
  • Delete any data from old devices and securely destroy or deidentify personal information if it’s no longer needed for a legal purpose.

Explore our PAW website to find out more on how to join in the conversation to promote privacy awareness, and sign up as a supporter.

Welcome to Privacy Awareness Week

Angelene Falk: Australian Information Commissioner and Privacy Commissioner

This year’s Privacy Awareness Week comes in the midst of uncertain times, as nations around the world respond to the very serious challenges presented by the COVID-19 virus. Our circumstances are changing rapidly as we all adapt to new ways of operating.

We understand that health and other personal information needs to be shared to prevent and manage COVID-19, and that public health concerns are front of mind in the current crisis. In turn, we all have a role to play in supporting public trust and confidence in the handling of our personal information to support public health initiatives.

In taking steps to prevent and manage the pandemic, the importance of protecting personal information remains constant, and any changes to information handling practices to address the pandemic must be reasonable, time-limited and necessary.

As we try to stop the spread of COVID-19, even more of our activity and interactions are moving online. This makes our theme for Privacy Awareness Week 2020 particularly relevant, as we encourage you to Ctrl+Alt+Delete and reboot your privacy.

As organisations and agencies implement strategies to respond to the current situation, they should be guided by the key principles of good privacy practice. Put the right controls in place. Consider the privacy risks and come up with alternatives. Collect only what is necessary and delete or de-identify information if it’s no longer required for a legal purpose. Above all, be transparent in how you handle personal information and give people choice wherever possible.

For individuals, take the time to stop and check the privacy controls across your online accounts. Consider the alternatives when you sign up for a new service and when you’re asked to share your personal information. Delete unused accounts and wipe your data from old devices.

To help you reboot your privacy, we’ll be sharing more tips on how to protect personal information online. We’ll also be promoting new resources and research to help organisations and agencies covered by the Privacy Act 1988 understand and meet community expectations about respecting and protecting personal information.

Don’t forget to sign up your organisation as a PAW Supporter to show your commitment to good privacy practice and receive our toolkit to help you promote privacy awareness to your staff and stakeholders.

From all of us at the Office of the Australian Information Commissioner, thank you for supporting Privacy Awareness Week.

Angelene Falk
Australian Information Commissioner and Privacy Commissioner

Protect your accounts

Multi-factor authentication, strong and unique passphrases and automatic device updates are some of the best tactics you can use to keep your accounts secure and protect your personal information online.

Reduce the risk of someone gaining unauthorised access to your accounts and stealing your digital identity by:

  • enabling two-factor authentication/multi-factor authentication for accounts and devices whenever possible, for an extra layer of security and to prevent your logins being compromised.
  • setting strong and unique passphrases for your important online accounts. Like a password, a passphrase can be used to verify access to a computer system, program or service, and is most effective when it is:
    • unique – not a famous phrase or lyric, and not re-used
    • longer – phrases are generally longer than words
    • complex – naturally occurring in a sentence with uppercase, symbols and punctuation
    • easy to remember – saves you being locked out.
  • storing your login credentials in a reputable password manager which can also generate new passphrases for you to use across different platforms
  • turning on automatic software updates for your devices to keep your security up to date. The Australian Cyber Security Centre has step by step guides for turning on automatic updates for Windows 10 as well as iOS devices.
  • checking whether your passwords/passphrases have been compromised on Have I Been Pwned, a searchable database of email addresses that have been caught up in data breaches. If your password is listed you should update it immediately.

Get more tips on how to protect your information at cyber.gov.au and the Stay Smart Online program.

Detox your digital profile

Social media is a great way to stay in touch, but are you aware of how much personal information you share? Posts and status updates, polls and quizzes, photos and videos can all reveal a lot about you. The information you share may be given to other organisations without your explicit consent. It can also be used to steal your identity or cause you harm in other ways.

Adjust your privacy settings to help protect your personal information — use the ‘privacy check-up tools’ on Facebook and Google or edit your privacy settings on other networks. Depending on the site, you may be able to:

  • set your page or online profile to ‘private’
  • limit who can see your contact details or find your profile via your phone or email
  • limit the audience for your posts or stories, including old posts
  • control who can send you friend requests or connect with you
  • review and reduce the number of apps that can access your social media profile

You should also be aware of what you share: think before you tag yourself at a location, and consider their privacy before you tag a friend. For more tips check the Data Detox Kit.

Be smart about connected devices

Smart connected devices are everywhere in our lives: from home assistants to connected toys, fitness trackers and sensors in our cars. While they can be helpful, they can also collect and share your personal information.

Before you buy, take some time to research a product’s security and privacy credentials. Look for trusted reviews or guides like Mozilla’s *privacy not included to help you decide which device is right for you.

Reading the privacy policy will help you understand how a device operates and whether you are comfortable with its data practices. Does it share your information with any third parties? How long is your personal information retained? If you’re unsure, ask questions of the manufacturer or the retailer.

Adjust the privacy settings to reduce the amount of personal information that is collected. You may also be able to limit or stop the sharing of your personal information with any third parties.

While you may be comfortable with a car accessing your address book to help you safely take calls when driving, a smart fridge probably does not need to sync with your calendar in order to work.

If the device has voice recognition, check whether it’s listening all the time and how you can control the settings or delete the information.

Does your device always need to be switched on or connected to the internet? Limiting internet access or switching the device off when it is not in use will help protect your privacy. Remember to use a strong password and turn on automatic updates to keep the device secure.

Tracking your location

Your devices and apps may track your location by default unless you adjust your settings. This may be a necessary part of the service if it is a navigation or ridesharing app, but you should think about whether the app you are installing needs location data or permissions to be turned on to work.

Your location data can be combined with other information about you to create a rich picture about who you are, where you go and what you like. For example, your location data might reveal how you travel to work, where you live, or how long you spend exercising each day.

An app’s privacy notice should explain why it collects location data and how it is used, including whether it is shared with any third parties. If it’s not clear who you’re dealing with and what information they are collecting about you, then reconsider whether you really need the app at all.

You can also adjust the settings on your phone and other devices to limit or stop location tracking altogether. This might stop some apps working properly. You can also control each app’s ability to access your location information.

Your location can also be tracked when you browse the internet, so to limit this you can:

  • use a browser with an alternative privacy approach like Firefox or DuckDuckGo
  • use ‘add-ons’ or extensions that make it more difficult to track you online
  • regularly clear your cookies and cache
  • switch to a virtual private network (VPN)

Where’s your data going?

When you visit a website or use an app, your device may be tracked using cookies and online identifiers. Cookies are small data files that are sent from a website to your device to record information such as settings or your browsing activity. An online identifier may be used to distinguish one person from another according to patterns of information generated by a device. They include internet protocol (IP) address, advertising ID, MAC address, pixel tag, account credentials and device fingerprints.

Cookies and online identifiers help websites and services to work more efficiently by remembering your preferences and settings. However, they can also be used to record your behaviour online and share information about you with third parties. For example, online tracking may enable ads to be shown to your device based on your browsing habits.

Your activity may also be tracked and recorded by social media sites and digital platforms like Facebook and Google. Depending on your privacy settings, and whether you log out of your profile, they can continue to track your activity when you leave the service or platform and visit other websites.

You can adjust your habits and change your settings to limit activity tracking and help control your privacy by:

  • not browsing other websites or shopping online while logged into social media or a digital platform
  • deleting cookies in your browser settings or not accepting cookies when you navigate to a website
  • choosing your advertising preferences to limit ad tracking and resetting your advertising ID (see Apple and Google for more)

The side effects of screen scraping

Screen scraping is a process where information from your screen is collected (or ‘scraped’) and made available to another application or website. It is sometimes referred to as Digital Data Capture and can be useful for consumers, such as when data from an old application is made available to a new application. It is sometimes used in the financial sector when a consumer directs a third-party service provider to access and recover their data from a web application.

However, when you agree to let a third party access your information via screen scraping you are also required to provide your login details, such as your username and password. This may not only breach security requirements or terms and conditions, it is also a significant privacy risk.

The new Consumer Data Right will provide a safe alternative to screen scraping. It allows you to access certain data about you held by businesses, and direct that your data is securely transferred to an accredited third party of your choice. The Consumer Data Right will be introduced in the banking sector in 2020 and will then be rolled out to other parts of the economy, including energy and telecommunications.

Personal information can also be ‘scraped’ from websites and digital platforms without permission, in a process known as web scraping. To help protect your personal data, check your privacy settings on social media and other online platforms, and consider limiting the amount of personal information like photos that you share online.

Shopping up a storm?

Almost three quarters of Australian households are now shopping online, so it’s more important than ever to take practical steps to keep personal information safe. Breaches of your personal data including financial information can have serious consequences, like identity theft.

If you are signing up for a loyalty program or creating an online shopping account, remember that your personal information is valuable and should be protected. Consider checking out your shopping as a guest or leaving data fields blank to limit the amount of personal information the site collects and stores.

Know who you’re buying from. Where possible, shop from reputable brands and cross-check information. This could include searching for reviews from other customers or reading information on warranty, refunds and complaints handling before making a purchase. If anything looks suspicious, don’t risk it.

Only shop from secure websites—look for a URL starting with ‘https’ and a closed padlock symbol. When you are ready to buy, make sure you pay using a secure method like PayPal, BPay or your credit card. These offer dispute resolution processes if things don’t go to plan.

If paying by PayPal, select the ‘payment for goods/services’ option. If a seller instructs you to make the payment ‘to friends and family’ rather than ‘payment for goods’ this violates PayPal’s policies and voids the buyer protections.

Fake ads are an increasing source of online scams, so watch out for offers that seem too good to be true. Fake retailer websites or online stores that offer luxury and other goods at a steep discount can appear legitimate. Payment methods like money order, pre-loaded money cards or wire transfer are another warning sign. Search for reviews from real users and don’t trust a site just because it’s been advertised on social media.

The ACSC’s Stay Smart Online program offers more advice on how to shop safely online. For information on the latest scams and how to report them, visit the ACCC’s Scamwatch.

Phishing for information

Malicious and criminal attacks are the leading cause of data breaches involving personal information, which can result in serious harm. Common cyber incidents include phishing and brute-force attacks, which use technology to generate millions of character combinations per second to try and crack passwords. These incidents can compromise your login details and potentially give people unauthorised access to your email and other online accounts.

Scammers can also use a range of sneaky tactics to extract your personal information and use it to steal your identity or commit fraud. For example, remote access scams try to convince you that you need to give an IT expert access to your computer, or buy and install new software to fix a problem.

Be alert for unexpected messages and requests for your personal details. Phishing messages can often feature branding and logos, or use similar language to well-known organisations, to appear ‘real’ and try to trick you into clicking on a link or attachment. Look out for requests to check or confirm login details, suspicious looking attachments, requests for money (especially with a sense of urgency), or where contact or bank details may have changed from previous, legitimate correspondence you received from the business.

If you’re still in doubt, contact the organisation that the message claims to be from, using the contact details on their website or other official sources, not the contact details in the message you received.

Find out more about how to avoid phishing attacks from Scamwatch, cyber.gov.au and the Stay Smart Online program.

Protect kids’ privacy online

Just like adults, many children are also spending more time online and are using a wide range of devices. Smart toys and fitness trackers, apps and social media accounts, phones and other devices can all capture your child’s personal information, track their activity and create a lasting digital footprint. By keeping up with the latest apps, platforms and other technology you will be better placed to guide your child through the online environment and help protect their privacy.

At any stage, it’s a good idea to talk about online safety and privacy issues and keep the lines of communication open. Encourage your child to safeguard their personal information, like their real name, address, telephone number, school, and date of birth, and report any unexpected contact or notices.

Depending on your child’s age, other strategies may include supervising screen time, limiting access to devices or setting parental controls. Adjusting privacy settings together can help your family control the information collected through webcams, microphones and cookies, as well as websites, apps, games and software. This is particularly important for social media and other digital profiles, to limit who can see your child’s personal information.

Other steps to protect your child’s privacy include:

  • setting strong and unique passwords and not sharing them at school or online
  • securing mobile devices with a pin lock, or passcode
  • disabling geo-location services when they are not needed
  • only downloading apps from reputable sources
  • controlling cookies and the use of add-ons and ad-blockers

Visit the eSafety website for more advice about online technology and safety for parents, carers and children.

Clean up your email trail

In both our personal and professional lives, we frequently use email to send important information to others. This can include personal information about ourselves, such as financial and identity information. It can also include information about our family members or friends. Emails can remain in our accounts for extended periods of time if we don’t actively delete them.

Our Notifiable Data Breaches report for July-December 2019 found that many cyber data breaches involved malicious actors gaining access to personal information stored in email accounts. The report also found that people often email personal information to the wrong recipient by mistake.

To help you limit the risks with using emails:

  • Use strong and unique passphrases for your email accounts to reduce the risk of your login details being compromised or stolen
  • Regularly review and move your emails to a secure document management system or device
  • Delete any emails from your inbox and sent box once they have been moved or are no longer needed
  • If you are sending important information to another recipient, consider protecting your information using passwords or encryption.

Virtual events

Commissioner Angelene Falk

Monday, 4 May 2020

Hear from our Commissioner about Privacy Awareness Week and the OAIC’s regulatory focus.

Queensland OIC PAW launch

Tuesday, 5 May 2020 (recording available)

Hear from state and federal experts, including Commissioner Falk, sharing the latest developments around privacy.

Webinar: Privacy in a pandemic

2pm Wednesday, May 6 2020 (recording available)

Join Australian Information Commissioner and Privacy Commissioner Angelene Falk, New Zealand Privacy Commissioner John Edwards and more at OneTrust’s webinar: Privacy in a pandemic.

Listen as they explore privacy issues around COVID-19.

Resources

Explore our privacy guidance and other tips to reboot your privacy and protect personal information online.

For agencies and organisations

Privacy advice for the COVID-19 pandemic

For agencies and organisations

Privacy guidance for agencies and private sector employers to help keep workplaces safe and handle personal information appropriately

Evaluating and mitigating privacy risks in changed working environments

For agencies and organisations

What to consider when assessing the privacy impacts of a remote working arrangement

10 steps to a Privacy Impact Assessment

For agencies and organisations

A one-page guide to undertaking a Privacy Impact Assessment

Guide to securing personal information

For agencies and organisations

Guidance on the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold

Tips for good privacy practice

For organisations

Tips for start-ups and other organisations on efficient and effective ways to protect privacy

Protecting customers' personal information

For organisations

Advice to help you comply with the Australian Privacy Principles

Privacy in practice e-learning course

For agencies

An introduction to the Privacy Act with practical advice on good privacy management practices

PIA tool

For agencies and organisations

This tool accompanies our Guide to Undertaking Privacy Impact Assessments. It helps you conduct a PIA, report its findings and respond to recommendations.

Resources for individuals

Reboot your privacy and protect your personal information online

For individuals

Tips to protect your personal information while even more of our day-to-day activity is taking place online

Data breach notifications

For individuals

What to do if you receive a data breach notification, and how to reduce your risk of harm

Data breach support

For individuals

Where to get help if your information has been involved in a data breach

Current COVID-19 (coronavirus) scams

For individuals

Stay up to date on how scammers are trying to take advantage of the coronavirus with Scamwatch

The eSafety Guide

For individuals

Learn about the latest games, apps and social media platforms and how to protect your information

Credit reporting

For individuals

How to access your credit report and what to do if your credit information isn’t accurate or complete

CreditSmart

For individuals

Information to help consumers understand credit reporting in Australia - CreditSmart is owned by the Australian Retail Credit Association

Assets

Poster

PAW 2020 Color poster - without bleed

PowerPoint template

PAW 2020 PowerPoint template

Social media tiles

PAW 2020 Social media tile 1
PAW 2020 Social media tile 2
PAW 2020 Social media tile 3
PAW 2020 Social media tile 4
PAW 2020 Social media tile 5
PAW 2020 Social media tile 6

Web banner

PAW 2020 Web banner

LinkedIn banner

PAW 2020 LinkedIn cover image

Thank you to everyone who helped make Privacy Awareness Week 2020 such a success. Our network of supporters grew to a record 549 organisations this year, in a clear sign of our shared commitment to upholding and promoting privacy rights.

We hope you enjoyed Privacy Awareness Week 2020 and look forward to having you join us again next year. You can sign up now as a supporter for 2021 and be one of the first to hear about next year’s campaign. For other privacy and OAIC updates please follow us on Twitter and Facebook, or sign up to our Information Matters bulletin.
