June

The Australian government has released the first component of the Trusted Digital Identity Framework for organizations seeking to provide identity services.

The framework, whose development has been overseen by the Digital Transformation Agency, is intended to set standards for organizations providing digital ID for access to online services. The framework will help underpin the development of a federated digital identity system and provide the standards for the government's Govpass ID platform.

The intention is allow individuals to only have to prove their identity once and then be able to use a digital ID across multiple government services.

A £120,000-a-year oil executive has been jailed for lying about his academic qualifications on his CV.  David Scott, 48, was sentenced to 12 months in jail after inventing three degrees and awarding himself a first-class honours in petroleum engineering.

He also claimed to have written the acclaimed academic paper: Nonparametric Regression For Analysis Of Complex Surveys And Geographic Visualisation.  Scott was taken on as managing director of Mech-Tool, a thriving engineering company in Darlington, County Durham, last June.

Among his responsibilities was overseeing two multi-million pound contracts in Kazakhstan.  Judge Peter Armstrong told him: 'Whether people have a tendency to lie on their CV is not for this court to comment on.'   

The firm - a world leader in heat and blast protection in the oil and gas sector - paid him a basic salary of £120,000, a resettlement package, a £10,000 car allowance and bonuses.  The deal placed him 'high up in the commercial world'.

But within three months his colleagues realised that Scott was woefully out of his depth and began their own investigation into his background.  Mech-Tool founder Marshall Garner, 66, discovered that Scott was a fraud who had gone into engineering after joining the army at a junior rank and had never held an executive post in his life.  He also traced the academic paper back to Dr David W Scott, an American professor with the same name as Scott but with an impressive array of genuine qualifications.

Scott claimed to have a Masters in business administration from Heriot-Watt, a Master of Science in petroleum engineering from Imperial College and a Bachelor of Science in Service Science from Imperial College.  The decisive factor was the academic paper, which appeared to prove that Scott, of Stainton, near Middlesbrough, was one of the finest engineering brains in the world.

But when the firm arrived in Kazakhstan their efforts were disastrous, with its staff following a strategic plan drawn up by Scott which the judge said showed he was 'quite clearly not up to the job'.  Judge Armstrong said: 'How you thought you were going to get away with this is difficult to imagine.  Fortunately for this company they became suspicious and made enquiries and discovered your fraudulent job application.  Whether people have a tendency to lie on their CVs is not for this court to comment on, but where deliberate fraud is perpetrated the court has to follow the guidelines as to its effect".  The judge added: 'This was not just claiming an extra GCSE or A level, this was fraud at the highest end of CV falsehood.'

He said it was high culpability deliberate fraud and dismissed a probation service recommendation that the sentence should be suspended, sentencing Scott, who was of previous good character, to 12 months in jail.  

Simon Perkins, for Scott, said: 'We accept he was entirely criminally wrong to fabricate his CV. He has no degree, he was a relatively junior soldier who trained as a surveyor and had the facility to use his GPS surveying knowledge and go into geo surveying.'

Scott admitted one count of fraud by false representation to a value of £54,564 between June and August last year.

 

Deepti Wadhwa, senior associate, Australian Business Lawyers & Advisors, provides information on what HR professionals in Australia should know about the GDPR.  These are all terms you’ve probably been hearing a lot about recently. But what do they mean? How do they apply to your business? And why should you care?

The notifiable data breach scheme

Are you covered by the Privacy Act?	Private sector organisations that generate annual turnover of $3 million or more annually are covered by the Act. In addition, some prescribed categories of organisations are covered regardless of their turnover (e.g. health service providers). Organisations can also (and are often encouraged to) opt-in to the Privacy Act.
What kinds of data are at play?	The Privacy Act covers several different types of information, however it most relevantly covers ‘personal information’ - this is information or an opinion (true or not) about an identified or reasonably identifiable individual, whether or not the information or opinion is recorded.
What constitutes an eligible data breach requiring notification?	The new laws introduce the concept of an ‘eligible data breach’ – this is where there has been unauthorised access to or disclosure of, or loss of, personal information that is likely to result in serious harm to any individual affected.
What steps must you take if you identify a serious data breach?	Whether a data breach is likely to cause serious harm should be determined on a case-by-case basis.  Time is of the essence in making this determination.    If an eligible data breach is identified then the organisation must prepare a statement relating to the breach which must then be given to the OAIC, and its contents also notified to the affected individuals (personally or via publication).
What happens if you don’t comply with the new law?	Individuals can face penalties of up to $420,000, while companies can face penalties of up to $2.1 million. These are big figures!

 
What steps can your organisation take to ensure compliance with the new Scheme?
No organisation is immune to data breaches, but there are plenty of measures you can take to ensure your organisation is ready to act when and if a data breach occurs. You should:

1. Conduct a privacy audit to understand the ins-and-outs of how your organisation deals with data.
2. Update your privacy documents so that they include reference to the new scheme.
3. Prepare a Data Breach Response Plan to ensure that you have an effective and legally-compliant action plan for responding to data breaches.
4. Review the terms of your agreements with third party suppliers/data hosts. As much as possible, your organisation should retain ownership of the data breach response process.   

In a digital age it is very easy for you to lose sight of the management of important data. By undertaking the steps above you will be leading your organisation in the right direction in your data management and ensuring compliance with the new scheme.