The Changing Face of Privacy Laws

Craig Subocz, BE (Hons), LLB, LLM, Grad. Cert. in Entrepreneurship & Innovation, Senior Associate

1 April 2014


DESCRIPTION

On 12 March 2014, Australia’s privacy laws were significantly amended. The amendments go further than merely requiring businesses to update their privacy policy, as the new laws mandate businesses to critically examine how they collect, use and disclose individuals’ personal information. Find out how these changes affect your business.

TRANSCRIPT

Page 1: The changing face of privacy laws

The Changing Face of Privacy Laws

Craig Subocz, BE (Hons), LLB, LLM, Grad. Cert. in Entrepreneurship & Innovation

Senior Associate

1 April 2014

Page 2

Disclaimer

The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed, please contact the presenter directly.

Page 3

Agenda

• What are the new laws?

• How the new laws may affect you

• What should you do?

Page 4

A brief history of the Privacy Act

• 1988: Privacy Act introduced

• 12/2001: NPPs introduced

• 1/2006: ALRC asked to report on the Act’s effectiveness

• 8/2008: ALRC delivers 3-volume report, with 295 recommendations

• 10/2009: Govt releases its First Stage Response

• 10/2010: Govt releases exposure draft of legislation

• 5/2012: Enhancing Privacy Protection Bill introduced

• 12/2012: Enhancing Privacy Protection Bill passed by Parliament

• 12/3/2014: Privacy Act amendments take effect

Page 5

What are the new laws?

• Distinguished from laws protecting confidential information, the Spam Act, the Do Not Call Register Act, etc.

• The Privacy Act regulates how “APP entities” collect “personal information” (PI) from individuals, and how they then use and disclose it.

• APP entities are organisations bound to comply with the Privacy Act.

[Diagram: Individual → Collection → Organisation → Use → Organisation → Disclosure → Third Party]

Page 6

What are the new laws?

• Replace the NPPs with the APPs

• Re-write the credit reporting regime

• Greater consumer protections

• Expanded OAIC powers:

• Greater investigatory powers

• Increased penalties for privacy breaches (up to $1.7 million for a body corporate for serious or repeated interferences with privacy)

• Enforceable undertakings

Page 7

How privacy laws may affect you

You must comply with the Act if you answer ‘yes’ to any of the following questions:

• Is your annual turnover in excess of $3 million?

• Do you provide a “health service” (e.g. you are a private health service provider)?

• Do you disclose personal information about another individual to a third party for a benefit, service or advantage?

• Do you provide a benefit, service or advantage to collect personal information about an individual from a third party?

These are the triggers most likely to catch a small business; the Act also covers other categories, such as contracted service providers under a Commonwealth contract and businesses that opt in.

Page 8

Definition of ‘personal information’

• Although the definition of ‘personal information’ was amended, there is little practical change.

• From 12 March 2014, ‘personal information’ means “information or an opinion about an identified individual, or an individual who is reasonably identifiable:

• whether the information or opinion is true or not; and

• whether the information or opinion is recorded in a material form or not.”

• NB: ‘employee records’ are still exempt from the Privacy Act (for acts directly related to the employment relationship), but note the Fair Work Act requirements.

Page 9

APP 1 (open and transparent management of personal information)

• More than just updating your privacy policy (if you have one).

• APP 1 requires “APP entities” to implement practices, procedures and systems to ensure compliance, for example:

• employee training on privacy

• a clear, transparent complaints-handling procedure

• APP 1 also requires a clearly expressed and up-to-date privacy policy about how you manage PI.

• An APP entity is an organisation bound by the Act to comply with the Australian Privacy Principles.

Page 10

Case Study – LSO Pty Ltd

• Annual turnover of $5 million

• Sells fast moving consumer goods

• Online sales

• Retail channels

• Direct to consumer channels

• Offers ‘valued’ customers regular “discount days”

• To qualify, customers must provide LSO with their name, email address and mobile number

• LSO stores this information in a computerised database.

Page 11

Case Study – LSO Pty Ltd

• In LSO’s privacy policy (last updated in 2006), a director is named the “privacy officer”.

• He has little knowledge of Australia’s privacy laws.

• LSO has not provided its directors and staff with privacy training.

• LSO has no formal privacy compliance policies or procedures.

Page 12

APP 2 (anonymity and pseudonymity)

• Individuals must have the option of dealing anonymously or pseudonymously with you.

• But you are not obliged to allow this if:

• You are required or authorised by law or court or tribunal order to deal with identified individuals; or

• It is impracticable for you to deal with individuals who have not identified themselves.

Page 13

Case study – LSO Pty Ltd

• LSO encourages customer participation on its interactive social media presence.

• LSO removes posts made by individuals who do not use their real names (a practice that must be justified under one of the APP 2 exceptions).

Page 14

APP 3 (collection of solicited personal information)

• You solicit personal information if you expressly ask for the information or take active steps to collect the information

• Personal information should only be collected if it is reasonably necessary for your functions or activities

• Your privacy policy should set out the relevant functions and activities for which the information is being collected

• Sensitive information should generally only be collected with the individual’s consent

• Personal information should only be collected by lawful and fair means and directly from an individual (unless an exception applies)

Page 15

APP 3 (examples of soliciting personal information)

• You ask for the personal information to be provided through the completion of a form by an individual relating to the goods/services you supply

• You exchange business cards with an individual at a meeting

• An entity discloses information to you in response to your request, and that information includes personal information

• You offer prizes in a competition that requires entries to be submitted

• You receive a complaint in response to a general invitation on your website to individuals to complain to you

• An individual submits an employment application in response to a job advertisement

Page 16

APP 4 (unsolicited personal information)

• Personal information is unsolicited if you receive it without asking for it:

• misdirected mail, unsolicited employment applications or promotional flyers containing personal information

• You must decide, within a reasonable period, whether you could have collected the information under APP 3.

• If you could not have collected it, the information must be destroyed or de-identified as soon as practicable, if it is lawful and reasonable to do so. It may not be, for example, if:

• you need it for tax reasons

• you are prohibited by law or court order from destroying or de-identifying the information

• If you could have collected it (or it cannot lawfully be destroyed), APPs 5 to 13 apply to it as if you had solicited it.

Page 17

Case study – LSO Pty Ltd

Solicits PI via numerous methods:

• Customers sign up for daily discounts

• Customers’ social media interactions

• Customer complaints

• Occasional customer surveys

Also receives PI occasionally:

• Misdirected mail

• Promotional materials from suppliers with information identifying a salesperson, including contact information

• Employment applications

Page 18

Case Study – LSO Pty Ltd

• Directors are unclear on their legal obligations regarding collection of PI.

• Directors do not understand how the PI which LSO collects may be used in LSO’s business, whether LSO needs all the PI it actually collects, and from where and how LSO collects PI.

Page 19

APP 5 (notification of collection)

Before or at the time of collection (or, if that is not practicable, as soon as practicable afterwards), you must notify individuals, or otherwise ensure that they are aware, of:

• your identity and contact details

• the fact and circumstances of collection

• whether the collection is authorised or required by law

• why you collected the PI

• what happens if the PI is not collected

• your usual disclosures of collected PI

• information about your privacy policy (including how to access and correct PI and how to complain)

• whether you are likely to disclose PI overseas (and, if practicable, to which countries)

Page 20

APP 6 (use and disclosure)

Personal information may only be used or disclosed for the purpose for which it was collected (the ‘primary purpose’), or for a secondary purpose if an exception applies:

• the individual consents

• the individual would reasonably expect you to use or disclose his/her PI for that purpose and that purpose is related to the primary purpose (directly related, for sensitive information)

• another exception applies

Page 21

APP 6 (use and disclosure)

If using or disclosing personal information for a secondary purpose, record the use or disclosure in writing:

• date of use or disclosure

• details of the information used or disclosed

• how the information was used

• to whom the information was disclosed

• the exception on which the use or disclosure is based

NB: the Act itself only mandates a written note where PI is disclosed to an enforcement body for an enforcement related activity (APP 6.5); recording every secondary use or disclosure is the practical way to show later that an exception applied.

Page 22

Case study – LSO Pty Ltd

• To frame LSO’s purposes for use and disclosure, its directors should understand:

• When does LSO use PI

• How LSO uses PI

• To whom LSO discloses PI

• For example, PI could be used or disclosed for:

• Order fulfilments

• Marketing and promotions

• Credit checks

• Debt recovery

Page 23

APP 7 (direct marketing)

APP 7 prohibits you from using or disclosing PI for direct marketing unless an exception applies:

• you collected the PI directly from the individual and the individual would reasonably expect their PI to be used for direct marketing

• the individual would not reasonably expect their PI to be used for direct marketing, but consents to the use

Page 24

APP 7 (direct marketing)

• NB: fine distinction between ‘reasonable expectation’ and ‘consent’

• Whether an individual would reasonably expect depends on circumstances

• Consent can be express or inferred

• If permitted to use PI for direct marketing, you must provide a simple means to ‘opt out’, and each message must draw attention to it.

• APP 7 remains subject to the Do Not Call Register Act and the Spam Act.

Page 25

Case Study – LSO Pty Ltd

• LSO constantly markets products to its customers.

• Posts customers catalogues

• Emails customers ‘daily deals’

• Tracks customers’ browsing habits and buys ad-words to trigger ads in search engines and social media sites

• Whether LSO must comply with APP 7 depends on the context of the marketing.

Page 26

APP 8 (cross-border disclosures)

• Regulates disclosure of PI to overseas recipients.

• Two routes to compliance:

• APP 8.1: before disclosure, take reasonable steps to ensure the overseas recipient does not breach the APPs (e.g. a contract with the recipient). NB: under s 16C, if the recipient then breaches the APPs, you are taken to have breached them.

• APP 8.2 exceptions, which remove the APP 8.1 obligation, include:

• a reasonable belief that the recipient is bound by overseas laws substantially similar to the APPs, which the individual can enforce

• the individual consents to the disclosure after being expressly informed that APP 8.1 will not apply

• the disclosure is required or authorised by law

Page 27

Case Study – LSO Pty Ltd

• LSO uses a multinational cloud provider to host its critical business systems.

• The cloud provider hosts information about LSO’s customers, including their PI.

• LSO simply agrees to the cloud provider’s standard terms, without checking whether they bind the provider to the APPs.

Page 28

APP 9 (government related identifiers)

• Prohibits an organisation from adopting, using or disclosing a government related identifier (ABNs excluded), subject to limited exceptions such as where this is required or authorised by law.

• An ‘identifier’ is a number, letter or symbol (or combination) that is used to identify an individual or verify that individual’s identity.

• A ‘government related identifier’ is an identifier assigned by a government agency.

Page 29

APP 10 (quality of personal information)

When holding PI, you must take reasonable steps to ensure:

• the PI collected is accurate, up-to-date and complete.

• the PI used and disclosed is, having regard to the purpose of use or disclosure, accurate, up-to-date, complete and relevant.

Page 30

APP 10 (quality of personal information)

‘Reasonable steps’ depend on the circumstances, including:

• The nature of the PI

• The adverse consequences for the individual if poor quality PI is collected, used or disclosed

• Method or time of collection

• The practicability of taking steps to ensure quality.

Page 31

APP 11 (security of personal information)

• Take reasonable steps to protect PI from misuse, interference and loss, and from unauthorised access, modification or disclosure.

• Unless the information is in a Commonwealth record or you must by law retain the PI, once PI is no longer needed for any permitted purpose you must take reasonable steps to destroy or de-identify it.

• You should consider document destruction, tax records and other legal obligations on preservation of documents.

Page 32

Case study – LSO Pty Ltd

• PI of LSO’s customers becomes inadvertently public when the sales director loses an unencrypted USB drive containing latest survey results in a pub.

• Privacy Commissioner investigates LSO’s alleged privacy breach.

• Privacy Commissioner concludes that LSO breached APPs 1, 2, 3, 8 and 11.

• LSO gives enforceable undertakings to the Privacy Commissioner.

Page 33

APP 12 (access)

• If you hold PI about an individual, you must, on the individual’s request, grant the individual access to the PI.

• Access may be denied on a number of grounds, including:

• Serious threat to life, health or safety

• Unreasonable impact on other individuals’ privacy

• Frivolous or vexatious request

• Anticipated legal proceedings

• Prejudice negotiations between you and the individual

• Law enforcement matters

Page 34

APP 12 (access)

• You must deal with access requests within a reasonable period of time

• If reasonable and practicable, grant access in the manner requested

• If access is refused, you must give written notice setting out the reasons for refusal and the mechanisms available for complaint

• You can charge for giving access, but not for making the request, and the charge must not be excessive

Page 35

APP 13 (correction)

• You must take reasonable steps to correct PI that is inaccurate, incomplete, etc.

• Take reasonable steps to notify third parties to whom PI was previously disclosed, if requested

• Reasons must be given if correction is refused

• Must deal with correction requests within a reasonable period after request is made

Page 36

What should you do?

THE NEW PRIVACY LAWS ARE COMPREHENSIVE

Page 37

What should you do now?

Complete a privacy audit to understand what PI you collect, hold, use and disclose:

• include a review of your privacy policy, collection statements, etc.

• assess what, if any, complaints resolution process you have

• if disclosing PI to third parties, review the basis on which each disclosure is made

The audit’s outcome should help prepare you for the new privacy laws.

Page 38

What should you do ASAP?

Don’t dawdle – the new laws are already in effect!

Design and implement a privacy compliance program, focusing on:

• risk identification and management

• training for all staff

• compliance monitoring

Don’t forget to update your privacy policy.

Review your interactions with your customers.

Page 39

What should you do in the future?

• Apart from complying with the Privacy Act, document how you comply with the Act

• If OAIC investigates, documentary proof will help your arguments

• Remember – the Act is designed to protect individuals, not you

• In particular, treat complaints appropriately and responsively

• Generally, take no longer than 30 days to deal with a complaint

Page 40

Please Contact

Craig Subocz

Senior Associate

(03) 9609 1646

[email protected]

rk.com.au

Questions