The changing face of privacy laws


Published on April 1, 2014

Author: Russell_Kennedy



On 12 March 2014, Australia’s privacy laws were significantly amended. The amendments go further than merely requiring businesses to update their privacy policy, as the new laws mandate businesses to critically examine how they collect, use and disclose individuals’ personal information. Find out how these changes affect your business.

The Changing Face of Privacy Laws
Craig Subocz BE (Hons), LLB, LLM, Grad. Cert. in Entrepreneurship & Innovation
Senior Associate
1 April 2014

Disclaimer
The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed, please contact the presenter directly.

Agenda
• What are the new laws?
• How the new laws may affect you
• What should you do?

A brief history of the Privacy Act
• 1988: Privacy Act introduced
• 12/2001: NPPs (National Privacy Principles) introduced
• 1/2006: ALRC asked to report on the Act’s effectiveness
• 8/2008: ALRC delivers 3-volume report, with 295 recommendations
• 10/2009: Govt releases its First Stage Response
• 10/2010: Govt releases exposure draft of legislation
• 5/2012: Enhancing Privacy Protection Bill introduced
• 12/2012: Enhancing Privacy Protection Bill passed by Parliament
• 12/3/2014: Privacy Act amendments take effect

What are the new laws?
• Distinguished from laws protecting confidential information, the Spam Act, the Do Not Call Register Act, etc.
• The Privacy Act regulates the collection, use and disclosure of “personal information” about individuals by “APP entities”.
• APP entities are organisations bound to comply with the Privacy Act.
(Diagram: individual → collection by organisation → use → disclosure to third party)

What are the new laws?
• Replace the NPPs with the APPs (Australian Privacy Principles)
• Re-write the credit reporting regime
• Greater consumer protections
• Expand OAIC powers
  • Greater investigatory powers
  • Increased penalties for privacy breaches: penalties up to $1.7 million
  • Enforceable undertakings

How privacy laws may affect you
You must comply with the Act if you answer ‘yes’ to any of the following questions:
• Is your annual turnover in excess of $3 million?
• Do you provide a “health service” (e.g. a private health service provider)?
• Do you disclose personal information about another individual to a 3rd party for a benefit, service or advantage?
• Do you provide a benefit, service or advantage to collect personal information about an individual from a 3rd party?

Definition of ‘personal information’
• Although the definition of ‘personal information’ has been amended, there is little practical change.
• From 12 March 2014, ‘personal information’ means “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.”
• NB: ‘employee records’ are still exempt from the Privacy Act, but note the Fair Work Act requirements.

APP 1 (open and transparent management)
• More than just updating your privacy policy (if you have one).
• APP 1 requires “APP entities” to implement practices, procedures and systems to ensure compliance:
  • Employee training on privacy
  • Clear, transparent complaints handling procedure
• An APP entity is an organisation bound by the Act to comply with the Australian Privacy Principles.

Case Study – LSO Pty Ltd
• Annual turnover of $5 million
• Sells fast moving consumer goods
  • Online sales
  • Retail channels
  • Direct to consumer channels
• Offers ‘valued’ customers regular “discount days”
  • To qualify, customers must provide LSO with their name, email address and mobile number
  • LSO stores this information in a computerised database.

Case Study – LSO Pty Ltd
• In LSO’s privacy policy (last updated in 2006), a director is named the “privacy officer”.
• He has little knowledge of Australia’s privacy laws.
• LSO has not provided its directors and staff with privacy training.
• LSO has no formal privacy compliance policies or procedures.

APP 2 (anonymity and pseudonymity)
• Individuals may deal anonymously or pseudonymously with you.
• But you are not obliged to allow this if:
  • you are required or authorised by law, or by a court or tribunal order, to deal with identified individuals; or
  • it is impracticable for you to deal with individuals who have not identified themselves.

Case study – LSO Pty Ltd
• LSO encourages customer participation on its interactive social media presence.
• LSO removes posts made by individuals who do not use their real names.

APP 3 (collection of solicited personal information)
• You solicit personal information if you expressly ask for the information or take active steps to collect it.
• Personal information should only be collected if it is reasonably necessary for your functions or activities.
• Your privacy policy should set out the relevant functions and activities for which the information is being collected.
• Sensitive information should generally only be collected with the individual’s consent.
• Personal information should only be collected by lawful and fair means, and directly from the individual (unless an exception applies).

APP 3 (examples of soliciting personal information)
• You ask for the personal information to be provided through the completion of a form by an individual relating to the goods/services you supply.
• You exchange business cards with an individual at a meeting.
• Information is disclosed to you by an entity in response to your request, where that information includes personal information.
• You offer prizes in a competition that requires entries to be submitted.
• You receive a complaint in response to a general invitation on your website to individuals to complain to you.
• An individual submits an employment application in response to a job advertisement.

APP 4 (unsolicited personal information)
• Personal information is unsolicited if you receive it without asking for it:
  • misdirected mail, unsolicited employment applications or promotional flyers containing personal information.
• You must decide whether you could have collected the information under APP 3.
• If you decide you could not have collected the information, it must be destroyed or de-identified as soon as practicable, if it is lawful and reasonable to do so:
  • you may need it for tax reasons;
  • you may be prohibited by law or court order from destroying or de-identifying the information.

Case study – LSO Pty Ltd  Solicits PI via numerous methods: • Customers sign up for daily discounts • Customers’ social media interactions • Customer complaints • Occasional customer surveys  Also receives PI occasionally: • Misdirected mail • Promotional materials from suppliers with information identifying a salesperson, including contact information • Employment applications

Case Study – LSO Pty Ltd
• LSO’s directors are unclear on their legal obligations regarding the collection of PI.
• The directors do not understand how the PI which LSO collects may be used in LSO’s business, whether LSO needs all the PI it actually collects, and from where and how LSO collects PI.

APP 5 (notification of collection)
Before or at the time of collection, you must notify individuals of, or otherwise ensure that individuals are aware of:
• Your identity and contact details
• The fact and circumstances of collection
• Whether the collection is authorised or required by law
• Why you collected the PI
• What happens if the PI is not collected
• Your usual disclosures of collected PI
• Information about your privacy policy
• Whether you are likely to disclose PI overseas

APP 6 (use and disclosure)
Personal information may only be used or disclosed for the purpose of collection (the ‘primary purpose’), or for a secondary purpose if an exception applies:
• The individual consents;
• The individual would reasonably expect you to use or disclose his/her PI for that purpose, and that purpose is related to the primary purpose; or
• Another exception applies.

APP 6 (use and disclosure)
If using or disclosing personal information for a secondary purpose, you must record the use or disclosure in writing:
• Date of use or disclosure
• Details of the information used or disclosed
• How the information was used
• To whom the information was disclosed
• The exception on which the use or disclosure is based

Case study – LSO Pty Ltd
• To frame LSO’s purposes for use and disclosure, its directors should understand:
  • when LSO uses PI;
  • how LSO uses PI;
  • to whom LSO discloses PI.
• For example, PI could be used or disclosed for:
  • order fulfilment;
  • marketing and promotions;
  • credit checks;
  • debt recovery.

APP 7 (direct marketing)
APP 7 prohibits you from using or disclosing PI for direct marketing unless an exception applies:
• The PI was collected directly from the individual, and the individual would reasonably expect their PI to be used for direct marketing; or
• The individual would not reasonably expect their PI to be used for direct marketing, but consents to the use.

APP 7 (direct marketing)
• NB: there is a fine distinction between ‘reasonable expectation’ and ‘consent’.
• Whether an individual would reasonably expect a use depends on the circumstances.
• Consent can be express or inferred.
• If you are permitted to use PI for direct marketing, each message must contain an ‘opt out’ provision.
• APP 7 remains subject to the Do Not Call Register Act and the Spam Act.

Case Study – LSO Pty Ltd
• LSO constantly markets products to its customers:
  • posts customers catalogues;
  • emails customers ‘daily deals’;
  • tracks customers’ browsing habits and buys ad-words to trigger ads in search engines and social media sites.
• Whether LSO must comply with APP 7 depends on the context of the marketing.

APP 8 (cross-border disclosures)
• Regulates cross-border disclosure of PI.
• Two choices for compliance:
  • APP 8.1: before disclosure, take reasonable steps to ensure the overseas recipient does not breach the APPs (e.g. a contract with the recipient).
  • APP 8.2 allows compliance in a variety of ways:
    • reasonable belief about the overseas laws;
    • the individual consents to the disclosure;
    • the disclosure is required or authorised by law.

Case Study – LSO Pty Ltd
• LSO uses a multinational cloud provider to host its critical business systems.
• The cloud provider hosts information about LSO’s customers, including their PI.
• LSO agrees to the cloud provider’s terms.

APP 9 (government related identifiers)
• Prohibits an organisation from adopting, using or disclosing a government related identifier (except ABNs).
• An ‘identifier’ is a number, letter or symbol (or combination) that is used to identify an individual or verify that individual’s identity.
• A ‘government related identifier’ is an identifier assigned by any government agency.

APP 10 (quality of personal information)
When holding PI, you must take reasonable steps to ensure that:
• the PI collected is accurate, up-to-date and complete;
• the PI used and disclosed is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.

APP 10 (quality of personal information)
‘Reasonable steps’ depend on the circumstances, including:
• The nature of the PI
• The adverse consequences for the individual if poor quality PI is collected, used or disclosed
• The method or time of collection
• The practicability of taking steps to ensure quality

APP 11 (security of personal information)
• You must take reasonable steps to protect PI against misuse, interference and loss, and against unauthorised access, modification or disclosure.
• Unless the information is in a Commonwealth record or you must retain the PI by law, once PI is no longer needed you must take reasonable steps to destroy or de-identify it.
• You should consider document destruction, tax records and other legal obligations on the preservation of documents.

Case study – LSO Pty Ltd
• PI of LSO’s customers inadvertently becomes public when the sales director loses an unencrypted USB drive containing the latest survey results in a pub.
• The Privacy Commissioner investigates LSO’s alleged privacy breach.
• The Privacy Commissioner concludes that LSO breached APPs 1, 2, 3, 8 and 11.
• LSO gives enforceable undertakings to the Privacy Commissioner.

APP 12 (access)
• If you hold PI about an individual, you must, on the individual’s request, give the individual access to the PI.
• Access may be denied on a number of grounds, including:
  • Serious threat to life, health or safety
  • Unreasonable impact on other individuals’ privacy
  • Frivolous or vexatious request
  • Anticipated legal proceedings
  • Prejudice to negotiations between you and the individual
  • Law enforcement matters

APP 12 (access)
• You must deal with access requests within a reasonable period of time.
• If reasonable and practicable, grant access in the manner requested.
• If access is refused, you must give written notice setting out the reasons for refusal and the mechanisms available for complaint.
• You can charge for access.

APP 13 (correction)
• You must take reasonable steps to correct PI that is inaccurate, out-of-date, incomplete, irrelevant or misleading.
• If requested, take reasonable steps to notify third parties to whom the PI was previously disclosed.
• Reasons must be given if correction is refused.
• You must deal with correction requests within a reasonable period after the request is made.


What should you do now?
Complete a privacy audit to understand what PI you collect, hold, use and disclose:
• Include a review of your privacy policy, collection statements, etc.
• Assess what, if any, complaints resolution process you have.
• If disclosing PI to third parties, review the basis on which the disclosure is made.
The audit’s outcome should help prepare you for the new privacy laws.

What should you do ASAP?
Don’t dawdle – the new laws are already in effect!
• Design and implement a privacy compliance program, focusing on:
  • risk identification and management;
  • training for all staff;
  • compliance monitoring.
• Don’t forget to update your privacy policy.
• Review interactions with your customers.

What should you do in the future?
• Apart from complying with the Privacy Act, document how you comply with the Act.
  • If the OAIC investigates, documentary proof will help your arguments.
• Remember – the Act is designed to protect individuals, not you.
  • In particular, treat complaints appropriately and responsively.
  • Generally, take no longer than 30 days to deal with a complaint.

Questions
Please contact Craig Subocz, Senior Associate, (03) 9609 1646
