Published on April 1, 2014
The Changing Face of Privacy Laws
Craig Subocz, BE (Hons), LLB, LLM, Grad. Cert. in Entrepreneurship & Innovation
Senior Associate
1 April 2014
Disclaimer
The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed, please contact the presenter directly.
Agenda
• What are the new laws?
• How the new laws may affect you
• What should you do?
A brief history of the Privacy Act
• 1988: Privacy Act introduced
• 12/2001: NPPs introduced
• 1/2006: ALRC asked to report on the Act’s effectiveness
• 8/2008: ALRC delivers 3-volume report, with 295 recommendations
• 10/2009: Govt releases its First Stage Response
• 10/2010: Govt releases exposure draft of legislation
• 5/2012: Enhancing Privacy Protection Bill introduced
• 12/2012: Enhancing Privacy Protection Bill passed by Parliament
• 12/3/2014: Privacy Act amendments take effect
What are the new laws?
• Distinguished from laws protecting confidential information, the Spam Act, the Do Not Call Register Act, etc.
• The Privacy Act regulates the collection, use and disclosure of “personal information” by “APP entities” from individuals.
• APP entities are organisations bound to comply with the Privacy Act.
[Diagram: flow of personal information between Individual, Organisation and Third Party, labelled Collection, Use and Disclosure]
What are the new laws?
• Replace the NPPs with the APPs
• Re-write the credit reporting regime
• Greater consumer protections
• Expand OAIC powers
  • Greater investigatory powers
  • Increased penalties for privacy breaches
    • Penalties up to $1.7 million
  • Enforceable undertakings
How privacy laws may affect you
You must comply with the Act if you answer ‘yes’ to any of the following questions:
• Is your annual turnover in excess of $3 million?
• Do you provide a “health service”?
  • a private health service provider
• Do you disclose personal information about another individual to a 3rd party for a benefit, service or advantage?
• Do you provide a benefit, service or advantage to collect personal information about an individual from a 3rd party?
Definition of ‘personal information’
• Although the definition of ‘personal information’ has been amended, there is little practical change.
• From 12 March 2014, ‘personal information’ means “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.”
• NB: ‘employee records’ are still exempt from the Privacy Act, but note Fair Work Act requirements.
APP 1 (open and transparent management)
• More than just updating your privacy policy (if you have one).
• APP 1 requires “APP entities” to implement practices, procedures and systems to ensure compliance:
  • Employee training on privacy
  • Clear, transparent complaints handling procedure
• An APP entity is an organisation bound by the Act to comply with the Australian Privacy Principles.
Case study – LSO Pty Ltd
• Annual turnover of $5 million
• Sells fast moving consumer goods
  • Online sales
  • Retail channels
  • Direct to consumer channels
• Offers ‘valued’ customers regular “discount days”
  • To qualify, customers must provide LSO with their name, email address and mobile number
• LSO stores this information in a computerised database.
APP 2 (anonymity and pseudonymity)
• Individuals may deal anonymously or pseudonymously with you.
• But you are not obliged to allow this if:
  • You are required or authorised by law, or by a court or tribunal order, to deal with identified individuals; or
  • It is impracticable for you to deal with individuals who have not identified themselves.
Case study – LSO Pty Ltd
• LSO encourages customer participation on its interactive social media presence.
• LSO removes posts made by individuals who do not use their real names.
APP 3 (examples of soliciting personal information)
• You ask for personal information to be provided by an individual completing a form relating to the goods/services you supply
• You exchange business cards with an individual at a meeting
• Information is disclosed to you by an entity in response to your request, where that information includes personal information
• You offer prizes in a competition that requires entries to be submitted
• You receive a complaint in response to a general invitation on your website for individuals to complain to you
• An individual submits an employment application in response to a job advertisement
APP 4 (unsolicited personal information)
• Personal information is unsolicited if you receive it without asking for it
  • misdirected mail, unsolicited employment applications or promotional flyers containing personal information
• You must decide whether you could have collected the information under APP 3.
• If you decide you could not have collected the information, it must be destroyed or de-identified as soon as practicable, if it is lawful and reasonable to do so:
  • You may need it for tax reasons
  • You may be prohibited by law or court order from destroying or de-identifying the information
Case study – LSO Pty Ltd
LSO solicits PI via numerous methods:
• Customers sign up for daily discounts
• Customers’ social media interactions
• Customer complaints
• Occasional customer surveys
LSO also receives PI occasionally:
• Misdirected mail
• Promotional materials from suppliers with information identifying a salesperson, including contact information
• Employment applications
Case study – LSO Pty Ltd
• Directors are unclear on their legal obligations regarding collection of PI.
• Directors do not understand how the PI which LSO collects may be used in LSO’s business, whether LSO needs all the PI it actually collects, and from where and how LSO collects PI.
APP 6 (use and disclosure)
Personal information may only be used or disclosed for the purpose of collection (the ‘primary purpose’), or for a secondary purpose if an exception applies:
• The individual consents
• The individual would reasonably expect you to use or disclose his/her PI for that purpose, and that purpose is related to the primary purpose
• Another exception applies
APP 6 (use and disclosure)
If using or disclosing personal information for a secondary purpose, you must record the use or disclosure in writing:
• Date of use or disclosure
• Details of information used or disclosed
• How the information was used
• To whom the information was disclosed
• The exception on which the use or disclosure is based
Case study – LSO Pty Ltd
• To frame LSO’s purposes for use and disclosure, its directors should understand:
  • When LSO uses PI
  • How LSO uses PI
  • To whom LSO discloses PI
• For example, PI could be used or disclosed for:
  • Order fulfilment
  • Marketing and promotions
  • Credit checks
  • Debt recovery
APP 7 (direct marketing)
APP 7 prohibits you from using or disclosing PI in direct marketing unless an exception applies:
• Collection was direct from the individual, and the individual would reasonably expect their PI to be used for direct marketing
• The individual would not reasonably expect their PI to be used for direct marketing, but consents to the use
APP 7 (direct marketing)
• NB: there is a fine distinction between ‘reasonable expectation’ and ‘consent’
  • Whether an individual would reasonably expect depends on the circumstances
  • Consent can be express or inferred
• If you are permitted to use PI for direct marketing, each message must contain an ‘opt out’ provision.
• APP 7 remains subject to the Do Not Call Register Act and the Spam Act.
Case study – LSO Pty Ltd
• LSO constantly markets products to its customers:
  • Posts customers catalogues
  • Emails customers ‘daily deals’
  • Tracks customers’ browsing habits and buys ad-words to trigger ads in search engines and on social media sites
• Whether LSO must comply with APP 7 depends on the context of the marketing.
APP 8 (cross-border disclosures)
• Regulates cross-border disclosure of PI.
• Two choices for compliance:
  • APP 8.1: before disclosure, take reasonable steps to ensure the overseas recipient does not breach the APPs
    • Contract with the recipient
  • APP 8.2 allows compliance in a variety of ways:
    • Reasonable belief about overseas laws
    • The individual consents to the disclosure
    • Disclosure is required or authorised by law
Case study – LSO Pty Ltd
• LSO uses a multinational cloud provider to host its critical business systems.
• The cloud provider hosts information about LSO’s customers, including their PI.
• LSO agrees to the cloud provider’s terms.
APP 9 (government identifiers)
• Prohibits an organisation from adopting, using or disclosing a government related identifier (except ABNs).
• An ‘identifier’ is a number, letter or symbol (or combination) that is used to identify an individual or verify that individual’s identity.
• A ‘government related identifier’ is an identifier assigned by any government agency.
APP 10 (quality of personal information)
When holding PI, you must take reasonable steps to ensure:
• the PI collected is accurate, up-to-date and complete.
• the PI used and disclosed is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
APP 10 (quality of personal information)
‘Reasonable steps’ depend on the circumstances, including:
• The nature of the PI
• The adverse consequences for the individual if poor quality PI is collected, used or disclosed
• The method or time of collection
• The practicability of taking steps to ensure quality
APP 11 (security of personal information)
• Take reasonable steps to protect PI against misuse, interference and loss
• Unless the information is in a Commonwealth record or you must by law retain the PI, if PI is no longer needed you must take reasonable steps to destroy it
• You should consider document destruction, tax records and other legal obligations on the preservation of documents
Case study – LSO Pty Ltd
• PI of LSO’s customers inadvertently becomes public when the sales director loses an unencrypted USB drive containing the latest survey results in a pub.
• The Privacy Commissioner investigates LSO’s alleged privacy breach.
• The Privacy Commissioner concludes that LSO breached APPs 1, 2, 3, 8 and 11.
• LSO gives enforceable undertakings to the Privacy Commissioner.
APP 12 (access)
• If you hold PI about an individual, you must, on the individual’s request, grant the individual access to the PI.
• Access may be denied on a number of grounds, including:
  • Serious threat to life, health or safety
  • Unreasonable impact on other individuals’ privacy
  • Frivolous or vexatious request
  • Anticipated legal proceedings
  • Prejudice to negotiations between you and the individual
  • Law enforcement matters
APP 12 (access)
• You must deal with access requests within a reasonable period of time
• If reasonable and practicable, grant access in the manner requested
• If access is refused, you must give written notice setting out the reasons for refusal and the mechanisms available for complaint
• You can charge for access
APP 13 (correction)
• You must take reasonable steps to correct PI that is inaccurate, incomplete, etc.
• Take reasonable steps to notify third parties to whom the PI was previously disclosed, if requested
• Reasons must be given if correction is refused
• Must deal with correction requests within a reasonable period after the request is made
What should you do?
THE NEW PRIVACY LAWS ARE COMPREHENSIVE
What should you do in the future?
• Apart from complying with the Privacy Act, document how you comply with the Act
  • If the OAIC investigates, documentary proof will help your arguments
• Remember: the Act is designed to protect individuals, not you
• In particular, treat complaints appropriately and responsively
  • Generally, take no longer than 30 days to deal with a complaint
Questions
Please contact:
Craig Subocz
Senior Associate
(03) 9609 1646
firstname.lastname@example.org
rk.com.au