Transcript

  • 1. Getting privacy compliance right. Vanessa Baic, Senior Associate, K&L Gates. Copyright © 2013 by K&L Gates. All rights reserved.
  • 2. Good and not-so-good news!
  • 3. Good news!
    • Aware of the importance of proper handling of information
    • Strong compliance culture
    • Process driven
    Not-so-good news…
    • Repeated “mistakes”
  • 4. What is today about?
    • Privacy 101
    • The Golden Rules
    • Implementation
  • 5. Privacy 101 – The basics
  • 6. Privacy 101 – The information lifecycle
  • 7. (Diagram: the information lifecycle – COLLECT → USE/DISCLOSE → STORE)
  • 8. (Diagram: the lifecycle with the COLLECTION stage highlighted)
  • 10. Key definitions
    Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is:
    • true or not; and
    • recorded in a material form or not
    Sensitive information includes race, ethnic origin, political opinions, membership of professional/trade associations, religious or philosophical beliefs, sexual preferences, criminal history and health information
    Health information includes:
    • information or an opinion about the health or disability of an individual, or a health service provided to, or to be provided to, an individual
    • other PI collected to provide, or in providing, a health service
  • 11. (Diagram: the lifecycle with the COLLECTION stage highlighted)
  • 12. (Diagram: DISCLOSURE added – PI flows out to hospitals, CDMP providers, IT service providers, mail houses and ancillary providers)
  • 13. (Diagram: ACCESS added – the same parties also access PI held by the organisation)
  • 14. (Diagram: the complete lifecycle – collection, disclosure and access)
  • 15. Privacy 101 – New laws
    • 10 National Privacy Principles replaced with 13 Australian Privacy Principles
    • The Commissioner’s powers have been increased
    • New laws commence on 12 March 2014
  • 16. The Golden Rules – What you need to know to comply with the current and new laws
  • 17. Collection Rules
  • 19. Do not collect PI unless you need it
    • You must not collect PI unless the information is necessary for one or more of your functions or activities
    • eg. Membership application form
  • 21. Obtain consent before collecting sensitive information
    • An organisation must not collect SI about an individual unless (amongst other things) the individual has consented
    • eg. Information from a CDMP provider
  • 22. Provide a collection statement before or at the time of collection
  • 23. Collection statements – current requirements:
    • Your identity and how to contact you
    • The fact that he/she can gain access to the information
    • The purposes for which the information is collected
    • The organisations (or types of organisations) to which you usually disclose information of that kind
    • Any law that requires or authorises the particular information to be collected
    • The main consequences (if any) for the individual if all or part of the information is not provided
    Collection statements – additional requirements under the new laws:
    • Whether you collect PI about the individual from a third party and the circumstances of that collection
    • The fact that your privacy policy contains information about how the individual may:
      • access and correct PI
      • complain about a breach of the APPs, and how you will deal with such a complaint
    • Whether you are likely to disclose PI overseas and, if so, the countries where such recipients are likely to be located
  • 24. Are you properly providing collection statements and obtaining necessary consents? Members? Healthcare providers?
  • 26. Collecting unsolicited information
    • Decide within a reasonable period whether you could have collected the PI if you had solicited it
    • If you could not have collected the PI, and it is not contained in a “Commonwealth record”, destroy or de-identify it
    • If you could have collected the PI, then the APPs apply
  • 27. Use and Disclosure Rules
  • 28. Use and disclosure
    • Do not use or disclose PI about an individual for a purpose (the secondary purpose) other than the primary purpose of collection without consent unless:
      • the secondary purpose is related to the primary purpose of collection (directly related in the case of SI); and
      • the individual would reasonably expect you to use or disclose the information for the secondary purpose
    • eg. CDMP programs
  • 29. Direct marketing
    New “prohibition” on direct marketing – APP 7.1. Direct marketing is permitted only where one of the following exceptions applies:
    APP 7.2 – information collected from the individual:
    • the individual would reasonably expect the use or disclosure
    • an opt out option is provided
    • the individual has not opted out
    APP 7.3 – information collected from the individual, but the individual would not reasonably expect the use or disclosure:
    • the individual has consented, or it is impracticable to obtain consent
    • an opt out option is provided
    • a prominent statement is made, or attention is drawn to the opt out
    • the individual has not opted out
    APP 7.3 – information collected from a third party:
    • the individual has consented, or it is impracticable to obtain consent
    • an opt out option is provided
    • a prominent statement is made, or attention is drawn to the opt out
    • the individual has not opted out
    Actions – review collection notices and information collection methods
  • 30. Disclosure overseas
  • 31. Disclosure overseas (cont.)
    APP 8 – New accountability approach to cross-border disclosure of personal information
    If: you disclose personal information to an overseas recipient
    Implication:
    • You must take reasonable steps to ensure compliance with the APPs by the overseas recipient – contractual obligation, audit
    • The sender is potentially liable for misuse by the overseas recipient!
    Unless:
    • the overseas recipient is subject to similar principles as the APPs and enforcement action is available; or
    • the individual consents to the disclosure after being expressly informed that APP 8.1 will not apply
  • 32. Disclosure overseas (cont.) – Privacy in Asia, indicative examples
    Jurisdictions grouped on the slide along a Weak / Medium / Strong scale, listed in the order they appear: Singapore (draft bill); China; Bangladesh; Pakistan; Sri Lanka; Nepal; Hong Kong; Macau; India; Philippines; Thailand; Vietnam; Malaysia (legislation still to come into force); South Korea; Taiwan; Japan
  • 33. Storage and Disposal Rules
  • 35. Storage and disposal
    • You must take reasonable steps to protect PI from:
      • misuse, interference and loss
      • unauthorised access, modification or disclosure
    • You must take reasonable steps to destroy or permanently de-identify PI if you no longer need it
    • Take care of other obligations to retain information
  • 36. Other Rules
  • 37. (Diagram: corporate group – Parent Co.; ABC Health Insurance; ABC Insurance; ABC Life Insurance; ABC General Insurance; XYZ Health Insurance; XYZ Healthcare; XYZ Allied Health; XYZ CDMP)
  • 38. You are not one big happy family!
    • The related bodies corporate exemption does not apply where:
      • SI is concerned
      • the related body corporate is overseas
  • 39. You need to have robust privacy processes and policies
    • Standard operating procedures
    • Privacy policy
  • 40. Privacy policy
    • The kinds of PI you collect and hold
    • How you collect and hold PI
    • The purposes for which you collect, hold, use and disclose PI
    • How an individual can access PI held by you and seek correction of such PI
    • How an individual can complain about a breach of the APPs, and how you will deal with the complaint
    • Whether you are likely to disclose PI overseas and, if so, the countries in which such recipients are likely to be located
  • 41. Implementation – What should you do to comply?
  • 42. Implementation: What should you do?
    1. Identify all relevant PI/SI flows now and after 12 March 2014
    2. Prepare and confirm an “information flows” document based on the above
    3. Assess and report on privacy compliance
    4. Prepare (or update) your privacy policy and collection statements (incorporating consents)
    5. Decide how you will notify individuals of changes to your privacy policy and collection statements
    6. Implement transborder transfer agreements
    7. Prepare a standard operating procedure
    8. Train the privacy officer(s) and delegates
    9. Train relevant staff
    10. Refresher and induction training programs
    11. Regular review and updating of your privacy policy and collection statements (and consents)
  • 53. Why bother?
    • Because you cannot afford not to!
    • What will adverse publicity do for your business?
    • New powers afforded to the Commissioner
  • 54. Commissioner’s new powers – Office of the Australian Information Commissioner
    • Investigate complaints about interference with privacy
    • Monitoring-related functions – security and accuracy of credit reports
    • Conduct assessments relating to the APPs
    • Apply to the Federal Court for civil penalty orders
    • Request a copy of a privacy impact assessment from an agency
    • Accept enforceable undertakings
    • Undertake investigations and order actions
  • 55. Questions / Further information
    Vanessa Baic, Senior Associate, K&L Gates
    Phone: +61 9205 2046
    vanessa.baic@klgates.com
    www.klgates.com