Madeleine Kearney, Gadens Lawyers - Privacy Law Update – How do reforms to the Privacy Act impact the pharmaceutical industry?


Madeleine Kearney delivered the presentation at 2014 Pharmaceutical Law Conference.

The Pharmaceutical Law Conference is the foremost meeting place and networking hub of the pharmaceutical law industry, and the only pharmaceutical law event in the Asia-Pacific region. The 2014 event highlights included pharma law reform, IP, competitive strategies, industry transparency, sustainable drug pricing and patenting life sciences and more.

For more information about the event, please visit:


2. Brief History
  • The Privacy Amendment (Enhancing Privacy Protection) Act 2012 commenced on 12 March 2014.
  • Represents the end point of a law reform process that started in 2004, when the A-G requested the Privacy Commissioner to undertake a review of the provisions of the Privacy Act 1998 applying to the private sector.

3. Summary of Reforms
  • Old National Privacy Principles and Information Privacy Principles replaced by new Australian Privacy Principles (APPs), which apply to both private and public sector organisations.
  • Enhanced investigation and enforcement powers (including introduction of pecuniary penalties of up to $1.1 million).
  • Other changes not relevant to the pharmaceutical industry (eg, credit reporting).

4. “Personal information”
  • Definition of “personal information” (section 6, Privacy Act 1988): “information or an opinion about an identified individual, or an individual who is reasonably identifiable”.
  • Examples of personal information collected/held by pharmaceutical companies subject to the Privacy Act:
    ‒ Customers (eg, patient support programs, competitions/promotions for OTC products, pharmacovigilance);
    ‒ Participants in clinical trials;
    ‒ Healthcare professionals.

5. APPs
  • The more things change, the more they stay the same….
    ‒ With some important exceptions (discussed later), the new APPs largely echo the old National Privacy Principles.
    ‒ Underlying principle of “informed consent” – businesses are (and were) required to be open and transparent regarding how they collect, use and share individuals’ personal information.
    ‒ Does not expressly deal with challenges arising from new technology.

6. APPs
  • Privacy policies/statements
    ‒ APP 1 imposes more prescriptive requirements regarding the content of a privacy policy, eg:
      • Information regarding how an individual may complain about a breach of the APPs and how the entity will deal with the complaint;
      • Whether the entity is likely to disclose personal information to overseas recipients and, if so, the countries where such recipients are likely to be located (if practicable).
    ‒ APP 5 imposes additional requirements regarding the content of disclosures to be made when collecting personal information.

7. APPs
  • Privacy policies (cont.)
    ‒ Companies must take reasonable steps to make their privacy policy available free of charge in an appropriate form or in the form requested by an individual – in most cases it will need to be made available on the company’s website.
    ‒ ACTION
      • Review privacy policy against requirements of the APPs and ensure it is available on the website.
      • Identify other privacy disclosure documents (eg, informed consent documents for clinical trials) to ensure compliance with disclosure obligations.

8. APPs
  • Unsolicited personal information
    ‒ APP 4 introduces new requirements regarding unsolicited personal information.
    ‒ General principle is that unsolicited personal information must be afforded the same privacy protection as solicited personal information.
    ‒ ACTION
      • Analyse potential sources of unsolicited personal information:
        › Eg, letters, emails, social media.
      • Develop policies and procedures for dealing with unsolicited personal information.

9. APPs
  • Direct marketing:
    ‒ New APP 7 deals exclusively with direct marketing.
      • Previous approach was that direct marketing activities were dealt with as exceptions (general and specific) to the general requirement in NPP 2 that personal information can only be used for the primary purpose of collection.
      • In practice, however, despite the increased emphasis on direct marketing, there is little change in substance, particularly when the provisions of the Spam Act 2003 are taken into account:
        › Now, in all cases where personal information is used for direct marketing, companies must provide a simple means by which an individual can request not to receive direct marketing.

10. APPs
  • Direct marketing (cont.)
    ‒ ACTION
      • Review direct marketing practices to ensure that they comply with the APPs.
      • Note “direct marketing” is not defined in the Privacy Act but likely includes both consumer-directed marketing practices (OTC products) and marketing activities directed at healthcare professionals (prescription products).

11. APPs
  • Transborder data flows:
    ‒ Very significant change.
    ‒ Previous position was that transfer of personal information to a foreign country was permissible where (among other things): “the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles”.
    ‒ Previously any issues could be overcome by entering into a contract with the overseas recipient requiring the recipient to comply with the National Privacy Principles.

12. APPs
  • Transborder data flows (cont.):
    ‒ Not so easy any more! New approach under APP 8:
      • APP 8.1 provides that before disclosing information to an overseas recipient the entity must take “such steps that are reasonable” to ensure that the recipient does not breach the APPs.
        › HOWEVER – even when an organisation takes reasonable steps to ensure the recipient complies with the APPs, under the deeming provisions of section 16C it may be liable for any breach by the recipient.
      • Very limited exceptions to the deeming provisions, the most significant of which is informed consent to the transfer.

13. APPs
  • Transborder data flows (cont.):
    ‒ “Reasonable belief” exception now only available where: “the entity reasonably believes that… the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and …. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme”.
    ‒ Is “disclosing” different to “transferring”?
      • Could impact where information is hosted in Australia but accessed overseas.

14. APPs
  • Transborder data flows (cont.):
    ‒ ACTIONS
      • Carefully review circumstances where information may be “disclosed” overseas and revise privacy consents accordingly.
      • Existing information:
        › Unlikely to be practical to retrospectively seek consent:
          » Consider whether the purpose can be achieved using de-identified data.
          » Review data storage and offshoring arrangements to ensure they comply with the new requirements:
            • Status of encrypted data?

15. Enforcement
  • Introduction of a civil penalty of up to $1.1 million where:
    ‒ the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or
    ‒ the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
  • Breach of an APP amounts to an interference with privacy.

16. Enforcement
  • Other enhancements to the Commissioner’s enforcement powers include:
    ‒ Audit powers.
    ‒ Ability to accept enforceable undertakings.
    ‒ Binding privacy codes – power to request that entities develop and register an APP code, or the Commissioner can develop and register the code him/herself.

17. Data breach notification requirement?
  • Currently no mandatory requirement for businesses to notify affected individuals/government of data security breaches; however, this may change in the short to medium term.
  • ALRC has recommended that a mandatory data security breach notification be introduced – the rationale is that a notification requirement will allow affected individuals to take steps to limit the adverse impacts of a breach (eg, by changing passwords).
  • Privacy Amendment (Privacy Alerts) Bill 2014 was introduced on 20 March 2014 – a reintroduction of the previously lapsed 2013 bill.

18. Data breach notification requirement?
  • Not clear whether the Bill will pass in its current form (or at all); however, the concept of a mandatory data breach notification does appear to have bipartisan support.
  • If passed, it will impose a reporting requirement where a serious data breach occurs:
    ‒ Both government and significantly affected individuals will need to be notified.
  • Watch this space!

19. Questions?
  Madeleine Kearney
  Special Counsel, Sydney
  T +61 2 9931 4801
  E