Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Privacy Law Landscape: Issues for the research community


Published on

Presentation by Anna Johnston of Salinger Privacy to ARDC's 'GDPR and NDB scheme: Intersection with the Australian research sector' webinar on 13 September 2018

Published in: Education
  • Be the first to comment

  • Be the first to like this

The Privacy Law Landscape: Issues for the research community

  1. 1. The Privacy Law Landscape: Issues for the research community ARDC webinar 13 September 2018 Presentation by Anna Johnston
  2. 2. This webinar • the regulatory landscape for researchers • common privacy issues for researchers: consent and de-identification • new developments: GDPR and notifiable data breaches • what’s coming next
  3. 3. Use & disclosure for research
  4. 4. APP 6 APP 6 allows use or disclosure of personal information if it is … • for the primary purpose of collection • for a directly related secondary purpose within reasonable expectations, or • required/authorised by another law, or • with consent, or • under a public interest exemption – e.g. law enforcement, or research.
  5. 5. Defining de-identification GDPR test: • Recital 26 says the GDPR does not apply to anonymous data • Anonymous data means data “which does not relate to an identified or identifiable natural person”, or “personal data rendered anonymous in such a manner that the data subject is… no longer identifiable” Australian test: • Law says “personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable” • So ‘de-identified’ data has a low risk, but not zero risk, of re- identification. It is not necessarily ‘anonymous’ data.
  6. 6. Our approach • To de-identify (or to anonymise or to confidentialise) is to do something to data to try and break the identifiability aspect • De-identification is a set of processes / methodologies, not a description of the end-state • So ‘de-identified data’ means data to which a de- identification process has been applied, but is not necessarily a statement that the data is ‘anonymous’ • Anonymous data is very difficult to achieve
  7. 7. When deID is useful • to make data perfectly ‘anonymous’ such that privacy/data protection laws no longer apply at all • as a tool to minimise data security risks (which in turn lessens the need to notify data breaches) • as a ‘Privacy by Design’ feature • to enable processing for secondary purposes • ‘legitimate interest’ test may be easier to meet • research: ethics approval may require deID to be at least attempted
  8. 8. Consent To be valid under privacy law, ‘consent’ must be voluntary, informed, specific, current, and given by a person with capacity. It must be proactive (opt-in). It must be as easy to withdraw consent as to give it. It cannot be a condition of doing business with you.
  9. 9. When can we proceed in the absence of consent? When relying on a research exemption that says “it is impracticable to seek consent” – e.g. Privacy Act s.16B(3). The fact that seeking consent is inconvenient or would involve some effort or expense is not of itself sufficient to warrant it impracticable. It needs to be at least ‘very difficult’ to track down the individuals. Note: There are a number of additional hoops to jump through for the research exemption.
  10. 10. New developments • mandatory notification of data breaches under the Privacy Act 1988 (Cth) • the General Data Protection Regulation (GDPR), a European privacy law with extra- territorial reach into Australia
  11. 11. Data breach notification
  12. 12. Breach notification: scope • All orgs holding TFNs : re TFNs • Credit providers and credit reporting bodies : re credit info • ‘APP entities’ : re personal information
  13. 13. APP entities • Australian government agencies • Businesses and non-profits with a turnover of more than $3M pa • Health service providers • Contracted service providers to the Commonwealth • Orgs covered by AML-CTF rules
  14. 14. What is required • data breach = loss, unauthorised access, unauthorised disclosure • ‘notifiable’ if ‘likely to result in serious harm’ to 1+ individuals • notification ASAP to OAIC and affected individuals • $2.1M fines for non-compliance
  15. 15. GDPR
  16. 16. (Don’t believe) the hype • GDPR is a revolutionary new law • we have to treat European citizens differently • argh, we need consent for everything!! • oh yay, we can get consent via T&Cs! • the right to erasure is going to ruin everything
  17. 17. GDPR overview • updated and harmonised privacy laws in 28 EU Member States • significant penalties €20M or 4% • extended reach outside Europe: if you offer goods or services (including free services) to, or monitor the behaviour of, people in the EU
  18. 18. GDPR rules • 7 Data Protection Principles • 7 Data Subject Rights • 6 Lawful grounds for processing (one of which is consent) • PIAs, Privacy by Design, data breach notification
  19. 19. Research under the GDPR • Data can be ‘processed’ for research if it is anonymous data, or on the basis of consent. • For data processed under one of the other five lawful grounds, “compatible purposes” will also be allowed, including research in the public interest. • Anonymisation or pseudonymisation should be the default for protecting privacy during research. • ‘Right to erasure’ does not apply to research data. • ‘Right to object’ applies to research unless public interest proven.
  20. 20. The next big thing(s) • Data Sharing & Release Bill • National Data Custodian Commissioner • Consumer Data Right (data portability)
  21. 21. Tools to assist The Salinger Privacy Comprehensive Compliance Kit includes: • eBooks including Demystifying De-identification • Online privacy awareness training & advanced modules • The Privacy Officer’s Handbook • Checklists such as 10 Steps Towards GDPR Compliance • Template privacy-related policies & procedures (to meet both AU and EU requirements) including: – Privacy Policy – Data Breach Response Plan – Collection notices, Consent forms, Contract clauses – PIA Framework & Questionnaire
  22. 22. Thank you Anna Johnston Director Salinger Privacy We know privacy inside out. We consult, train, publish, blog and tweet on all things privacy. Find out more or sign up for our email newsletter at