The changing face of privacy laws

The Changing
Face of Privacy
Laws
Craig Subocz
BE (Hons), LLB, LLM, Grad.
Cert. in Entrepreneurship &
Innovation
Senior Associate
1 April 2014

The information contained in this
presentation is intended as general
commentary and should not be
regarded as legal advice. Should you
require specific advice on the topics or
areas discussed please contact the
presenter directly.
Disclaimer

Agenda
What are the
new laws?
How the new
laws may
affect you
What should
you do?

A brief history of the Privacy Act
1988: Privacy Act
introduced
12/2001: NPPs
introduced
1/2006: ALRC
asked
to report on Act’s
effectiveness
8/2008: ALRC
delivers 3-volume
report, with 295
recommendations
10/2009: Govt
releases its First
Stage Response
10/2010: Govt
releases
exposure draft of
legislation
12/3/2014:
Privacy Act
amendments
take effect
12/2012:
Enhancing
Privacy
Protection Bill
passed by
Parliament
5/2012:
Enhancing
Privacy
Protection Bill
introduced

What are the new laws?
• Distinguished from laws protecting
confidential information, Spam Act, Do Not
Call Register Act, etc.
• Privacy Act regulates the collection, use and
disclosure of “personal information” by “APP
entities” from individuals.
• APP entities are organisations bound to
comply with the Privacy Act
Disclosure
Collection Use
Third Party
Organisation
Individual

What are the new laws?
• Replace the NPPS with the APPs
• Re-write credit reporting regime
• Greater consumer protections
• Expand OAIC powers
• Greater investigatory powers
• Increase penalties for privacy breaches
• Penalties up to $1.7 million
• Enforceable undertakings

How privacy laws may affect you
You must comply with the Act if you answer ‘yes’ to
any of the following questions:
• Is your annual turnover in excess of $3 million?
• Do you provide a “health service”?
• a private health service provider
• Do you disclose personal information about
another individual to a 3rd party for a benefit,
service or advantage?
• Do you provide a benefit, service or advantage to
collect personal information about an individual
from a 3rd party?

Definition of ‘personal
information’
• Although definition of ‘personal information’
amended, little practical change.
• From 12 March 2014, ‘personal information’
means “information or an opinion about an
identified individual, or an individual who is
reasonably identifiable:
• Whether the information or opinion is true or
not; and
• Whether the information or opinion is recorded
in a material form or not.”
• NB: ‘employee records’ still exempt from Privacy
Act, but note Fair Work Act requirements

APP 1 (openness and
transparent management)
• More than just updating your privacy policies (if you
have one).
• APP 1 requires “APP entities” to implement
practices, procedures and systems to ensure
compliance.
• Employee training on privacy
• Clear, transparent complaints handling procedure
• An APP entity is an organisation bound by the Act
to comply with the Australian Privacy Principles

Case Study – LSO Pty Ltd
• Annual turnover of $5 million
• Sells fast moving consumer goods
• Online sales
• Retail channels
• Direct to consumer channels
• Offers ‘valued’ customers regular “discount days”
• To qualify, customers must provide LSO with their
name, email address and mobile number
• LSO stores this information in a computerised
database.

• In LSO’s privacy policy (last updated in 2006), a
director is named the “privacy officer”.
• He has little knowledge of Australia’s privacy
laws.
• LSO has not provided its directors and staff with
privacy training.
• LSO has no formal privacy compliance policies
or procedures.

APP 2 (anonymity and
pseudonymity)
• Individuals may deal anonymously or
pseudonymously with you.
• But you are not obliged to if:
• You are required or authorised by law or court or
tribunal order to deal with identified individuals;
or
• It is impracticable for you to deal with individuals
who have not identified themselves.

Case study – LSO Pty Ltd
• LSO encourages customer participation on its
interactive social media presence
• LSO removes posts made by individuals who do
not use their real names.

APP 3 (collection of solicited
personal information)
• You solicit personal information if you expressly ask for
the information or take active steps to collect the
information
• Personal information should only be collected if it is
reasonably necessary for your functions or activities
• Your privacy policy should set out the relevant
functions and activities for which the information is
being collected
• Sensitive information should generally only be collected
with individual’s consent
• Personal information should only be collected by lawful
and fair means and directly from an individual (unless
an exception applies)

APP 3 (examples of soliciting
personal information)
• You ask for the personal information to be provided through
the completion of a form by an individual relating to the
goods/services you supply
• You exchange business cards with an individual at a meeting
• Information is disclosed to you in response to your request by
an entity where that information includes personal
information
• You offer prizes in a competition that requires entries to be
submitted
• You receive a complaint in response to a general invitation
on your website to individuals to complain to you
• An individual submits an employment application in response
to a job advertisement

APP 4 (unsolicited personal
information)
• Personal information is unsolicited if you receive it without
asking for it
• misdirected mail, unsolicited employment applications
or promotional flyers containing personal information
• Must decide whether you could have collected the
information under APP 3.
• If you decide you could not have collected the information,
must be destroyed or de-identified as soon as practicable if
lawful and reasonable to do so.
• You may need it for tax reasons
• You may be prohibited by law or court order from
destroying or de-identifying the information

 Solicits PI via numerous methods:
• Customers sign up for daily discounts
• Customers’ social media interactions
• Customer complaints
• Occasional customer surveys
 Also receives PI occasionally:
• Misdirected mail
• Promotional materials from suppliers with information
identifying a salesperson, including contact information
• Employment applications

Directors unclear on
their legal obligations
regarding collection of
PI.
Directors do not
understand how the
PI which LSO collects
may be used in LSO’s
business, whether
LSO needs all the PI
it actually collects and
from where and how
LSO collects PI.

APP 5 (notification of collection)
• Your identity and contact details
• The fact and circumstances of collection
• Whether the collection is authorised or required
by law
• Why you collected the PI
• What happens if the PI is not collected
• Your usual disclosures of collected PI
• Information about your privacy policy
• Whether you are likely to disclose PI overseas
Before or at the time of collection, clients
must notify individuals, or otherwise ensure
that individuals are aware of:

APP 6 (use and disclosure)
Personal information may only be used or disclosed
for the purpose of collection (‘primary purpose’) or
for a secondary purpose if an exception applies:
Individual consents
Individual would reasonably expect our client
to use or disclose his/her PI for that purpose
and that purpose is related to the primary
purpose
Other exception applies

APP 6 (use and disclosure)
If using or disclosing personal information for a
secondary purpose, must record the use or
disclosure in writing:
• Date of use or disclosure
• Details of information used or disclosed
• How the information was used
• To whom was the information disclosed
• The exception on which use or disclosure is
based

• To frame LSO’s purposes for use and disclosure, its directors
should understand:
• When does LSO use PI
• How LSO uses PI
• To whom LSO discloses PI
• For example, PI could be used or disclosed for:
• Order fulfilments
• Marketing and promotions
• Credit checks
• Debt recovery

APP 7 (direct marketing)
APP 7 prohibits you
from using or disclosing
PI in direct marketing
unless exception
applies: Collection direct from
individual and individual
would reasonably
expect their PI to be
used for direct
marketing
Individual would not
reasonably expect their
PI to be used for direct
marketing, but consents
to the use

APP 7 (direct marketing)
• NB: fine distinction between ‘reasonable
expectation’ and ‘consent’
• Whether an individual would reasonably
expect depends on circumstances
• Consent can be express or inferred
• If permitted to use PI for direct marketing, each
message must contain an ‘opt out’ provision.
• APP 7 remains subject to the Do Not Call
Register Act and the Spam Act.

• LSO constantly markets products
to its customers.
• Posts customers catalogues
• Emails customers ‘daily deals’
• Tracks customers’ browsing
habits and buys ad-words to
trigger ads in search engines
and social media sites
• Whether LSO must comply with
APP 7 depends on the context of
the marketing.

APP 8 (cross-border disclosures)
• Regulates cross-border disclosure of PI.
• Two choices for compliance:
• APP 8.1 - before disclosure, take reasonable steps
to ensure overseas recipient does not breach the
APPs.
• Contract with recipient
• APP 8.2 allows compliance in a variety of ways:
• Reasonable belief about overseas laws
• Individual consents to disclosure
• Disclosure is required or authorised by law

• LSO uses a multinational cloud
provider to host its critical
business systems.
• Cloud provider hosts information
about LSO’s customers, including
their PI.
• LSO agrees to cloud provider’s
terms.

APP 9 (government identifiers)
• Prohibits an organisation from adopting, using
or disclosing a government related identifier
(except ABNs).
• An ‘identifier’ is a number, letter or symbol (or
combination) that is used to identify an
individual or verify that individual’s identity.
• A ‘government related identifier’ is an identifier
assigned by any government agency.

APP 10 (qualify of personal
information)
When holding PI, you must take reasonable
steps to ensure:
• the PI collected is accurate, up-to-date and
complete.
• the PI used and disclosed is, having regard
to the purpose of use or disclosure,
accurate, up-to-date, complete and
relevant.

APP 10 (quality of personal
information)
‘Reasonable steps’ depend on the
circumstances, including:
• The nature of the PI
• The adverse consequences for the
individual if poor quality PI is collected,
used or disclosed
• Method or time of collection
• The practicability of taking steps to ensure
quality.

APP 11 (security of personal
information)
• Reasonable steps to protect PI
against misuse, interference and
loss
• Unless information is in a Cwth
record or you must by law retain
PI, if PI is no longer needed,
must take reasonable steps to
destroy PI
• You should consider document
destruction, tax records and other legal
obligations on preservation of
documents

• PI of LSO’s customers becomes
inadvertently public when the sales
director loses an unencrypted USB drive
containing latest survey results in a pub.
• Privacy Commissioner investigates LSO’s
alleged privacy breach.
• Privacy Commissioner concludes that LSO
breached APPs 1, 2, 3, 8 and 11.
• LSO gives enforceable undertakings to the
Privacy Commissioner.

APP 12 (access)
• If you hold PI about an individual, our client must,
on the individual’s request, grant the individual
access to the PI.
• Access may be denied on a number of grounds,
including:
• Serious threat to life, health or safety
• Unreasonable impact on other individuals’ privacy
• Frivolous or vexatious request
• Anticipated legal proceedings
• Prejudice negotiations between you and the individual
• Law enforcement matters

APP 12 (access)
• You must deal with access requests within a
reasonable period of time
• If reasonable and practicable, grant access in
the manner requested
• If access is refused, must give written notice
setting out reasons for refusal and the
mechanisms available for complaint
• You can charge for access

APP 13 (correction)
• You must take reasonable steps to correct PI
that is inaccurate, incomplete, etc.
• Take reasonable steps to notify third parties to
whom PI was previously disclosed, if requested
• Reasons must be given if correction is refused
• Must deal with correction requests within a
reasonable period after request is made

What should you do?
THE NEW PRIVACY LAWS ARE
COMPREHENSIVE

What should you do now?
Complete a privacy audit to understand what PI
you collect, hold, use and disclose:
Include a review of client’s privacy policy,
collection statements, etc
Assess what, if any, complaints resolution
process the client may have
If disclosing PI to third parties, review the
basis on which disclosure is made
The audit’s outcome should help prepare you for
the new privacy laws

What should you ASAP?
Don’t dawdle – the new laws are already in effect!
Design and implement a privacy compliance
program
Focus on:
risk identification and management
training for all staff
compliance monitoring
Don’t forget to update your privacy policy
Review interactions with your customers

What should you do in the future?
• Apart from complying with the Privacy Act,
document how you comply with the Act
• If OAIC investigates, documentary proof will
help your arguments
• Remember – the Act is designed to protect
individuals, not you
• In particular, treat complaints appropriately
and responsively
• Generally, take no longer than 30 days to
deal with a complaint

Please Contact
Craig Subocz
Senior Associate
(03) 9609 1646
csubocz@rk.com.au
rk.com.au
Questions

The changing face of privacy laws

Recommended

Recommended

More Related Content

What's hot

What's hot (12)

Viewers also liked

Viewers also liked (8)

Similar to The changing face of privacy laws

Similar to The changing face of privacy laws (20)

More from Russell_Kennedy

More from Russell_Kennedy (20)

Recently uploaded

Recently uploaded (20)

The changing face of privacy laws