
Australian Finance Conference
Level 8, 39 Martin Place, Sydney 2000
GPO Box 1595, Sydney 2001
ABN 13 000 493 907
Telephone: (02) 9231-5877
Facsimile: (02) 9232-5647
e-mail: [email protected]

8 October 2013

Mr Timothy Pilgrim
Australian Privacy Commissioner
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001

By email: [email protected]
cc: [email protected]

Dear Mr Pilgrim

DRAFT APP GUIDELINES 1 – 5 – AFC FEEDBACK

The Australian Finance Conference (AFC) appreciates the opportunity for consultation provided by the invitation to comment on draft APP Guidelines 1 – 5 and the additional time to facilitate our response with the first tranche. With a view to assisting finalisation of the Guidelines at the earliest opportunity, our consideration has included components of the second tranche. However, a more involved analysis is being undertaken by our Members, and we propose to include feedback through this process in a further submission. General comments on the draft APP Guidelines, including the introduction, key concepts and Chapters 1-5, follow. More detailed comment is included in the attachment.

Background

By way of context and as you are aware, as the national finance association, the AFC represents a broad range of institutions that operate in the banking and finance sector, including financial service providers and credit reporting bodies that operate in both the consumer and commercial sectors of the market. The collection and handling of personal information of individuals remains fundamental to the business of AFC Members. Personal information remains a significant business asset warranting protection. Its status therefore continues to drive a compliance framework that endeavours to ensure adequate protection supported by other regulatory imperatives, predominantly the Privacy Act [the Act].

Draft APP Guidelines AFC October Comments
Page 2 of 38

What’s Changed between the NPPs vs APPs – Impacts for NPP Guidelines + Private Sector Organisation Compliance?

We note the outcome of the reformed Act that sees the regulatory design move from a set of principles that diverged depending on whether the entity handling the information was in the public sector (and therefore subject to the IPPs and the IPP Guidelines) or the private sector (subject to the NPPs and the NPP Guidelines) to one that applies uniformly (ie the APPs + APP Guidelines). As we understand from reviewing relevant background material, including the Explanatory Memoranda that accompanied enactment of the amendments, in large measure the policy that underpinned enactment of the APPs reflected the parameters that underpinned the NPPs when originally enacted. There have been changes (eg in the move from NPP 9 to APP 8 + s. 16C with information flows to offshore recipients; from NPP 2.1(c) to APP 7 for direct marketing compliance). But otherwise, the standard for information-handling compliance set within the principles appears largely unchanged. We therefore submit that previous guidance provided by you and your predecessors, in particular in the NPP Guidelines, remains a relevant and critical component of the ongoing compliance requirements of AFC Members and others. We accept that, to the extent there is a sound policy basis for change, this will (and should) be reflected in the revision and replacement of the NPP Guidelines with the APP Guidelines. We also acknowledge that this process equally sees the public sector challenged with the need to review and refine compliance programs given the repeal and replacement of the IPPs (and associated guidance) with the APPs. We therefore also anticipate that in areas of particular relevance to public sector APP entities there may be a need for specific guidance, necessitated either because of variation in the application of the APPs (eg in APP 3.1 Collection of Personal Information Other than Sensitive Information – Directly related to entity’s functions / activities) or reflecting a public policy outcome (eg law enforcement; public health and safety).

Hierarchy of Compliance

Our Members fall within the definition of APP entity, credit providers and TFN recipients. Consequently, other components of the Act, in particular the credit reporting provisions (including the operational Credit Reporting Code) and the TFN Guidelines/Rules, equally have relevance to the compliance requirements of the majority of our Members. As you’d appreciate, these other components have the status of law. In contrast, based on the amended provisions and views expressed in the NPP Guidelines and reflected also in the APP Guidelines, we understand that these Guidelines, while clearly relevant to the design of compliance programs by our Members and influential because they reflect the regulator’s view, have the status of advice rather than law.
As a consequence, while we acknowledge that the focus of the consultation is on the APPs, we note the challenge for our Members and others that have obligations beyond the general requirements: to set a compliance default that appropriately caters for all of them. This may see compliance set to the level that meets the highest requirement, particularly where that requirement is legislatively based (eg the Credit Reporting Code), as the default position, so as to facilitate compliance in a manner that best achieves privacy compliance via an efficient and effective business outcome with the resourcing and cost savings that flow. As a consequence, where relevant, our consideration has included implications in the draft APP Guidelines that may have a flow-on effect in other areas of the Act, particularly for credit reporting, and we have also attempted to raise concerns with a view to ensuring an outcome that supports a holistic compliance outcome for all areas of information handling within the business of our Members.

Best Practice Guidance vs Legal Compliance Guidance

As was the case with the development of the NPP Guidelines, we regard the APP Guidelines as providing the foundation for our members to build upon current compliance programs with amended provisions. We therefore see that it is essential that the APP Guidelines appropriately balance the privacy rights of individuals with other equally valid human rights and social interests, including the right of business to achieve its objectives in an efficient way (as reflected in the objects provision of the Act to be inserted through inclusion of s. 2A). As presently drafted, however, we view the APP Guidelines as potentially favouring the privacy right to the detriment of these other rights. In consequence, we submit that the compliance framework that would be required of our members would not enable them to conduct their business efficiently or at profit, and therefore modification of the Guidelines is required.

To this end, we have analysed in detail the draft APP Guidelines and identified areas that raise concern for our members. This is set out in the attached. In large measure our concerns could be addressed through a simple process that reflects the approach taken in the NPP Guidelines and which clearly delineates between ‘best practice’ guidance and that which is required by you to meet the strict legal requirements. This has the benefit of including relevant and clear parameters against which our Members can test compliance while also providing a general level to aspire to with attendant customer relation benefits. To leave it as currently drafted is not in our view appropriate.

We do not believe that in providing Guidelines on the APPs you can or should impose or dictate a higher compliance standard than is contained in the APPs themselves. For example, we do not believe that it is appropriate for you to dictate the appropriate form of consent. Consent has been defined broadly in the law (means express consent or implied consent - s. 6 Privacy Act) and it is this meaning that the term would be given when used in the APPs. We accept that it might be appropriate for you to assist compliance by explaining what “express” and “implied” consent is, including appropriate illustration. However, we believe that statements about what form of consent would be acceptable (eg limited use of opt-out mechanisms to infer consent by omission to act) should be avoided. Further, concepts like consent have been in place since inception of the NPPs and are also fundamental to current compliance processes. Unless there has been a clear policy basis for change, or there are particular acts or practices which have been found to constitute an interference with privacy through breach of the NPPs containing concepts like consent, re-engineering or revision that impinges on the current well-understood parameters should be avoided.

As noted in the draft APP Guidelines, the APPs (like their earlier NPP counterparts) are high-level principles that do not spell out in detail exactly what an APP entity (whether an agency or organisation) must do to comply with them. This was deliberate, to reflect the final balance of competing views of the various interests impacted by the Principles. The APPs deliberately include words like “reasonable” and “practicable” so that it might be left to the regulated APP entity to determine how to structure its operations to appropriately accord the individual his / her right to privacy in a manner efficient and cost-effective to the business. Further, the APPs include these words to enable them to be technology neutral and to be applicable in a wide range of organisations and industries. Another benefit of having a high-level, rather than a prescriptive, approach in the APPs is that it is less likely that they will have to be changed as technology develops or public attitudes about privacy change. We suggest that it is equally important that the APP Guidelines also be drafted to ensure they remain contemporary despite technological advances. Accordingly, their approach should not be prescriptive and dictate the form of compliance, but should effectively be technology-neutral to enable business to determine the best means for it to achieve compliance.

Timing of Final Release of APP Guidelines & Compliance Readiness

As you would also appreciate, AFC Members have invested considerable resources to ensure a compliance outcome that meets the Act’s requirements, including compliance with the current general information handling requirements set down in the NPPs. Compliance has also been designed to meet customer expectations. Across our Membership this is tested on a daily basis as our Members engage in transactions involving the handling of personal information of hundreds of thousands (if not millions) of individuals, reflecting the dynamic and iterative nature of information flows in our Members’ businesses. We submit that a useful measure to test current compliance may be the statistics of customer privacy complaints reported annually by your Office or others that have jurisdiction to consider customer allegations of compliance failure (eg External Dispute Resolution Schemes).
On review, given the volume of information flow and potential for breach, the reported complaint statistics, particularly since the December 2001 commencement of the NPPs, would appear to indicate that the compliance programs of AFC Members accord with the Act’s requirements. As a consequence, given the APPs are largely designed to align with compliance obligations in the NPPs, we would anticipate that the processes currently in place within the operations of our Members will continue to have relevance and applicability post-12 March 2014. We acknowledge that revision and update, particularly to ensure a compliance framework that includes new requirements (eg APP 1 – Privacy Policy; APP 4 – process for dealing with unsolicited information collections; APP 7 – process for use/disclosure of personal information for direct marketing purposes; APP 8 – process for disclosures to off-shore recipients; APP 10 – use/disclosure also has to meet a “relevance” test; APP 11 – information also has to be protected against “interferences”; APPs 12 + 13 – processes when refusing to give access to or correct information), will be required. But, in the absence of change, current compliance processes remain relevant and an integral part of determining the scope and development of revised compliance. This is important in the context of the breadth of the implementation project and the cost likely to be incurred by AFC Members to meet the 12 March 2014 commencement. It is also relevant to the time that AFC Members require to be ready.

We note that we will not know the final detail of the APP Guidelines until later this year. We make this comment not as a criticism, as we fully understand and appreciate the significant challenge for your Office to produce relevant material to support the amendments with resources that have been impacted by budget constraints. However, given when the final detail of the APP Guidelines (and the registered Credit Reporting Code and requisite regulations) is likely to be known, and taking into account the seasonal factors which see staff levels diminish from mid-December to late January and freezes on IT development processes, this at best leaves organisations, including AFC members, a little over three months to settle the parameters and implement an appropriate compliance program for the new amendments. When seeking to implement compliance programs for similarly significant regulatory changes, feedback from our members has been that a period of at least six months from release of the final detail of all relevant components of the law is required in order to make the appropriate documentary, systems, procedural and staff training changes. We therefore strongly encourage that the final version of the APP Guidelines should in large measure reflect current guidance in the NPP Guidelines, subject to our comments on the need for revision based on a clear variance in policy. This will have the benefit of enabling a streamlined compliance process with flow-on benefits in terms of resources, cost and timing, as well as reinforcing the privacy compliance culture in relation to general information handling that has been embedded in our Members’ businesses from December 2001 in particular.

Proposed Enforcement Approach – Conciliation vs Strict Enforcement

The compliance requirement is significant. As a consequence our Members have had to make assumptions on the likely parameters of the final version of the law, including guidance on the APPs from your Office, and have pressed ahead with compliance design to enable the commencement date deadline to be met. This has been influenced both by the potential sanctions for breach and by published statements from you in relation to the likely approach to compliance that will be taken following commencement. While we appreciate the need for you as regulator to ensure appropriate compliance focus across the regulated community, we note and encourage the value of the approach to enforcement that was adopted by your predecessor following commencement of the NPPs and published in a letter to the AFC. A copy is attached for your information (at Attachment 2).

In summary, in response to the AFC’s request for clarification, the Privacy Commissioner wrote to Members outlining the compliance approach he proposed to adopt when administering the new private sector privacy laws. The approach he then used was one of conciliation, rather than deliberately seeking early breaches of the law to make public examples of the organisations involved. The Commissioner proposed to encourage the individual and organisation to resolve any complaint between themselves, where possible. If not successful, he indicated that he might intervene and through conciliation attempt to resolve the issue. His experience with this approach in areas of complaint (eg credit reporting and tax file numbers) that existed in the Act prior to commencement of the private sector amendments had been that it usually results in settlement on the basis that the credit provider, for example, has adequately dealt with the matter. We would encourage a similar approach to be adopted by you in relation to the amendments to the Act resulting from the commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

Conclusion

In conclusion, for just over a decade, the NPPs have provided a benchmark against which our Members have structured compliance programs in their handling of personal information. This has been supported in large measure by useful and operationally effective guidance provided by your predecessor in the NPP Guidelines. Those Guidelines were arrived at through a consultation process similar to the one the development of the APP Guidelines is following. We commend and thank you for providing stakeholders with this opportunity for input. As happened with the NPP Guidelines, our expectation is that the APP Guidelines when finalised will similarly provide a solid foundation of compliance to enable AFC members, and others, to transact their financing business enhanced by a privacy culture, rather than detracted from by it. This consultation process should also assist you and your Office to effectively and efficiently administer the privacy laws, building from the strong foundation put in place following commencement of the NPPs. We look forward to continuing to work with you and your Office to ensure all tranches of the APP Guidelines provide a solid foundation for the privacy compliance of our members that will take them forward into the decade and beyond. Please feel free to contact me on or via e-mail on , should you wish to discuss our comments in more detail.

Kind regards.

Helen Gordon
Regional Director & Corporate Lawyer


AFC COMMENTS – DRAFT APPs INTRODUCTORY MATTERS, KEY CONCEPTS + APPs 1-5

CHAPTER A: INTRODUCTORY MATTERS

PROVISION: Purpose A.1 + A.2
ISSUE: Status of guidelines – Legally binding vs. advisory
AFC PROPOSED SOLUTION / RECOMMENDATION:

The statement of purpose contained in these paragraphs is essential. It sets the status of the guidance provided in the Guidelines. This is critical for AFC Members (and others) when designing and implementing a compliance framework to meet the Act’s requirements (including for the APPs). As the APP Guidelines are not legislative instruments, they are advisory in nature.

We note our general comments on this issue. In summary, the APPs are principles-based law designed to enable regulated entities to design compliance which meets the requirements in a manner that best suits their particular business model, allowing the free flow of information in a way that appropriately protects the individual’s right to privacy in its handling. We therefore anticipate a similar approach in the APP Guidelines (eg to facilitate flexibility, enable regulated entities to tailor practices to their diverse needs and business models and the diverse needs of their clients). As with their predecessors (the NPP / IPP Guidelines), the APP Guidelines have been developed with the purpose of giving regulated entities practical help on how to apply the APPs to their operations. In contrast to Guidelines made by the Commissioner exercising legislative power (eg under the current Act s. 17 Tax File Number Guidelines), the APP Guidelines are advisory only and do not have the status of law (ie are not legally binding). We acknowledge that the APP Guidelines will clearly be persuasive in the compliance design of our Members given they reflect the Commissioner’s views as regulator on how he sees the APPs applying. The veracity of claims of interferences with privacy, as a result of an alleged breach of the APPs by acts or practices engaged in by a regulated entity, will no doubt be assessed by the Commissioner against the APPs and the guidance provided in the Guidelines to support his views of their interpretation. However, given the principles-based nature of the APPs, it should remain for regulated entities to determine what the legal requirements are, taking into account the Commissioner’s views, to arrive at a compliance outcome that is defensible if challenged.

This is particularly the case should the Commissioner continue the current practice in the NPP Guidelines of including best practice guidance in addition to what may be required at the basest level of legal compliance. We understand this is the intention and acknowledge the value of continuing this approach (though note our general comments about a need for a better delineation in the draft APP Guidelines to differentiate best practice guidance).

In our view, the combination of paragraphs A.1 + A.2 when read together fails to clearly establish the status of the Guidelines as advisory rather than legally binding. This has the potential to create in a reader (including a consumer / consumer advocate) the misconception that regulated entities are legally obliged to set compliance to meet the requirements detailed by the Commissioner in the Guidelines. The outcome may see unwarranted complaints of breach. In our view, this should be avoided and could be achieved by clarity in the statement of purpose. This clarity then flows to consideration (and therefore compliance design) for the balance of the Guidelines.

AFC Recommendation: The AFC recommends the statement of purpose be clarified to make clear that the APP Guidelines are advisory, not legally binding. We suggest the following revision:

A.1 The Australian Information Commissioner …. These guidelines are not a legislative instrument (s. 28(4)) and are advisory, not legally binding.

A.2 The APP guidelines outline relevant factors the Information Commissioner may take into account when exercising functions and powers under the Privacy Act relating to the APPs.

PROVISION: Who is covered?
ISSUE: Employees, service providers, etc
AFC PROPOSED SOLUTION / RECOMMENDATION:

Similar to the provisions relating to contracted service providers [Do the APPs apply to a contracted service provider under a Commonwealth contract?], we suggest it may be useful for an additional paragraph to be included in this Chapter at this point, detailing the application of the Act to reflect the different legal character of the regulated entities that are organisations. For example, for organisations that have a corporate character, when the entity will be taken to be responsible for the acts or practices engaged in by its employees or service providers etc (eg PA s. 8).

PROVISION: A.8
ISSUE: Typo – reference in second sentence should be to s. 5B(1A)

CHAPTER B: KEY CONCEPTS

As with the definitions in the Act, we note the significant role “key concepts” have in the parameters and understanding of the APP Guidelines. We also submit that where a concept has been defined in the Act, normal rules of statutory interpretation should dictate its parameters. While there may be benefit in the Commissioner enunciating these in guidance in the APP Guidelines, the challenge will be to ensure alignment. Our Members have expended significant resource and cost to fully understand the legal requirements and would be concerned with guidance that effectively mandated a standard higher than what their legal advisers had indicated and which has been used to establish compliance design and implementation.

Because “key concepts” are fundamental, it is essential that their parameters align with the legal requirements contained in the APPs. Should there be a departure, for example where the Commissioner may be encouraging a ‘best practice’ compliance outcome, this should be clearly identified. This approach would help provide the requisite delineator, given an allegation of breach would not be assessed against this higher suggested approach but against what is required under the law. It would facilitate a compliance approach that allowed entities to initially ensure compliant processes at the basest level, while encouraging a more sophisticated level of compliance that could be incorporated as business maturity and enhanced profitability enabled. Without a clear delineator, the effect in practice will be that a regulated entity will understand that the highest standard in the Commissioner’s guidance will be the “default” minimum, and this will effectively mandate compliance to that standard to ensure a claim of privacy breach is defensible. Such an outcome is in our view at odds with the Act’s objects (in s. 2A), which facilitate an outcome that appropriately balances the individual’s right to privacy with the interests of entities in carrying out their functions or activities.

PROVISION: Access – not currently included
AFC PROPOSED SOLUTION / RECOMMENDATION:

We note draft Guidelines relating to the access principle – APP 12 are yet to be released. We anticipate that the relevant chapter (we assume Chapter 12) may include guidance around the concept of “access” and suggest it may be useful to include this in the Key Concepts chapter against the concept of access (similar to other relevant concepts like use, disclosure).

PROVISION: AUSTRALIAN LINK B.8
ISSUE: Typo – reference in second sentence should be to s. 5B(1A)

PROVISION: Personal information collected “in Australia” B.12
AFC PROPOSED SOLUTION / RECOMMENDATION:

In the interests of certainty, we suggest the following additional words be included: Personal information is collected “in Australia” …, if it is collected from an individual who is physically within the borders of Australia or an external Territory, regardless of where the collecting entity is located or incorporated.

PROVISION: COLLECTION B.15
AFC PROPOSED SOLUTION / RECOMMENDATION:

In the interests of compliance certainty, and noting that “record” is a defined term, we suggest the example be revised as follows: For example, if an entity has a newspaper containing an article with personal information of an individual delivered to it, whether it “collects” it or not depends on its intention. The mere act of physical acquisition through delivery to its premises is not sufficient. However, if the entity were intending to include the article with other documents it handles or to scan the article to save it in the entity’s electronic database, this would be considered to be “collection” for APP purposes.

B.16 We note the example given in relation to web browsing and suggest that it would be useful to highlight that it is the collection of personal information of a reasonably identifiable individual through the use of cookies that is relevant. To the extent that the identity of the individual is not “reasonably identifiable” from the process (eg only the browser’s email address is collected without the entity having the ability to reasonably link the address to the individual who owns it) this would not be “collection” of “personal information”.

CONSENT Legal parameters of consent vs. best practice parameters

Consent is a fundamental concept for individuals and regulated entities alike. For individuals it is a significant means by which they can endeavour to place parameters around the handling of their personal information once it is in the control of another. For entities, it can be a clear and relatively unequivocal means by which they can defend allegations of breach of a number of the APPs (eg APP 6 – use and disclosure; APP 8 – disclosure to offshore recipients). Consent is a defined term in the Act. As noted in the draft Guidelines, it encompasses express and implied consent. These concepts, though not defined in the Act, have been the subject of consideration by courts and, as a consequence, are generally well understood as a matter of law and practice. The current NPP Guidelines have endeavoured to broadly reflect what is encompassed within the legal terms of express consent and implied consent. Recognised within this are the concepts of capacity and competence; also concepts that have meaning shaped by the general law. As a consequence, the NPP Guidelines reflect the law. Equally, as noted by the ALRC, “what is required to demonstrate that consent has been obtained is often highly dependent on the context in which the personal information is collected, used and disclosed” (ALRC Report 108: FYI at page 683). The amendments have not changed the parameters of the definition of consent. Consequently, general legal principles of interpretation remain valid. Our Members have structured compliance with the NPPs on the basis of this interpretation (as reflected in the NPP Guidelines). To the extent the definition of consent under the Act remains unchanged by the amendments taking effect from 12 March 2014, we submit that the compliance processes of our Members should remain valid for the purposes of compliance under the APPs. We acknowledge the Commissioner is intending guidance designed to address a need for contextual guidance. However, we are concerned that, in endeavouring to meet this need, the guidance on consent in the draft APP Guidelines “key concepts” chapter is broader than AFC Members have determined the legal requirements to be and has the potential to increase the compliance obligations of our Members. For example, we note the inclusion of a new key element of consent, namely that:

• it must be current and specific. This has been repeated at relevant points in the guidelines (eg Chapter 6 APP 6 para 6.18; Chapter 7 APP 7 para 7.24; Chapter 8 APP 8 para 8.29). Should there be a legal basis for the expansion we acknowledge revision of compliance is appropriate. However, we recommend that this should be clearly established by the Commissioner and, as currently drafted, this detail has yet to be included. We encourage this omission to be addressed. In its absence, the basis for a more expansive interpretation of the legal requirements of “consent” appears to be more akin to encouraging a ‘best practice’ approach than a strict legal interpretation. If this is the case, we recommend this should be clearly indicated by the Commissioner so that compliance programs can be structured accordingly.

Express or Implied Consent B.27

The use of opt-out as a means of inferring an individual’s consent is commercially sensible and well-accepted both in law and in practice. We acknowledge that the context in which it is obtained will impact on determinations by third parties (including the Commissioner) of whether a customer has consented to something or not. However, we submit that this limitation should not provide a basis for the Commissioner to indicate in guidance a blanket conclusion that use of an opt-out mechanism creates a greater compliance challenge for APP entities seeking to rely on consent than other forms, and consequently that an opt-out mechanism to infer consent will be appropriate only in limited circumstances. We submit that this conclusion is unwarranted and recommend its omission. Instead, the list of relevant factors (contained in the dot points to B.27) appropriately provides guidance on attributes that AFC members and others should take into account when seeking to rely on such a mechanism. Nothing further is required. The approach adopted in the Tips for Compliance in the NPP Guidelines under the section on NPP 2.1(b) is suggested as appropriate and preferable to this area in the draft APP Guidelines. We would note, however, that the second dot point should be amended to reflect a more practical approach that the individual “had an opportunity to read” the information rather than the current approach, which may not be a matter within the control of the APP entity (namely that the individual “read” the information). We also recommend that the last dot point should be amended to reflect the prospective effect of the withdrawal of consent through opting-out. As presently drafted, it implies some retrospectivity that we submit, as both a matter of legal interpretation and practice, lacks substance. AFC Recommendation:

• Omission of the first two sentences from B.27 and revision of the paragraph to focus on the relevant attributes that would assist in allaying concerns for an APP entity to be able to infer consent from particular circumstances.

• Omission or revision of the last dot point to reflect the prospective nature of a withdrawal of consent through the subsequent exercise of an opt-out mechanism by the individual.

Bundled Consent B. 32-33

We acknowledge the Commissioner’s concerns with “bundled consent.” However, we again note the operational context in which our Members operate that sees them challenged with competing legal requirements arising from a range of laws and regulators, each dictating compliance outcomes necessitating plain English, non-legal disclosures that provide a customer with relevant information in an accessible and readable form. For example, for a customer applying for a standard consumer credit card product, the credit provider will be obliged to give the customer:

• a fact sheet with key information in a prescribed form;

• a pre-contractual statement with key information in a prescribed form;

• if the product potentially includes insurance, requisite disclosure documents about the product;

• a prescribed Information Statement giving a range of information relevant to NCCP Act regulated credit;

• a contract with:

o a stand-alone consent to enable the credit provider to offer credit limit increases at appropriate times throughout the relationship;

o an express consent facility to enable the credit provider to comply with its Anti-Money Laundering obligations to verify the customer’s identity, including through disclosing identity data to a credit reporting body and having it verified against the information held for that individual by the body;

o it may also include relevant consents to enable telephone and / or electronic communication for the purposes of the DNC Register Act and SPAM Act.

The customer may have close to a hundred pages of documentation that the credit provider is legally obliged to give, even before the Privacy Act requirements are considered. If each regulator continues a process of requiring separate, stand-alone opt-in consents for each component within the process, the number of pages continues to increase. In turn, this impacts on the customer’s ability to understand and recall exactly what he or she has consented to. Further, the regulated entity will need to develop and maintain a sophisticated system that records and keeps current the customer’s consent (or withdrawal) to each aspect of the process. We submit that at present no system has this level of sophistication. Further, while in theory its design may be achievable, the cost would be prohibitive. We also question the basis for this cost given the earlier concerns about the value of the process to the customer. It is in this context we have considered the guidance on express or implied consent. AFC Recommendation: In the context of privacy as one of a range of laws imposing a form and timing obligation on AFC Members in relation to disclosure and consent, we recommend a holistic review by Government is required as a precursor to imposing further regulation on APP entities. The review should involve empirical research to determine whether disclosure and opt-in consent is an appropriate means of customer engagement as a precursor to regulatory design revision. In the interim, current processes should recognise that the risk of breach of the privacy laws remains with the APP entity. As a consequence, the APP entity should retain the ability to determine a compliance process that appropriately reflects the context of its business and client base. It may be that a process of bundling some subject matter on which consent is being solicited is able to achieve the consumer protection objective (whether it be under the privacy laws or other laws) while enabling a streamlined and resource/cost effective compliance outcome for the regulated entity. For these reasons, the AFC recommends omission of paragraph B.33.

Current + specific B.35-36

Dynamic nature of information collection, use + disclosure – appropriate point within that transaction for consent to be obtained + be able to be relied on by APP entity

We note our earlier comments in relation to the lack of basis for inclusion of this “new” element as a key requirement of the definition of “consent” for the purposes of the Privacy Act. We also note that the approach adopted in the guidance fails to recognise the operational context in which information is collected, used and disclosed. If adopted literally, the outcome could see an APP entity required to approach a customer frequently as a precursor to each use / disclosure. We do not believe this was intended. We believe the guidance was more about highlighting a potential concern of the Commissioner in relation to extensive timeframes between the act of obtaining consent and the use or disclosure in reliance on the consent. The Commissioner is keen to encourage a process to ensure the currency of consent by APP entities. We acknowledge the objective, but suggest that again this appears an area of best practice rather than strict legal requirement. AFC Recommendation: We recommend revision of the guidelines in this area to better distinguish this as an area of best practice.

Capacity B. 21 + B.37

Elements of capacity + courts approach

We submit that the fourth dot point at B.21 should be revised to encompass all components relevant to capacity as follows:

• the individual must have the capacity to consent (ie be capable of understanding the issues relating to the decision, forming a view based on reasoned judgment and communicating their decision).

Further, as we understand, capacity is a legal term and is presumed unless a court has determined that an individual lacks capacity in the particular circumstances. This is reflected in the current NPP Guidelines: “….only a competent individual can give consent, although an organisation can ordinarily assume capacity unless there is something to alert it otherwise.” As we understand, the guidance in the NPP Guidelines (including the words quoted above, “an organisation can ordinarily assume capacity unless there is something to alert it otherwise”) continues to reflect the legal requirement for consent. In an operational context, those words are particularly important for compliance design. They do not appear to have been reflected in the discussion of competence in the draft APP Guidelines. Their omission potentially sees a significant shift in compliance obligation for the APP entity. The reason for the omission and consequently this shift has not been provided. In the absence of a clear legal basis, we submit that they remain relevant and should be re-introduced. AFC Recommendation: The AFC recommends the inclusion of an additional sentence after the second sentence in B.37 as follows: “… communicating their decision. An APP entity can ordinarily assume capacity unless there is something to alert it otherwise. If an APP entity…”

B. 38 In the interests of consistency “ability” should be replaced with “capacity”.

B. 39 We suggest this provision may require revision. As we understand, whether an individual has capacity to consent or not is a question of fact determined based on the circumstances. Therefore the issue is not whether or not an individual has exercised their capacity, rather whether in the circumstances the individual would be determined to have had capacity.

DISCLOSURE B.50 We recommend that the last dot point be revised to better reflect the operational and compliance risk as follows:

• an APP entity does not take reasonable steps to ensure the security of personal information as required by APP 11 (see Chapter 11) resulting in unauthorised access to that information by another entity.

HOLDS B.62 We recommend that the first dot point may need to be revised to better reflect the operational and compliance risk as follows: For example, an APP entity “holds” personal information where:

• it physically possesses a record containing the personal information and is able, physically or electronically, to access it (including through decryption software)

This would address situations where records may be physically stored off-site in locked containers with a specialised document storage agency but the entity is not able to access the containers, or where information is kept encrypted but the entity with possession has no software capacity to decrypt the information in order to access it.

NECESSARY + REASONABLY NECESSARY

B. 67 We note the shift from the current approach in the NPP Guidelines, in which the handling of de-identified information was presented as a Tip for Compliance, to its treatment in the draft APP Guidelines with the status of the balance of the guidance material in this area. We are concerned with what this approach may mean for our Members’ compliance design and risk of allegations of breach. In short, the nature of the financial services business in which our Members are engaged, and the laws and commercial imperatives for prudence that bind them, will leave their ability to transact with information on a de-identified basis extremely limited. We acknowledge the qualification of alternatives with “reasonable” but submit, in the interests of compliance certainty, that this is another area where a clear distinction between the law and best practice is warranted. AFC Recommendation: As a consequence, we recommend revision of B.67.

PERSONAL INFORMATION

B.70 AFC Recommendation: In line with the Explanatory Memorandum, we recommend inclusion of an additional sentence to conclude B.70 as follows: What constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances. The application of “reasonably identifiable” ensures the definition continues to be based on factors that are relevant to the context and circumstances in which the information is collected and held.

B.71 In the first dot point, we are unsure what attribute “extent” of the information is intended to cover and suggest it may need revision to assist understanding.

B.72-73 We note the current approach under relevant road traffic laws which has seen a shift from registered owner to registered operator. In short, registration is no longer determinative of ownership.

PURPOSE Purpose is another fundamental component of compliance design for AFC members. Concepts like primary purpose and secondary purpose have been firmly embedded in compliance since December 2001 with the introduction of the NPPs. We are concerned with the narrow approach to the concept of purpose that has been adopted in these paragraphs and question the basis on which it has been taken. In short, the primary purpose will largely turn on the facts surrounding collection of the information. If the APP entity has clearly notified the individual of the primary purpose with some specificity beyond a generic statement (eg for the functions of the entity), we see no reason for any suggestion that it should be construed more narrowly than what has been notified. We accept that, had the APP entity been reliant solely on the circumstances of collection without anything further, it may be appropriate for the Commissioner, in the interests of protecting the individual, to adopt a narrow interpretation of the purpose of collection. AFC Recommendation: To alleviate potential operational concerns, we submit the second sentence in B.80 should be revised as follows: In general, should the purpose of collection be ambiguous in the particular circumstances, the Commissioner is likely to interpret it narrowly to protect the individual’s privacy.

B.81 We accept that the dot points are intended as examples only. However, we are concerned with the level of specificity, particularly noting the current approach in the NPP Guidelines which has provided the foundation of the compliance of AFC Members and given there has not been a change in policy reflected in the shift from the NPPs to the APPs in this area. AFC Recommendation: In particular, we note guidance in the NPP Guidelines which remains relevant and recommend inclusion of an additional sentence at B.81 as follows: Rather, the specific activity for which particular personal information is collected should be identified as the primary purpose. An APP entity could keep the description of the purpose reasonably general as long as the description is adequate to ensure that the individual is aware of what the entity is going to do with information about them. The entity does not have to describe internal purposes that form part of normal business practices. As a corollary we recommend omission of dot point one, which in our view would either be immediately obvious from the circumstances and therefore not warrant identification or, if part of a broader transaction, should defer to a description of the broader purpose. We also suggest dot point three is too narrow and should also be omitted or revised more broadly to encompass more than assessment of eligibility for a loan if the transaction involved is a loan offered by an AFC member.

RELATED BODY CORPORATE

B.97 We suggest that the final sentence include examples as follows: …and an exception to APP 6 does not apply (eg the individual has not consented to the use).

REQUIRED OR AUTHORISED BY LAW

Meaning of Court / Tribunal Order B.104

We are not sure of the basis for the inclusion of the phrases (including a judge / magistrate acting in a personal capacity) in paragraph B.104. We submit it would be useful for this information to be provided to facilitate understanding of the guidance. If the intention is to ensure a decision by a single judge / magistrate either in a court hearing or when issuing an order is sufficient for it to meet the definition, this may require further clarification. At present, as currently drafted, the qualification may be read as encompassing a broader concept to include actions by a person in their personal life that, if they were a judge, would be regarded as falling within this defined term. We do not believe this was intentional.

USE B.108

In the interests of compliance certainty and to align with the concepts introduced in the clarification of “disclosure”, we suggest the concept of effective control should be used in this concept as well. AFC Recommendation: Revise B.108 as follows: Generally, an APP entity uses personal information when the information is retained within its effective control.

CHAPTER 1: APP 1 - OPEN & TRANSPARENT MANAGEMENT OF PERSONAL INFORMATION

Key Points We are concerned that the shorthand summary of APP 1 fails to reflect the APP. The summary appears to imply a positive obligation on the APP entity to do something / take some action. In contrast, APP 1 is qualified and indicates that no action may be required in the particular circumstances. AFC Recommendation: We submit the Key Points should be revised to align with APP 1.

1.2 For reasons given above, we recommend that where reference is made to the APP obligations that it should reflect the law. In dot point one and dot point three, the obligation to take reasonable steps should be drafted to read to take such steps as are reasonable in the circumstances.

1.3 We suggest that APP 1 provides the overview of the framework for the lifecycle management of information handling by the APP entity rather than laying down the first step.

1.4 We note the same concerns raised in relation to para 1.2.

1.5 Structured compliance vs guidance dictating the form of the structure

Given the qualification of the compliance obligation by the term “such steps as are reasonable in the circumstances” we question whether paragraph 1.5 reflects the law. For example, we are concerned that by effectively requiring record-keeping of compliance steps the Commissioner is introducing a compliance obligation greater than that required by APP 1.2. The obligation in APP 1.2 is to implement not to document. If the Commissioner is proposing ‘best practice’ guidance, by failing to distinguish it from the balance of guidance it takes on a higher status for compliance purposes. If his intention is the latter, we suggest revision to reflect that what is proposed is a compliance tip rather than a compliance requirement. For example, revising the third sentence as follows: A way that an entity could establish that it had taken reasonable steps to comply with APP 1.2 may be to keep a record of steps it has taken.

1.6 + 1.7 We suggest in 1.6 “include” should be qualified by “could” include or “may” include to reflect the flexible / entity-specific nature of compliance in line with the principles-based approach in the law. Similarly in 1.7 – “should” be replaced with “could”.

1.7 Dotpoint 4

We submit that, in the absence of a mandatory breach reporting provision in the Act, there is no obligation to have procedures to report breaches. Compliance with the Commissioner’s guidance on this remains voluntary. As a consequence, we recommend “reporting” privacy breaches should be replaced with “appropriately responding to” privacy breaches.

1.7 Dotpoint 6

We note the limited relevance this example has for AFC Members and others in the financial services sector.

Developing an APP Privacy Policy

We note that as currently drafted these components of the guideline do not appear as yet to have taken up a range of findings of the Commissioner following the sweep of websites, conducted as part of the global initiative to get a sense of how compliant the organisations involved were with APP 1 transparency requirements, together with considerations of accessibility, readability and content. For example, relevant factors appear to be the number of words, the reading age at which the policy is pitched, the level of complexity, a layered approach to disclosure, and disclosure targeted to the particular application being used by the individual (eg mobile platforms vs. PC). We assume this may be addressed as part of the finalisation of this Chapter. (For example, we anticipate Footnote 3 was intended to refer to this work – though we suggest it should be included in para 1.11 rather than para 1.10.) We note and recommend that a clear delineation to distinguish best practice from the balance of guidance is critical to this process also.

1.8 We submit it would be valuable for the Commissioner to continue in the draft APP current guidance where it remains relevant. AFC Recommendation: For example, in line with Private Sector Info Sheet 3 – 2001 Openness, we recommend that an additional sentence should be included in para 1.8 as follows: …A note to APP 1.5 advises that the policy will usually be available on the entity’s website. This could be either on the home page or on a prominent and accessible link from the home page. Accordingly, …

1.9 We note and re-iterate our earlier comments about effectively mandating a process to record compliance with APP 1.2, giving it a status beyond the legal requirement to take reasonable steps. We recommend omission of the second sentence from paragraph 1.9 as a consequence. We also suggest omission of the words “from the individual” in the last sentence to paragraph 1.9 given it is permissible for an APP entity to collect information about an individual from others.

1.12; 1.14; 1.16;

We are concerned that the Commissioner’s guidance creates compliance tension. For example, on the one hand the Commissioner is requiring a policy that is not too long and complex yet in paragraph 1.12 is indicating that granular detail is appropriate (eg explanation relevant to separate business units or service units). The inclusion of this granular detail will of necessity result in a longer more complex policy. We again note if the Commissioner is indicating a “best practice” approach this should be clearly delineated from the balance of the guidance. This would assist AFC Members to ensure compliance by 12 March 2014 and enable revision and updating at an appropriate point post commencement when the organisation is better able to structure compliance at a higher best practice level.

1.20 Purposes for collection etc

For reasons given earlier in relation to the key concept of “purpose” we recommend that the guidance in the NPP Guidelines at NPP 1.3(c) is equally relevant and should be included in this part of the APP 1 guidance. We also recommend that in line with the APP 1.3 + 1.4 requirement, the reference should be to people or entities to which information may be disclosed rather than introducing a new concept of access. AFC Recommendation: Inclusion of an additional paragraph under para 1.20 as follows: An APP entity could keep the description of purposes reasonably general as long as the description is adequate to ensure that the individual is aware of what the entity is going to do with the information about them. The APP entity does not have to describe internal purposes that form part of normal business practices, such as auditing, business planning or billing. In line with the APP 1.3 + 1.4 requirement, amending para 1.20 second sentence to: the range of people or entities that the entity may disclose personal information to.

1.21 We are concerned that the guidance again imposes greater obligations than the law. In particular we are concerned with the level of detail expressed as a minimum compliance requirement at para 1.21. In particular in relation to the second dot point, we note the different approach that was taken by the Commissioner in the summary of findings in relation to the sweep of websites. We recommend that a similar approach be adopted in the APP guidelines. AFC Recommendation: We recommend the guidance reflect the best practice approach of the Commissioner’s findings following the privacy sweep of websites: Contact information for a particular individual with responsibility for privacy practices within the APP entity. Providing more than one option for contact (eg mail, toll free number and / or an email address) could be considered. A generic number and email address that will not change with staff movements would be adequate (for example, [email protected]).

1.23 AFC Recommendation: The guidance should appropriately recognise that not all APP entities will be (or are required to be, either under the Privacy Act or other laws) members of an EDRS recognised by the Commissioner. As a consequence, references to the EDRS facility should be qualified with concepts like “if relevant, the procedure for complaining to an EDRS…etc”. We are concerned that a time period (eg usually 30 days) has been included in the guidance and recommend omission. We acknowledge that APP agency-entities have had 30 day timeframes imposed (eg in relation to access and correction requests) and that it may be appropriate to continue this for their complaint-handling processes. In contrast, a timeframe in relation to access and correction has not been imposed on APP organisation-entities. Instead, a reasonable period from request has been used. We submit that, given access and correction rights are arguably more significant than a right to complain, a “reasonable period for response” should equally be included in the guidance on complaint-handling for these entities. As noted in para 1.24, timeframes for complaint-handling by these entities may be dictated by other obligations (eg for holders of Australian Credit Licences, obligations under ASIC RG 165). For this reason and to enable streamlining of processes, omission of a particular timeframe is preferred for APP organisation-entities.

Draft APP Guidelines AFC October Comments

1.24 We appreciate the attempt to clarify in the guidance that additional detail relevant to dealing with complaints relating to matters additional to privacy might be covered in the APP 1.3 Policy and regarded as compliant. However, we submit that a more general statement should be adopted.

1.25 We submit that the guidance imposes more significant compliance obligations than APP 1.3 + APP 1.4(f)(g) in the case of disclosure to off-shore entities. If the Commissioner is suggesting that it would be best practice for the entity to note the kinds of information likely to be sent to particular countries, this should be clearly delineated from other guidance.

1.28 AFC Recommendation: We recommend, as a corollary to the guidance in this paragraph, that the Commissioner acknowledge that an entity could comply with its APP 5.2(j)(k) notification obligations by including the requisite detail in the APP 1.3 Privacy Policy accessible through prominent links.

Other matters for inclusion 1.29 – 1.30

We submit this is another area of Chapter 1 where a different approach to distinguish “best practice” guidance would be appropriate.

Making a Privacy Policy Available

1.31 As proposed in our response above to para 1.8, we note and re-iterate the value in including an equivalent additional sentence in this area also.

1.33 We suggest a different approach might be taken in this paragraph. As we understand it, the APP entity remains at liberty under APP 1.5 to determine the form in which it makes its privacy policy available, subject to a test of “reasonable steps”. The online form is merely one form it may choose. Other forms may be equally relevant and could be used in addition to online availability. Restricting the guidance to situations where an entity does not have a website may unduly restrict consideration of a layered approach to making the policy accessible in different forms by entities that do have a website. We do not think this was intended, but suggest revision of para 1.33 may be required to clarify this.

1.35 We again note our concern that references to “reasonable steps” throughout the guidance should appropriately reflect the law and refer to “such steps as are reasonable in the circumstances”.


CHAPTER 2: APP 2 - ANONYMITY & PSEUDONYMITY

Key Points

We suggest dot point 4 be moved to dot point 2 to better reflect the approach of APP 2, which recognises that there are circumstances where it is not appropriate for an individual to deal anonymously or under a pseudonym with an APP entity. We also recommend omission of the last dot point in the context of the qualification of the obligation in APP 2.1 given in APP 2.2.

What does APP 2 say?

We submit it would be useful to reiterate current guidance in NPP Guideline 8 (eg after Chapter 2 para 2.2), that APP 2 is not intended to facilitate illegal activity.

Requiring identification 2.15

AFC Recommendation: In the interests of compliance certainty, we recommend that either:

• an additional example; or

• a broader example than opening a bank account

that covers provision of a financial service by an entity subject to anti-money laundering laws be included in this paragraph.


CHAPTER 3: APP 3 - COLLECTION OF SOLICITED PERSONAL INFORMATION

Solicit & Collect 3.7

We submit that a couple of the examples in para 3.7 may take the concept of “request”, which envisages a positive act on the part of the collecting APP entity, and therefore “solicit”, further than what was envisaged by Parliament. In particular:

• the example relating to a complaint letter; and

• CCTV footage that identifies individuals.

In these examples we accept that the collecting entity may have established a facility that may result in the capture of information but, in our view, this falls short of the active process that is encompassed by the concept of “request”. As a consequence, collection via these means may be better characterised as unsolicited collection of personal information subject to the APP 4 compliance obligations rather than APP 3 solicited collection. We therefore suggest their omission. We also submit it would be useful for the guidance to cover some scenarios relating to the collection of personal information through the course of normal business dealings, for example through the exchange of business cards. Further, guidance relating to social media in the context of collection would also be useful. For example, if an organisation holds a page on social media (eg Facebook or Twitter), does the collection of information via this means amount to solicited collection? As we understand it, information is often disclosed via social media which the organisation has not actively requested.

Collection that is reasonably necessary 3.21

We note that “necessary” and “reasonably necessary” are Key Concepts that have been defined at B.65-68. We recommend that, rather than attempting to re-define these in para 3.21, this part of Chapter 3 should merely refer readers back to the Key Concept clarification.

Consent 3.27

We note and re-iterate our comments in relation to the Key Concept of consent. We submit omission of the attribute in dot point 3 – consent must be specific and current – for the reasons given earlier.

Fair means 3.64

We submit that “one that is not oppressive” could be replaced with “one that does not involve undue pressure”.

Collecting directly from the individual 3.66 – 3.70

Unreasonable and impracticable circumstances which could enable an APP organisation to collect information from a third party (eg consent of the individual).

We submit that APP 3.6 does not provide three exceptions but distinguishes between collection by an APP entity that is an agency from other APP entities. In short, an APP entity that is not an agency could rely on an individual’s consent to collect information from another person on the basis that this would be reasonable. The specification of consent as an option to permit collection by the APP agency from someone other than the individual should not as a matter of statutory interpretation require collection under APP 3.5(b) to be interpreted as not including collection with consent. This interpretation would leave an APP entity with the absurd result that the predominant means by which an individual is able to protect the privacy of their information and to participate in and control what happens to his / her information (ie through consent), including information held by another person, is not available to him / her. We recommend that further consideration of guidance on APP 3.6 including discussion with the Attorney-General’s Department in terms of Parliament’s intention and government policy may be required. We also note that:

• if the individual would reasonably expect information about them to be collected directly from .. another source

is a circumstance relevant to determining whether it is unreasonable or impracticable to collect information only from the individual. If the individual has given consent to collection from a third party, we would argue that this supports the view that the individual would reasonably expect this manner of collection, and that it therefore complies with APP 3.

CHAPTER 4: APP 4 - DEALING WITH UNSOLICITED PERSONAL INFORMATION

What does APP 4 say?

We note the distinction in application of APP 4 in the guidance relating to Commonwealth records. We also note the guidance in the Chapter B Key Concepts. We suggest it may be appropriate to refer to Chapter B at relevant points in Chapter 4 (eg at para 4.2 or 4.3). We note that this occurs at para 4.14 of the guidance, but it may be useful to bring this forward in the Chapter. At para 4.4 the reference to the definition of solicit should refer readers to s. 6(1) of the Act.

What is unsolicited PI? 4.6 – 4.7

We suggest that it may be useful to clarify in the Guideline whether information should be characterised as unsolicited when it is provided by an individual in addition to what is specifically required when filling out an application form, because the individual believes it is relevant but there is no specific field to support it.

When is destruction reasonable? 4.23

As noted earlier, it is unclear what the “extent” of personal information is. We suggest that the example in dot-point one may need revision to clarify.

Destroying “as soon as practicable” 4.26

APP 4.3 imposes a similar concept to APP 5.1 – namely “as soon as practicable”. We are concerned that the guidance provided on APP 4.3 may affect the reader’s understanding of the term in APP 5.1. For this reason, we submit that the guidance on APP 4.3 should reflect the current approach the Commissioner has adopted to the term in the NPP Guidelines, at “1.3 Practicability & timing of giving 1.3 information”. In short, determining whether a timeframe for response is practicable from a given point depends on the circumstances and may require balancing a number of possible factors. Prompt action is but one of the factors in that balancing exercise.

CHAPTER 5: APP 5 – NOTIFICATION OF THE COLLECTION OF PERSONAL INFORMATION

We need to emphasise that APP 5 applies in addition to Part IIIA for collection notices; it does not replace it. Hence there is an additional need to ensure it can be operationalised.

Key Points

Reasonable steps vs take such steps (if any) as are reasonable in the circumstances

We recommend that the APP 5 approach should be reflected in the key points. As currently drafted the guidance could be interpreted as imposing a positive obligation on the APP entity to take some action when, in the circumstances, it may be reasonable for no action to be taken.

What does APP 5 say? 5.1

We note the above comments.

Reasonable steps to notify awareness 5.4 – 5.5

As noted in our general comments, the obligation to take reasonable steps to ensure a customer is aware of specified matters at a time linked to the act of collecting personal information is one that is relevant both for APP compliance and, for entities that are also credit providers, for compliance with Part IIIA, particularly s. 21C + relevant components of the Credit Reporting Code (CR Code – draft V5.1 Clause 4.2). As a consequence, the hierarchy of compliance influence of a particular component of the framework will drive a default compliance outcome. In short, if the CR Code, supported by s. 21C, reflects the Commissioner’s guidance in the APP Guidelines, then because the Code has legal status our Members will be obliged to design compliance to meet those requirements. The interface of APP 5 and s. 21C in terms of compliance design also highlights the variation between APP 5, which includes the objective “reasonable steps” test + “practicability” test for compliance, and s. 21C, which obliges a credit provider to notify or otherwise make an individual aware of specific matters contingent with collection. As a result, should the Commissioner’s guidance in the APP Guidelines be more akin to best practice, the inclusion of that as the standard in the CR Code to achieve alignment will have the result that the CR Code makes it mandatory for credit providers to set compliance to meet a higher and more costly best practice standard or face significant risk for breach.

In this regard we note the Act’s objectives (to be inserted via the amendments), in particular Act s. 2A(e): “to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected”.

The timing of the release of the Guidelines (and flow-on revision to the CR Code Clause 4.2) is also relevant to this issue. With close to five months to have revised information handling practices, processes and documentation to be compliant by 12 March 2014, our Members are focused on designing and developing compliance outcomes to allow sufficient time for implementation and testing prior to commencement. Given the seasonal impacts of the December / January period, this leaves barely 3 months for completion of this process, the two months before December being critical. As a consequence, our Members have considered the requirements of APP 5 and s. 21C (including V5.1 CR Code Clause 4.2) to set compliance parameters, albeit having to make a range of assumptions (given regulations are not yet made and the CR Code is not yet registered). A significant component included a gap analysis between current NPP / Part IIIA compliance and compliance set to meet areas of change resulting from the move to the APPs / new Part IIIA. This has been assisted both by policy direction contained in the Explanatory Memoranda that accompanied the amendments through their passage, and by guidance published by the Commissioner (eg the comparison between NPPs and APPs and the What’s Changed in Credit Reporting publication). Our Members acknowledge that the key change in the move from NPP 1.3 to APP 5 is the inclusion of prescriptive requirements about the content of collection notices. We emphasise this because, in contrast, a change to the form or method by which an individual becomes aware of these content matters does not appear to be something that has changed as a matter of policy. It also reflects current practice both by industry (for NPP compliance) and by the public sector (for IPP compliance). The law has changed to separate notice from other methods that might be adopted, but otherwise remains unchanged. As a consequence, our expectation is that current guidance of the Commissioner (eg in the NPP Guidelines) would remain relevant. We acknowledge that developments in technology may see a need for inclusion of additional guidance (eg for the online environment). However, for other forms of notice (eg oral communications with the customer, including telephone calls) our Members have not anticipated a need for change to current processes set to comply with the NPP 1.3 requirements supported by the NPP Guidelines. We note the current approach to the drafting of the APP Guidelines (in particular APP 5.5) which, through inclusion of examples without clear delineation between what is best practice and what is the Commissioner’s compliance expectation in line with the law, blurs the level at which our Members should set compliance. For reasons outlined earlier, this is exacerbated should the examples be reflected as the compliance requirement in CR Code 4.2. As a consequence, our Members are faced with a compliance outcome that potentially sees a requirement to:

• in the online environment – re-engineer current notification to effectively require a process more akin to obtaining consent than the APP 5 requirement of giving notice. This does not appear to have been an attribute of compliance reflected in the footnoted decision. Rather, that decision appears to give guidance in terms of accessibility and readability of notices. Given this is an outcome well beyond the law, with significant cost implications, we do not believe this was intentional.

AFC Recommendation: The AFC recommends that the words “, the individual should be asked to confirm they have reviewed the notice before providing their personal information” be omitted from this example. This leaves the example appropriately reflecting practice and policy both under the current provisions and the reformed provisions.

• telephone collections – again we note the challenge that the current wording potentially presents for AFC Members. We accept that the guidance is designed for APP 5, but note the intrinsic connection with s. 21C (+ CR Code Clause 4) and the compliance outcome when the normal and daily practice of collection of credit information / credit eligibility information is involved. On the current reading, the outcome could see a credit provider’s representative on a phone call for several minutes covering off all the required content matters before engaging in the substantive component to deal with the customer’s inquiry about a credit product. Again, we think this is beyond the legal requirement and, given the significant potential adverse customer relations outcome and compliance cost to an APP entity / credit provider, submit that it was not intended.

AFC Recommendation: The AFC recommends that APP 5 guidance (and s. 21C + CR Code 4) be aligned with the Tips for Compliance contained in the relevant NPP Guideline, as follows:

if the personal information is collected by telephone – adopt a layered process by generally covering the requisite APP 5 (s. 21C + CR Code) matters early in the call (including via automated messages). More detail may subsequently be provided (eg by directing the individual to a readily accessible link on the website; by giving detail via electronic means (eg email or SMS); or through paper-based methods in confirmatory documents).

Reasonable steps + When not taking any steps is reasonable 5.4 + 5.6

Factors to think about when deciding what is reasonable

We note relevant extracts from the Explanatory Memorandum in relation to APP 5 that should be incorporated in the APP 5 guidelines. In particular:

The phrase “reasonable in the circumstances” is an objective test that ensures that the specific circumstances of each case have to be considered when determining the reasonableness of the steps in question. This flexibility is necessary given the different types of APP entities and functions/activities that are to be regulated under the APPs.

We note current guidance (in the NPP Guidelines and Private Sector Info Sheet 18 – Taking Reasonable Steps to Make Individuals Aware that Personal Information about them is being Collected) and submit that it remains relevant and, where possible, should be reflected in the APP Guidelines. In particular, we note the importance of the factor: an individual’s expectations and existing knowledge about the collection.

While we understand the examples in dot points 1 + 2 may be an attempt to convey the guidance given in this regard, we submit that they do not achieve the compliance certainty of IS 18. We also note the compliance challenge that the introduction of concepts like a “short” period causes for AFC Members. For example, for a home loan transaction, which may span 30 years, the concept of “short” may in theory have a different connotation than for a motor vehicle finance product, which generally is in place for about 4 years. We acknowledge the NPP Guidelines refer to “recently”. This equally presents a compliance challenge and will vary with the particular circumstances. A better approach may be to indicate that the time frame between when information is collected and when notification occurred (if required) may be a relevant factor in the test of “reasonableness” in APP 5. Other examples in IS 18 of when taking no steps may be reasonable also remain relevant:

• information collected from publicly available sources;

• information collected during due diligence processes when a company is being sold;

• a financial counsellor collecting third party information during a session.

AFC Recommendation: IS 18 reflects the outcome of earlier stakeholder consultation and appropriately negotiated compliance positions. Given that, substantively, the amendments should not as a matter of policy have affected its content, we recommend that it is appropriate for it to remain in place through inclusion in the APP Guidelines.

Matters to be notified 5.7

Reasonable steps to notify matters vs. reasonable steps to notify such matters as are reasonable in the circumstances.

We submit the obligation to notify (or otherwise ensure awareness) of the APP 5.2 matters is subject to two tests of “reasonableness” under APP 5.1: the first in relation to each matter, and the second in relation to the steps to be taken (if any) to notify any of the matters which have been identified through the first layer of the process. We do not believe this is clear from the guidance.

APP entity and contact details 5.8

We submit that the notification obligation in relation to the identity and contact details of the APP entity under APP 5.2(a) is a different and separate obligation from the obligation to give details about the complaint process in APP 5.2(h) or the access / correction process in APP 5.2(g). The guidance provided blurs the two concepts and should be revised to focus on the APP 5.2(a) requirement.

AFC Recommendation: In this regard we also note that the current guidance in the NPP Guidelines is relevant and recommend that it be included, as follows:

Where the circumstances of collection make a matter listed in APP 5.2 obvious, the reasonable step might not involve any active measures because the circumstances speak for themselves. For example, in many cases the identity of the [APP entity] collecting the personal information could be obvious from the circumstances.

Facts + Circumstances of Collection 5.9

Circumstances - specificity

We note the clarification of what might be included in notification of the circumstances of collection, but are concerned with the level of specificity. We submit this is an area where clear delineation between best practice and the more specific APP 5 compliance requirement is required. By linking the APP 5.2(b) requirements to the examples, this delineation is lost. Given the examples in 5.10, we submit that the words “such as the date, time, place and method of collection” should be omitted.

5.11 Named entity from which information of individual is collected

We suggest this requirement is beyond the strict requirement of APP 5 and should either be appropriately characterized as best practice or omitted.

Required or authorised by law 5.13

We note the Government response to the ALRC recommendation on which the inclusion of this provision was based, and have highlighted a relevant component:

On recommendation 23-2(h), agencies or organisations should identify the specific law that requires or authorises the collection of information, though it would not be necessary to identify a specific provision.

AFC Recommendation: We acknowledge the qualification of the guidance by “if practicable”, but remain concerned that the requirement to include specific provisions of the law relied upon for collection appears at odds with what the Government intended. We recommend omission of the last sentence from para 5.13 as a result.

Purposes of collection 6.1?

AFC Recommendation: We recommend the heading should refer to purposes of collection rather than purpose. We also recommend that the reference to secondary purposes should be in the plural, not the singular. This is in contrast to primary purpose, which is singular. Given the obligation to notify is contingent on two layers of a reasonable steps test, we submit that the obligations in the paragraph should be similarly qualified by concepts like “if required, other purposes could be notified”. We again note our earlier comments and recommend inclusion of the equivalent of NPP Guideline 1.3(c) Informing individuals about the purposes of collection, reinforcing the ability to give general descriptions provided they are adequate to ensure awareness in the individual.

Consequences for individual 5.16

We are concerned that the examples given in para 5.16 are ones (with the exception of the last example) where, in the circumstances, the individual is likely to be aware already of the consequences if personal information is not collected. Their inclusion puts at risk compliance design that endeavours to take into account the likelihood of an individual’s knowledge of obvious consequences in particular circumstances. Generally, a clear understanding of the primary purpose of collection may meet this requirement.

Disclosure to other APP entities 5.21

Disclosure to other APP entities & subsequent disclosure by them

We recommend that para 5.21 should be revised to include clear delineation between the APP 5.2 matters to be notified and “best practice”. This applies in particular to the guidance given in the last sentence of para 5.21. For example, it may be impracticable to name all the related bodies corporate to which information is disclosed by a large company within that corporate group. Processes that might achieve the desired effect could be a reference to related bodies corporate with a prominent and accessible link that would take the individual to the more detailed information. We again note the challenge of producing a notice that deals with all the matters suggested by the Commissioner while still meeting broader expectations of accessibility, readability and simplicity.

APP Entity’s Privacy Policy

Link in APP 5 notice to APP 1.3 privacy policy

In the interests of consistency and in line with our earlier comments, we suggest the reference to a link in the APP 5.1 notice to the APP 1.3 privacy policy in para 5.23 should be to “a prominent and accessible” link.

Cross border disclosure 5.28

We reiterate our comments about appropriately adopting a formatting process that distinguishes “best practice” guidance from other guidance.

When is notification to occur 5.29

We recommend an approach in this part of Chapter 5 which better reflects that flexibility in compliance is appropriate. Rather than focus on notification, we submit the guidance should encapsulate notice or otherwise ensuring that the individual is aware.

5.32 We submit that obliging people to build early notification processes into collection processes and systems may be good practice, but is not a requirement under APP 5.1. The test is not whether it is practicable to build this into compliance processes, but whether the particular circumstances of collection meant notification or otherwise ensuring awareness was not practicable at or before time of collection. The guidance should be revised accordingly.

*** *** ***


Attachment 2

FEDERAL PRIVACY COMMISSIONER

Mr Ron Hardaker
Executive Director
Australian Finance Conference
Level 22 / 68 Pitt Street
SYDNEY NSW 2000

Dear Mr Hardaker

PRIVACY ACT – APPROACH TO COMPLIANCE

I understand that an area of concern for your members is the approach this Office will take to promoting compliance with the new law after 21 December this year. As I understand it, the concern is that I have stated in a number of public forums that we will be deliberately seeking early breaches of the law then making public examples of the organisations involved, as a warning to others. Let me assure you that this is not an accurate account of what I have been saying. In every public speaking engagement where the question of our approach to compliance has been raised, I have clearly stated that publicising breaches of the Act would be a last resort where it has proved impossible to arrive at a conciliated outcome. Let me outline to you the approach that I have repeatedly espoused. This approach is based on using the lowest cost, lowest profile approach that the complainant and respondent organisation will allow. These arrangements are:

• When we receive a complaint, we first check if the parties have attempted to resolve their differences directly and if not, whether it would be appropriate for them to try.

• In the new legislation, this is mandated by s.40(1A). In other words, we encourage internal complaints handling as a first resort.

• If this fails, we enter a stage of conciliation based on accepted principles of alternative dispute resolution. In most cases, we rely on phone calls and letters to the parties. In a small proportion of more intractable matters, we may meet with the parties face to face. This process has been very successful in the existing jurisdiction and usually results in our Office closing the complaint under s.41(2)(a) on the grounds that the respondent has adequately dealt with the matter. Moreover, in the vast majority of complaints over the last five years, resolution has not involved monetary compensation. Less than 6% of complaints have involved financial compensation. In all but a few serious matters, the amounts have been very modest ($500 – $2,000).

• Only twice in the twelve year life of the Privacy Act has the Commissioner had to use the formal determination making powers under s.52 and one of these occasions was at the request of the respondent.

• If the parties do not comply with the terms of a Determination, s.55A of the Act allows us to approach the Federal Court or the Federal Magistrates Service to seek enforcement via a de novo hearing. So far, we have never had to resort to this step.

• We also have powers under s.98 of the Act to seek injunctions to ensure compliance with the Act. Again, we have never had to use these powers.

In making these points, I should point out that this includes our jurisdiction over credit reporting activities in the private sector. Against this background, in all of my public speaking, I have noted that while publicity is an obvious option, we will only use it as a last resort and I have pointed out that we would much rather celebrate success than condemn failure; and that we are here to help organisations find privacy solutions. This approach is explicitly stated in the Strategic Plan launched in March 2000 and has been reiterated ever since. In the course of making these remarks, I have also pointed out that if an organisation does not do the right thing after a complaint has been resolved, for example continues to flout the law or is clearly and consciously a "repeat offender", then and only then will we seek to put the matter in the public arena. I hasten to add that this approach has had, and will have, an impact on the public standing of this Office in the eyes of some. For example, when I outlined this philosophy in a talk to the Melbourne Press Club last March, I was roundly criticised during debate for being soft. In another instance when we issued a media statement (on request only) that flatly described the terms of a settlement with Harts Financial Services, its clients were described as "outraged that the Federal Privacy Commission (sic) has chosen not to fine the finance company".

I am happy for you to circulate this letter among your members.

I look forward to working with you to bring this new law into place in a way that is harmonious, helpful and meets the needs of the Australian community and the organisations with which they conduct their affairs.

Yours sincerely

Malcolm Crompton
Federal Privacy Commissioner