Dianne Beer, Herbert Geer Lawyers: Privacy Reform
Uploaded by: informa-australia
PRIVACY REFORM
Dianne Beer, Herbert Geer Lawyers
Privacy Reform: Agenda for Presentation
Opening remarks – a few relevant points on privacy reform in Australia
Australian Privacy Principles (APPs)
Credit Reporting Provisions of the Privacy Act (Part IIIA)
Intersection of APPs and Part IIIA
Privacy Reform – global perspective on Australian
reforms
Where do Australia’s recent privacy law reforms sit on the global scale?
Global trend towards introduction of privacy protections – 101 countries
have data privacy laws.
EU is the benchmark and we sit at 60% - we are substandard on: data
export controls; exemptions; lack of compulsory data breach notification;
and enforcement.
Privacy Reform – when it starts and who is covered
Amendments to the Privacy Act 1988 were made in December 2012 and come into
effect on 12 March 2014.
Act covers APP entities:
a. organisations with an annual turnover of more than $3 million;
b. credit reporting bodies, credit providers and other 3rd party recipients
of credit-related personal information (Part IIIA);
c. Federal Government agencies.
New Australian Privacy Principles apply to all ‘personal information’ that is
not credit-related (and some of them apply to credit-related personal
information also).
Act covers: “acts done” or “practices engaged in” by organisations
established or managed in Australia, and by entities lacking a physical presence
here but operating online and collecting personal information here.
Privacy Reform – what has changed?
Amended definition of “personal information” and “sensitive information”
Coverage for unsolicited information [APP 4]
Adoption of Australian Privacy Principles (APPs) in lieu of NPPs
Additional requirements for notice at time of collection [APP 5.2]
Changes to cross-border disclosure [APP 8]
Changes to direct marketing rules [APP 7]
Updated access and correction rights [APP 12 & 13]
Changes to the Australian Privacy Commissioner’s powers
Introduction of comprehensive credit reporting (New Part IIIA)
Introduction of external dispute resolution schemes (EDR schemes)
beyond credit information matters
Privacy Reform – New definitions of ‘Personal
Information’ and ‘Sensitive Information’
New definition of ‘personal information’ (PI): “information or an opinion
about an identified individual, or an individual who is reasonably
identifiable”
a. the information or opinion need not be correct; and
b. an individual could be “reasonably identifiable” from additional
information accessible by the collecting entity (i.e. data that is not
‘personal information’ by itself can become PI because of other data
held by the entity).
In the UK the Information Commissioner has held that information about a
website user built up over time and only linked to an email address, was
‘personal information’.
Biometric information is now ‘sensitive information’.
Unsolicited PI is now covered and may need to be destroyed.
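As an added illustration of point b. above (this code is not part of the presentation), the following Python shows how a log an entity treats as non-personal becomes personal information once joined with other data the same entity holds. The account table, the analytics log, the SHA-256 email token and the "unique match on postcode and birth year" rule are all constructed assumptions; the uniqueness rule is a deliberate simplification of the legal "reasonably identifiable" test, not a statement of what the Act requires.

```python
import hashlib

# Constructed account table held by the entity (assumption, not real data).
ACCOUNTS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "postcode": "3000", "birth_year": 1985},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.com",
     "postcode": "3000", "birth_year": 1985},
    {"id": 3, "name": "Carol Test", "email": "carol@example.net",
     "postcode": "2000", "birth_year": 1990},
]


def email_token(email):
    """Deterministic 'pseudonymous' token many analytics pipelines use.
    Anyone who also holds the email addresses can recompute it, so it
    does not stop the holder of the account table from linking rows."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed analytics log: no name, no email, only the token plus coarse
# attributes. On its own it looks like it is not personal information.
ANALYTICS_LOG = [
    {"token": email_token("alice@example.com"), "postcode": "3000",
     "birth_year": 1985, "pages_viewed": 42},
    {"token": email_token("dan@example.org"), "postcode": "3000",
     "birth_year": 1985, "pages_viewed": 7},          # no matching account
    {"token": None, "postcode": "2000", "birth_year": 1990, "pages_viewed": 3},
    {"token": None, "postcode": "3000", "birth_year": 1985, "pages_viewed": 9},
]


def link_by_token(log, accounts):
    """Direct linkage: join log rows to accounts via the recomputed token."""
    index = {email_token(a["email"]): a for a in accounts}
    return [index.get(row["token"]) for row in log]


def candidates_by_quasi_identifiers(row, accounts, keys=("postcode", "birth_year")):
    """Indirect linkage: which accounts share the row's quasi-identifiers?"""
    return [a for a in accounts if all(a[k] == row[k] for k in keys)]


def classify(log, accounts):
    """Label each log row as 'identified' (direct join succeeds),
    'reasonably identifiable' (exactly one account matches the
    quasi-identifiers; a simplifying assumption used here) or
    'not identifiable' (no unique match). Returns (label, name) pairs."""
    results = []
    for row, account in zip(log, link_by_token(log, accounts)):
        if account is not None:
            results.append(("identified", account["name"]))
            continue
        cands = candidates_by_quasi_identifiers(row, accounts)
        if len(cands) == 1:
            results.append(("reasonably identifiable", cands[0]["name"]))
        else:
            results.append(("not identifiable", None))
    return results


def smallest_group(log, accounts, keys=("postcode", "birth_year")):
    """Smallest number of accounts sharing any row's quasi-identifiers
    (a k-anonymity style figure); 1 means some row is singled out."""
    return min(len(candidates_by_quasi_identifiers(r, accounts, keys)) for r in log)


if __name__ == "__main__":
    for row, (label, name) in zip(ANALYTICS_LOG, classify(ANALYTICS_LOG, ACCOUNTS)):
        print(row["pages_viewed"], "pages:", label, name)
    print("smallest quasi-identifier group:", smallest_group(ANALYTICS_LOG, ACCOUNTS))
```

The first row is tied to a named account through the token alone, so hashing the email gave no protection against the entity itself. The third row carries no token at all, yet only one account shares its postcode and birth year, which is the "other data held by the entity" situation the slide describes. Whether a unique match is enough to be "reasonably identifiable" in law depends on the circumstances; the example only makes the mechanism visible.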
Privacy Reform - Australian Privacy Principles
1. Open and transparent management of personal information
2. Anonymity and pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of the collection of personal information
6. Use and disclosure of personal information
7. Direct marketing using personal information
8. Cross border disclosure of personal information
9. Adoption, use or disclosure of government identifiers
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information
Privacy Reform – privacy by design
APP entities required to:
a. implement practices, procedures and a workplace culture that ensure
compliance with APPs throughout the PI lifecycle (including
governance mechanisms);
b. take such steps to comply as are reasonable for that entity in the
circumstances - copy-cat policies and procedures can’t be relied on;
and
c. have an up-to-date privacy policy, expressed in language a 14 year
old can understand, available on website.
Privacy Reform – Changes to direct marketing rules
[APP 7]
APP 7.1 - use of personal information for direct marketing (DM) generally
prohibited.
Broad exceptions in APPs 7.2 and 7.3 (but don’t apply to sensitive
information).
APP entity will generally need an individual’s consent to use or disclose
his / her PI for DM if:
a. the individual has no reasonable expectation that his / her PI will be
used for DM; or
b. PI is collected from a third party.
Entity must provide a simple means for individuals to request not to
receive DM communications.
Sensitive information may only be used/ disclosed for DM if individual has
given express consent (APP 7.4).
Direct marketing – application of APP 7
APP 7 does not apply if Spam Act or Do Not Call Register Act apply (APP
7.8).
APP 7 is likely to apply to hard copy direct marketing material but not to phone,
fax, SMS or email direct marketing; other APPs will still apply to the
management of the PI involved.
Unclear whether DM on Facebook, Twitter or other platforms would be
governed by APP 7 or Spam Act but similar result in practice (i.e.
notification/ consent/ unsubscribe requirements).
Privacy Reform – Changes to cross-border disclosure
[APP 8]
APP 8.1: An APP entity disclosing personal information to an overseas
recipient (including a ‘related body corporate’ outside Australia) must
take steps that are “reasonable in the circumstances” to ensure recipient
does not breach the APPs (other than APP 1).
“Accountability principle”: even where it complies with APP 8.1, entity can
still be liable for acts of an overseas recipient (or its subcontractor) that
would breach the APPs (new s16C).
Two ways to avoid liability:
a. obtain individual’s consent to the disclosure, having first notified him /
her that if s/he gives consent, entity won’t have to take reasonable steps
to prevent overseas recipient’s breach (APP 8.2(b)); OR
b. reasonable belief that overseas recipient is subject to a law/ binding
scheme protecting the PI in a way substantially similar to APPs, and
individual can access enforcement mechanisms (APP 8.2(a)).
Cross-border disclosure – application of APP 8
‘Disclosure’ different from ‘unauthorised access’ (addressed in APP
11). A cyber-attack does not amount to cross-border disclosure.
Accountability principle + OAIC’s enhanced enforcement powers
= increased exposure for any organisation dealing with PI
electronically.
Offshoring arrangements may need to be revisited (e.g. terms of
supply for cloud computing services may need review).
Privacy Reform – Updated access and correction rights
[APP 12 & 13]
Upon request by individual, APP entity must grant access to that
individual’s PI.
If entity refuses, it must refer the individual to a complaints process.
The individual has the right to have the PI corrected if it is inaccurate, out-
of-date, incomplete, irrelevant or misleading.
Individual can request that APP entity provide a correction notice to third
parties.
Privacy Reform – Commissioner’s role
New powers for Privacy Commissioner:
a. undertake performance assessments of private sector entities;
b. make a determination following own-initiative investigation;
c. accept undertakings enforceable through courts (e.g. that an entity will take/
refrain from particular action, or take preventative action);
d. apply to courts for civil penalty order where there is a serious or repeated
interference with privacy (penalty up to $1.7 million for companies and
$340,000 for individuals).
“Three-tiered” complaint resolution model:
a. Individual complains to APP entity.
b. If not resolved and entity belongs to an EDR scheme, complaint via EDR
scheme. [Note: a credit provider’s EDR scheme may not cover all privacy
complaints – depends on terms of scheme.]
c. If still not resolved, investigation by Office of the Privacy Commissioner.
Privacy Reform: The new credit reporting provisions –
Part IIIA of the Privacy Act: Agenda for next segment
Initial observations
Overview of new descriptors and new information covered
Changes:
access requests by individuals;
correction requests by individuals;
complaints hierarchy for breaches of Act or CR Code;
penalties for non-compliance.
Direct marketing
Interaction between Part IIIA and APPs
Privacy Reform: The new credit reporting provisions –
Part IIIA – Initial observations
The new Part IIIA:
a. allows for more comprehensive credit reporting and associated
enhanced privacy protection;
b. follows the structure of APPs;
c. is supplemented by the registered CR Code, which is intended to “fill
the gaps” between privacy principles and business operations;
d. is intended to create an Australian credit reporting system so:
i. foreign credit information or information provided by foreign
credit providers is excluded; and
ii. information held in the Australian credit reporting system should
not be available to foreign CRBs or credit providers.
Privacy Reform: The new credit reporting provisions -
Part IIIA – New descriptors and new information
coverage
New descriptors:
a. Credit Reporting Agency is now a Credit Reporting Body (CRB)
b. Affected Information Recipients (AIRs) – various 3rd parties, e.g.
mortgage and trade insurers
c. Categories of credit related personal information
Privacy Reform: Information flows in the credit reporting
system
[Diagram: permitted disclosures of credit-related personal information]
Individuals → CREDIT PROVIDERS: “credit information” (credit information
from individuals).
CREDIT PROVIDERS → CREDIT REPORTING BODIES (permitted disclosure of credit
information): CRBs generate “CRB derived information” (derived by CRBs from
credit information); “credit reporting information” includes CRB derived
information.
CREDIT REPORTING BODIES → CREDIT PROVIDERS (permitted disclosure of credit
reporting information): CPs generate “CP derived information” (derived by
credit providers from credit reporting information); “credit eligibility
information” includes CP derived information.
CREDIT PROVIDERS → AFFECTED INFORMATION RECIPIENTS (permitted disclosure):
information held by AIRs is “regulated information”.
Privacy Reform: The new credit reporting provisions -
Part IIIA - Changes to types of information that can be
held in the credit reporting system
Expanded set of information covered by the regime:
a. type of consumer credit and terms; repayment history; max amount
of credit available under consumer credit;
b. publicly available information relating to creditworthiness;
c. opinions about serious credit infringements;
d. credit scores or risk assessments by either credit provider (CP) or
CRB bearing on creditworthiness.
CRBs are regulated in their use and disclosure of de-identified information
Disclosures of repayment history information between CRBs and CPs
limited to holders of Australian credit licence under the National Consumer
Credit Protection Act 2009
Privacy Reform: The new credit reporting provisions -
Part IIIA – Requests to access credit information
Access must be granted subject to limited exceptions associated with law
enforcement
New timelines for response:
a. CRBs - within 10 days
b. CPs - within a reasonable period
Means of providing access – set out in CR code (CRBs and CPs)
Written reasons for refusal to be provided (unless unreasonable, e.g.
related to law enforcement), with appeal rights to EDR scheme or
Commissioner noted
Charges:
only possible for CRBs in limited circumstances;
reasonable charges OK for CPs.
Privacy Reform: The new credit reporting provisions -
Part IIIA – Correction requests
If a CRB or CP is asked to correct information it must deal with the request
and not refer it to another CRB or CP.
The CRB or CP may be required to consult other CRBs or CPs to satisfy
itself whether or not information needs to be corrected, e.g. if it can’t
substantiate the correctness of the information.
Subject to court orders to the contrary:
a. where a correction is made, CRBs and CPs must notify the individual and
the 3rd party recipients (CRBs and AIRs) to which they previously disclosed the
information;
b. where correction is refused, reasons must be given (i.e. the correctness
of the information substantiated) and appeal rights noted.
Correction to be made within 30 days (other responsibilities done within a
reasonable timeframe)
Charges not allowed
For credit providers: Part IIIA deals exclusively with corrections of all credit
information, other than identification information (name, address) which is
covered by APP 13
Privacy Reform: The new credit reporting provisions -
Part IIIA – Changes to complaints procedure
Complaint hierarchy:
a. (other than where complaint is over access or correction) the
individual must first complain to CRB or CP;
b. first stage appeal - EDR scheme;
c. second stage appeal – the Commissioner.
CRBs and CPs can’t charge for complaints handling.
CRB or CP must:
a. within 7 days, acknowledge complaint and indicate how it will be
dealt with; and
b. provide a written decision with details of appeal process within 30
days.
Privacy Reform: The new credit reporting provisions -
Part IIIA – Changes to penalties for non-compliance
Breaches of certain provisions attract civil penalties (up to $1.7 million for
companies or $340,000 for individuals)
Serious or repeated breaches of Part IIIA or CR code attract civil penalties
Commissioner has new power to apply to Federal Court for an order
against a CRB or CP
Unauthorised use and disclosure of false and misleading information
attracts criminal penalties
If civil or criminal penalty applies, an individual may apply for
compensation
Privacy Reform: The new credit reporting provisions -
Part IIIA – Direct marketing
CRB prohibited from using or disclosing credit reporting information for the
purpose of direct marketing
Exception: limited use by CRBs of credit information for pre-screening of
individuals to receive direct marketing from CPs
Individual can request a CRB holding his/her credit information not to use
it for pre-screening
Privacy Reform: Interaction of APPs and Part IIIA
CRB
a. APPs do not apply to a CRB in relation to personal information that is
credit reporting information, CP derived information or a pre-screening
assessment.
b. APPs apply in relation to other kinds of personal information.
CP/ AIR
a. Generally if a CP or AIR is an APP entity, the APPs are either
specifically excluded OR apply in addition to the credit reporting
provisions.
b. The CR Code operates in addition to the APPs.
Privacy Reform: Credit providers - matters where Part
IIIA excludes the operation of the APPs
Privacy Policy for management of credit information and credit eligibility
information must detail:
a. the kind of credit information and credit eligibility information collected
and held;
b. the kind of CP derived information generated from the credit reporting
information;
c. the Part IIIA specific access, correction and complaints rights.
Collection Notice
a. Notify where individual’s PI may be disclosed to CRB
b. Matters specified in CR Code
c. Detail Part IIIA specific access, correction and complaint rights
Use and disclosure (including use for direct marketing) of credit eligibility
information
Integrity and accuracy of credit information collected, used or disclosed
Security of credit eligibility information from unauthorised access
Access and correction regimes for credit information or credit eligibility
information
Privacy Reform: AIRs - matters where Part IIIA excludes
the operation of the APPs
For AIRs:
Privacy Policy: with management rules for Regulated Information and
notification to individuals of access, correction and complaint rights
consistent with Part IIIA
Use and disclosure
Integrity and accuracy of regulated information
Security of credit eligibility information