Dianne Beer, Herbert Geer Lawyers: Privacy Reform


Dianne Beer, Herbert Geer Lawyers delivered this presentation at the 2013 Credit Law conference. The event offers key insights from the regulators; thought-provoking sessions from industry leaders; and updates on all the regulatory changes impacting the sector. For more information on the annual event, please visit the conference website: http://www.informalegal.com.au/law-legal-conferences/credit-law-conference

Transcript of Dianne Beer, Herbert Geer Lawyers: Privacy Reform

Page 1: Dianne Beer, Herbert Geer Lawyers: Privacy Reform

PRIVACY REFORM

Dianne Beer, Herbert Geer Lawyers

165130_1

Page 2

Privacy Reform: Agenda for Presentation

Opening remarks – a few relevant points on privacy reform in Australia

Australian Privacy Principles (APPs)

Credit Reporting Provisions of the Privacy Act (Part IIIA)

Intersection of APPs and Part IIIA

Page 3

Privacy Reform – global perspective on Australian reforms

Where do Australia’s recent privacy law reforms sit on the global scale?

Global trend towards introduction of privacy protections – 101 countries have data privacy laws.

EU is the benchmark and we sit at 60% – we are substandard on: data export controls; exemptions; lack of compulsory data breach notification; and enforcement.

Page 4

Privacy Reform – when it starts and who is covered

Amendments to the Privacy Act 1988 were made in December 2012 and come into effect on 12 March 2014.

Act covers APP entities:

a. organisations with an annual turnover of more than $3 million;

b. credit reporting bodies, credit providers and other 3rd party recipients of credit-related personal information (Part IIIA);

c. Federal Government agencies.

New Australian Privacy Principles apply to all ‘personal information’ that is not credit-related (and some of them apply to credit-related personal information also).

Act covers: “acts done” or “practices engaged in” by organisations established or managed in Australia; and entities lacking a physical presence here, but operating online and collecting personal information here.

Page 5

Privacy Reform – what has changed?

Amended definition of “personal information” and “sensitive information”

Coverage for unsolicited information [APP 4]

Adoption of Australian Privacy Principles (APPs) in lieu of NPPs

Additional requirements for notice at time of collection [APP 5.2]

Changes to cross-border disclosure [APP 8]

Changes to direct marketing rules [APP 7]

Updated access and correction rights [APP 12 & 13]

Changes to the Australian Privacy Commissioner’s powers

Introduction of comprehensive credit reporting (New Part IIIA)

Introduction of external dispute resolution schemes (EDR schemes) beyond credit information matters

Page 6

Privacy Reform – New definitions of ‘Personal Information’ and ‘Sensitive Information’

New definition of ‘personal information’ (PI): “information or an opinion about an identified individual, or an individual who is reasonably identifiable”

a. the information or opinion need not be correct; and

b. an individual could be “reasonably identifiable” from additional information accessible by the collecting entity (i.e. data that is not ‘personal information’ by itself can become PI because of other data held by the entity).

In the UK the Information Commissioner has held that information about a website user built up over time and only linked to an email address, was ‘personal information’.

Biometric information is now ‘sensitive information’.

Unsolicited PI is now covered and may need to be destroyed.

Page 7

Privacy Reform - Australian Privacy Principles

1. Open and transparent management of personal information

2. Anonymity and pseudonymity

3. Collection of solicited personal information

4. Dealing with unsolicited personal information

5. Notification of the collection of personal information

6. Use and disclosure of personal information

7. Direct marketing using personal information

8. Cross border disclosure of personal information

9. Adoption, use or disclosure of government identifiers

10. Quality of personal information

11. Security of personal information

12. Access to personal information

13. Correction of personal information

Page 8

Privacy Reform – privacy by design

APP entities required to:

a. implement practices, procedures and a workplace culture that ensure compliance with APPs throughout the PI lifecycle (including governance mechanisms);

b. take such steps to comply as are reasonable for that entity in the circumstances – copy-cat policies and procedures can’t be relied on; and

c. have an up-to-date privacy policy, expressed in language a 14 year old can understand, available on website.

Page 9

Privacy Reform – Changes to direct marketing rules [APP 7]

APP 7.1 - use of personal information for direct marketing (DM) generally prohibited.

Broad exceptions in APPs 7.2 and 7.3 (but don’t apply to sensitive information).

APP entity will generally need an individual’s consent to use or disclose his / her PI for DM if:

a. the individual has no reasonable expectation that his / her PI will be used for DM; or

b. PI is collected from a third party.

Entity must provide a simple means for individuals to request not to receive DM communications.

Sensitive information may only be used / disclosed for DM if individual has given express consent (APP 7.4).

Page 10

Direct marketing – application of APP 7

APP 7 does not apply if Spam Act or Do Not Call Register Act apply (APP 7.8).

APP 7 likely to apply to hard copy direct marketing material but not phone, fax, SMS or email direct marketing, but other APPs will apply to PI management.

Unclear whether DM on Facebook, Twitter or other platforms would be governed by APP 7 or Spam Act but similar result in practice (i.e. notification / consent / unsubscribe requirements).

Page 11

Privacy Reform – Changes to cross-border disclosure [APP 8]

APP 8.1: An APP entity disclosing personal information to an overseas recipient (including a ‘related body corporate’ outside Australia) must take steps that are “reasonable in the circumstances” to ensure recipient does not breach the APPs (other than APP 1).

“Accountability principle”: even where it complies with APP 8.1, entity can still be liable for acts of an overseas recipient (or its subcontractor) that would breach the APPs (new s16C).

Two ways to avoid liability:

a. obtain individual’s consent to the disclosure, having first notified him / her that if s/he gives consent, entity won’t have to take reasonable steps to prevent overseas recipient’s breach (APP 8.2(b)); OR

b. reasonable belief that overseas recipient is subject to a law / binding scheme protecting the PI in a way substantially similar to APPs, and individual can access enforcement mechanisms (APP 8.2(a)).

Page 12

Cross-border disclosure – application of APP 8

‘Disclosure’ different from ‘unauthorised access’ (addressed in APP 11). A cyber-attack does not amount to cross-border disclosure.

Accountability principle + OAIC’s enhanced enforcement powers = increased exposure for any organisation dealing with PI electronically.

Offshoring arrangements may need to be revisited (e.g. terms of supply for cloud computing services may need review).

Page 13

Privacy Reform – Updated access and correction rights [APP 12 & 13]

Upon request by individual, APP entity must grant access to that individual’s PI.

If entity refuses, it must refer the individual to a complaints process.

The individual has the right to have the PI corrected if it is inaccurate, out-of-date, incomplete, irrelevant or misleading.

Individual can request that APP entity provide a correction notice to third parties.

Page 14

Privacy Reform – Commissioner’s role

New powers for Privacy Commissioner:

a. undertake performance assessments of private sector entities;

b. make a determination following own-initiative investigation;

c. accept undertakings enforceable through courts (e.g. that an entity will take / refrain from particular action, or take preventative action);

d. apply to courts for civil penalty order where there is a serious or repeated interference with privacy (penalty up to $1.7 million for companies and $340,000 for individuals).

“Three-tiered” complaint resolution model:

a. Individual complains to APP entity.

b. If not resolved and entity belongs to an EDR scheme, complaint via EDR scheme. [Note: a credit provider’s EDR scheme may not cover all privacy complaints – depends on terms of scheme.]

c. If still not resolved, investigation by Office of the Privacy Commissioner.

Page 15

Privacy Reform: The new credit reporting provisions – Part IIIA of the Privacy Act: Agenda for next segment

Initial observations

Overview of new descriptors and new information covered

Changes:

access requests by individuals;

correction requests by individuals;

complaints hierarchy for breaches of Act or CR Code;

penalties for non-compliance.

Direct marketing

Interaction between Part IIIA and APPs

Page 16

Privacy Reform: The new credit reporting provisions – Part IIIA – Initial observations

The new Part IIIA:

a. allows for more comprehensive credit reporting and associated enhanced privacy protection;

b. follows the structure of APPs;

c. is supplemented by the registered CR Code, which is intended to “fill the gaps” between privacy principles and business operations;

d. is intended to create an Australian credit reporting system so:

i. foreign credit information or information provided by foreign credit providers is excluded; and

ii. information held in the Australian credit reporting system should not be available to foreign CRBs or credit providers.

Page 17

Privacy Reform: The new credit reporting provisions - Part IIIA – New descriptors and new information coverage

New descriptors:

a. Credit Reporting Agency is now a Credit Reporting Body (CRB)

b. Affected Information Recipients (AIRs) – various 3rd parties, e.g. mortgage and trade insurers

c. Categories of credit related personal information

Page 18

Privacy Reform: Information flows in the credit reporting system

[Diagram: permitted disclosure of credit information between credit providers, credit reporting bodies and affected information recipients; the labels below are the recoverable content.]

Credit providers collect credit information from individuals (“credit information”) and, by permitted disclosure, pass it to credit reporting bodies.

Credit reporting bodies derive “CRB derived information” from credit information; “credit reporting information” (which includes CRB derived information) is, by permitted disclosure, passed to credit providers.

Credit providers derive “CP derived information” from credit reporting information; “credit eligibility information” (which includes CP derived information) is, by permitted disclosure, passed to affected information recipients, in whose hands it is “regulated information”.

Page 19

Privacy Reform: The new credit reporting provisions - Part IIIA - Changes to types of information that can be held in the credit reporting system

Expanded set of information covered by the regime:

a. type of consumer credit and terms; repayment history; max amount of credit available under consumer credit;

b. publicly available information relating to creditworthiness;

c. opinions about serious credit infringements;

d. credit scores or risk assessments by either credit provider (CP) or CRB bearing on creditworthiness.

CRBs are regulated in their use and disclosure of de-identified information.

Disclosures of repayment history information between CRBs and CPs limited to holders of Australian credit licence under the National Consumer Credit Protection Act 2009.

Page 20

Privacy Reform: The new credit reporting provisions - Part IIIA – Requests to access credit information

Access must be granted subject to limited exceptions associated with law enforcement.

New timelines for response:

a. CRBs - within 10 days

b. CPs - within a reasonable period

Means of providing access – set out in CR code (CRBs and CPs)

Written reasons for refusal to be provided (unless unreasonable, e.g. related to law enforcement), with appeal rights to EDR scheme or Commissioner noted.

Charges:

only possible for CRBs in limited circumstances;

reasonable charges OK for CPs.

Page 21

Privacy Reform: The new credit reporting provisions - Part IIIA – Correction requests

If a CRB or CP is asked to correct information it must deal with the request and not refer it to another CRB or CP.

The CRB or CP may be required to consult other CRBs or CPs to satisfy itself whether or not information needs to be corrected, e.g. if it can’t substantiate the correctness of the information.

Subject to court orders to the contrary:

a. where correction is made, CRBs and CPs must notify individual and 3rd party recipients (CRBs and AIRs) to which it previously disclosed information;

b. refusal to correct, with reasons (i.e. substantiate the correctness of the information) and noting appeal rights.

Page 22

Privacy Reform: The new credit reporting provisions - Part IIIA – Correction requests

Correction to be made within 30 days (other responsibilities done within a reasonable timeframe)

Charges not allowed

For credit providers: Part IIIA deals exclusively with corrections of all credit information, other than identification information (name, address) which is covered by APP 13

Page 23

Privacy Reform: The new credit reporting provisions - Part IIIA – Changes to complaints procedure

Complaint hierarchy:

a. (other than where complaint is over access or correction) the individual must first complain to CRB or CP;

b. first stage appeal - EDR scheme;

c. second stage appeal – the Commissioner.

CRBs and CPs can’t charge for complaints handling.

CRB or CP must:

a. within 7 days, acknowledge complaint and indicate how it will be dealt with; and

b. provide a written decision with details of appeal process within 30 days.

Page 24

Privacy Reform: The new credit reporting provisions - Part IIIA – Changes to penalties for non-compliance

Breaches of certain provisions attract civil penalties (up to $1.7 million for companies or $340,000 for individuals)

Serious or repeated breaches of Part IIIA or CR code attract civil penalties

Commissioner has new power to apply to Federal Court for an order against a CRB or CP

Unauthorised use and disclosure of false and misleading information attracts criminal penalties

If civil or criminal penalty applies, an individual may apply for compensation

Page 25

Privacy Reform: The new credit reporting provisions - Part IIIA – Direct marketing

CRB prohibited from using or disclosing credit reporting information for the purpose of direct marketing

Exception: limited use by CRBs of credit information for pre-screening of individuals to receive direct marketing from CPs

Individual can request a CRB holding his/her credit information not to use it for pre-screening

Page 26

Privacy Reform: Interaction of APPs and Part IIIA

CRB

a. APPs do not apply to a CRB in relation to personal information that is credit reporting information, CP derived information or a pre-assessment screening.

b. APPs apply in relation to other kinds of personal information.

CP / AIR

a. Generally if a CP or AIR is an APP entity, the APPs are either specifically excluded OR apply in addition to the credit reporting provisions.

b. The CR Code operates in addition to the APPs.

Page 27

Privacy Reform: Credit providers - matters where Part IIIA excludes the operation of the APPs

Privacy Policy for management of credit information and credit eligibility information must detail:

a. the kind of credit information and credit eligibility information collected and held;

b. the kind of CP derived information generated from the credit reporting information;

c. the Part IIIA specific access, correction and complaints rights.

Collection Notice

a. Notify where individual’s PI may be disclosed to CRB

b. Matters specified in CR Code

c. Detail Part IIIA specific access, correction and complaint rights

Page 28

Privacy Reform: Credit providers - matters where Part IIIA excludes the operation of the APPs

Use and disclosure (including use for direct marketing) of credit eligibility information

Integrity and accuracy of credit information collected, used or disclosed

Security of credit eligibility information from unauthorised access

Access and correction regimes for credit information or credit eligibility information

Page 29

Privacy Reform: AIRs - matters where Part IIIA excludes the operation of the APPs

For AIRs:

Privacy Policy: with management rules for Regulated Information and notification to individuals of access, correction and complaint rights consistent with Part IIIA

Use and disclosure

Integrity and accuracy of regulated information

Security of credit eligibility information