Getting privacy compliance right
Vanessa Baic, Senior Associate, K&L Gates
Copyright © 2013 by K&L Gates. All rights reserved.
Posted 21-Oct-2014 (Category: Technology)

Transcript of the slide deck (55 slides)

Page 1: Getting privacy compliance right (title slide – Vanessa Baic, Senior Associate)

Page 2: Good and not-so-good news!

Page 3: Good news!

• Aware of the importance of proper handling of information
• Strong compliance culture
• Process driven

Not-so-good news…

• Repeated “mistakes”

Page 4: What is today about?

• Privacy 101
• The Golden Rules
• Implementation

Page 5: Privacy 101 – The basics

Page 6: Privacy 101 – The information lifecycle

Pages 7–9: [Diagram: the information lifecycle – COLLECT → USE/DISCLOSE → STORE, with the COLLECTION stage highlighted; page 9 is image only]

Page 10: Privacy 101 – definitions

Personal information means information or an opinion about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is:

• true or not; and
• recorded in a material form or not

Sensitive information includes race, ethnic origin, political opinions, membership of professional/trade associations, religious or philosophical beliefs, sexual preferences, criminal history and health information

Health information includes:

• information or an opinion about the health or disability of an individual, or a health service provided to, or to be provided to, an individual
• other PI collected to provide, or in providing, a health service

Pages 11–14: [Diagram: the information lifecycle – COLLECT → USE/DISCLOSE → STORE – built up over four slides with the COLLECTION, DISCLOSURE and ACCESS flows; the DISCLOSURE recipients shown are Hospitals, CDMP providers, IT service providers, Mail houses and Ancillary providers]

Page 15: Privacy 101 – New laws

• 10 National Privacy Principles replaced with 13 Australian Privacy Principles
• The Commissioner’s powers have been increased
• New laws commence on 12 March 2014

Page 16: The Golden Rules – What you need to know to comply with the current and new laws

Page 17: Collection Rules

Page 18: [image only]

Page 19: Do not collect PI unless you need it

You must not collect PI unless the information is necessary for one or more of your functions or activities

eg. Membership application form

Page 20: [image only]

Page 21: Obtain consent before collecting sensitive information

An organisation must not collect SI about an individual unless (amongst other things) the individual has consented

eg. Information from a CDMP provider

Page 22: Provide a collection statement before or at the time of collection

Page 23: Collection statements

Current requirements:

• Your identity and how to contact you
• The fact he/she can gain access to the information
• The purposes for which the information is collected
• The organisations (or types of organisations) to which you usually disclose information of that kind
• Any law that requires or authorises the particular information to be collected
• The main consequences (if any) for the individual if all or part of the information is not provided

Additional requirements:

• Whether you collect PI about the individual from a third party and the circumstances of that collection
• The fact that your privacy policy contains information about how the individual may:
  – access and correct PI
  – complain about a breach of the APPs and how you will deal with such a complaint
• Whether you are likely to disclose PI overseas and, if so, the countries where such recipients are likely to be located

Page 24: Are you properly providing collection statements and obtaining necessary consents?

• Members?
• Healthcare providers?

Page 25: [image only]

Page 26: Collecting unsolicited information

• Decide within a reasonable period whether you could have collected the PI if you had solicited it
• If you could not have collected the PI, and it is not contained in a “Commonwealth record”, destroy or de-identify it
• If you could have collected the PI, then the APPs apply

Page 27: Use and Disclosure Rules

Page 28: Use and disclosure

Do not use or disclose PI about an individual for a purpose (the secondary purpose) other than the primary purpose of collection without consent unless:

• The secondary purpose is related to the primary purpose of collection (directly related in the case of SI)
• The individual would reasonably expect you to use or disclose the information for the secondary purpose

eg. CDMP programs

Page 29: Direct marketing

New “prohibition” on direct marketing – APP 7.1, unless one of the following sets of conditions applies (shown on the slide as three columns):

APP 7.2
• information collected from individual
• reasonably expect use or disclosure
• opt out options
• has not opted out

APP 7.3
• information collected from individual
• not reasonably expect use or disclosure
• impracticable to obtain consent
• opt out options
• prominent statement or draw attention to opt out
• has not opted out

APP 7.3
• information collected from third party
• consent or impracticable to obtain consent
• opt out options
• prominent statement or draw attention to opt out
• has not opted out

Actions – review collection notices and information collection methods

Page 30: Disclosure overseas

Page 31: Disclosure overseas (cont.)

APP 8 – New accountability approach to cross-border disclosure of personal information

Implication – if there is a disclosure of personal information to an overseas recipient:

• Must take reasonable steps to ensure compliance of APPs by the overseas recipient – contractual obligation, audit
• Sender is potentially liable for misuse by overseas recipient!

Exceptions shown on the slide:

• Overseas recipient subject to similar principles as APPs and enforcement action available
• Individual consents to disclosure after being expressly informed that APP 8.1 will not apply

Page 32: Disclosure overseas (cont.) – Privacy in Asia – indicative examples

[Table: jurisdictions grouped under Weak / Medium / Strong; the column boundaries are not recoverable from the transcript]

• Singapore – draft bill
• China
• Bangladesh
• Pakistan
• Sri Lanka
• Nepal
• Hong Kong
• Macau
• India
• Philippines
• Thailand
• Vietnam
• Malaysia – legislation still to come into force
• South Korea
• Taiwan
• Japan

Page 33: Storage and Disposal Rules

Page 34: [image only]

Page 35: Storage and disposal

• You must take reasonable steps to protect PI from misuse, interference and loss, and from unauthorised access, modification or disclosure
• You must take reasonable steps to destroy or permanently de-identify PI if you do not need it
• Take care of other obligations to retain information

Page 36: Other Rules

Page 37: [Diagram: corporate group chart – Parent Co. with ABC Health Insurance, ABC Insurance, ABC Life Insurance, ABC General Insurance, XYZ Health Insurance, XYZ Healthcare, XYZ Allied Health and XYZ CDMP]

Page 38: You are not one big happy family!

Related bodies corporate exemption does not apply where:

• SI is concerned
• the related body corporate is overseas

Page 39: You need to have robust privacy processes and policies

• Standard operating procedures
• Privacy policy

Page 40: Privacy policy

• The kinds of PI you collect and hold
• How you collect and hold PI
• The purposes for which you collect, hold, use and disclose PI
• How an individual can access PI held by you and seek correction of such PI
• How an individual can complain about a breach of the APPs and how you will deal with the complaint
• Whether you are likely to disclose PI overseas and, if so, the countries in which such recipients are likely to be located

Page 41: Implementation – What should you do to comply?

Page 42: Implementation: What should you do?

1. Identify all relevant PI/SI flows now and after 12 March 2014
2. Prepare and confirm “information flows” document based on the above
3. Assess and report on privacy compliance
4. Prepare (or update) privacy policy and collection statements (incorporating consents)
5. How will you notify individuals of changes to your privacy policy and collection statements?
6. Implement transborder transfer agreements
7. Prepare a standard operating procedure
8. Train the privacy officer(s) and delegates
9. Train relevant staff
10. Refresher and induction training programs
11. Regular review and updating of privacy policy and collection statements (and consents)


Page 53: Why bother?

• Because you cannot afford not to!
• What will adverse publicity do for your business?
• New powers afforded to the Commissioner

Page 54: Commissioner’s new powers

[Diagram: Office of the Australian Information Commissioner at the centre, with the following powers arranged around it]

• Investigate complaints about interference with privacy
• Monitoring related functions – security and accuracy of credit reports
• Conduct an assessment relating to APPs
• Apply to Federal Court for civil penalty orders
• Request copy of privacy impact assessment from an agency
• Accept enforceable undertakings
• Undertake investigations and order actions

Page 55: Questions

Further information

Vanessa Baic
Senior Associate
K&L Gates
Phone: +61 9205 2046
[email protected]
www.klgates.com