Page 1: LegalWise Seminar - Privacy Implementation Issues 2015 (Clean)

LegalWise Seminar - 13 March 2015

Privacy Implementation Issues

Eugene Foo

Deputy General Counsel

GE Capital

[email protected]

(03) 8807 6970


LegalWise Seminar 3/12/2015

Disclaimer

This presentation provides general information only. The information contained in this presentation does not constitute legal advice and should not be relied upon as such. The views contained in this presentation represent the personal views of the author and do not represent the views of GE Capital.


Agenda

• Status Check – Privacy Compliance

• Update on Privacy Commissioner’s Enforcement Powers

• Elements of the new regime

• Direct marketing – APP 7

• Cross-border disclosure – APP 8

• Credit reporting – Part IIIA

• Security of Personal Information – APP 11


Status Check – Privacy Compliance


Status Check – Privacy Compliance

• Reform of Privacy law commenced 12 March 2014

• A year has passed; what have been the major developments?

o APP Guidelines

o Privacy regulatory action policy

o Guide to securing personal information

o Data breach notification — A guide to handling personal information security breaches

o Review of privacy policies by the Privacy Commissioner (PC)

o Shift of PC’s focus from basic compliance to on-going governance


Status Check – Privacy Compliance

• By now, you should have the following basics:

• Updated privacy policy (APP 1.3)

o Should be fully reflective of the changes to the law

o References to NPPs should be now references to APPs

o Processes and procedures that underlie the policy have been reviewed and tested

o Whether PI is disclosed overseas and, if so, the countries of the recipients and the risk management of those recipients


Status Check – Privacy Compliance

• Updated privacy notice (APP 5)

o To be given at time of collection

o Must notify the person of matters under APP 5.2, including:

Identity and contact details

Any collection from 3rd parties

Purpose for which PI is collected

If collection is required or authorised under law

Consequences if unable to collect PI

Any disclosures between related bodies corporate and other entities

Access, correction and complaints


Status Check – Privacy Compliance

• Updated privacy notice (APP 5) cont’d

o Overseas disclosure (use of express consent – practical difficulties?)

• Processes and procedures

o Must align with statements in Privacy Policy and APP 5 notice

o Need to also address and mitigate privacy risk areas (including those processes that are manual) – integration into risk management framework for the organisation

o Purposes must be mapped to business processes and verified

o Processes to monitor and supervise compliance implemented

o Processes for remediation and breach notification / handling developed


Status Check – Privacy Compliance

• Implement or refresh privacy training

• Security (who has access etc) (APP 11.1)

• Retention and destruction (APP 11.2)

o Need a clear policy for destruction of records if you no longer need the PI for any purpose and there is no general law obligation to retain it

• Part IIIA compliance

o CRBs (credit reporting bodies) and CPs (credit providers) or AIRs (affected information recipients) who hold CI (credit information), CEI (credit eligibility information) or CRB derived information

o Credit Reporting Policy and Statement of Notifiable Matters

o s21C notice


Update on Privacy Commissioner’s Enforcement Powers

• New enforcement powers

• Conduct own motion investigations in addition to those that arise from complaints

• Accept enforceable undertakings and enforce them

• Perform audits to assess compliance with privacy legal obligations

• Seek civil penalties in Federal Court:

o Up to $1.7 million for bodies corporate or $340,000 for individuals

• Release of Privacy regulatory action policy

• Guide to Privacy regulatory action policy


Update on Privacy Commissioner’s Enforcement Powers

• Privacy regulatory action policy

• Promote and ensure the protection of personal information, consistent with the objects of the Privacy Act.

• Other goals also include: ensuring compliance, deterrence, increasing public awareness, obtaining appropriate remedies for aggrieved persons and addressing systemic issues

• PC’s preferred approach is to facilitate voluntary compliance and work with entities to ensure best privacy practice / prevent privacy breaches.


Update on Privacy Commissioner’s Enforcement Powers

• However, the PC can take targeted regulatory action if there is a concern

• PC will take into account the steps taken by an entity to comply with its privacy obligations and factors outlined in the policy, including:

o the seriousness of the incident, including:

the number of persons potentially affected

whether the matter involves ‘sensitive information’ or other information of a sensitive nature

the adverse consequences caused or likely to be caused to one or more individuals arising from an incident or conduct

whether conduct was deliberate or reckless


Update on Privacy Commissioner’s Enforcement Powers

remediation efforts of the entity

whether the entity attempted to conceal the breach

level of cooperation of the entity

• Exposure draft guide to regulatory action policy, covers:

o Chapter 1: Introduction

o Chapter 3: Data breach incidents and Commissioner initiated investigations

o Chapter 4: Enforceable undertakings

o Chapter 7: Civil penalties — serious or repeated interference with privacy and other penalty provisions

o Chapter 8: Privacy assessments

o Chapter 9: Directing a privacy impact assessment (PIA)


Update on Privacy Commissioner’s Enforcement Powers

• What does this mean for industry?

o Likely to see a more pro-active PC

o Focus on governance and processes

o Focus on remediation efforts and breach notification


Elements of the new regime


Direct marketing – APP 7

• APP 7 provides that use or disclosure of an individual’s PI for Direct Marketing (DM) is prohibited unless you fit within one of the exceptions

• Two exceptions:

o Where the PI is collected from the individual and the individual would reasonably expect the PI to be used for DM – the APP entity provides a “simple and easy” means of opting out of DM

o Where GE obtains an individual’s PI from a third party (such as a list) or the individual does not have a reasonable expectation that their information will be used for DM – the APP entity must offer a “prominent” opt out in each DM communication


Direct marketing – APP 7

• APP 7 Guidelines (7.19) provide that a “simple and easy” means of opting out is one that is:

o visible, clear and easily understood

o in a font size that is easy to read

o requires minimal time and effort

o uses a straightforward and accessible communication channel

o free, or does not involve more than a nominal cost

o a usual method could be a telephone line, email to a nominated address or link to specific website which provides the opt out function


Direct marketing – APP 7

• APP 7 Guidelines (7.28) state that a “prominent” opt out statement should:

o be written in plain English, and not use legal or industry jargon;

o be positioned prominently, and not hidden amongst other text (headings may be necessary to draw attention to the statement); and

o be published in a font size and type which is easy to read, at least the “same font size as the main body of text in the communication”

• N.B. interaction of Spam Act and Do Not Call Register Act and APP 7

• N.B. stop DM facilitation obligation and advise source of PI when requested


Direct marketing – APP 7

• Practical approaches and issues

• Ensure customer consent for DM is obtained

• It can be difficult to determine whether PI was obtained from the individual or from a third party (say, a list); it could be simpler to include an opt out with each DM communication

• Need to vet and perform due diligence on third party DM lists to ensure that proper customer consent for DM has been obtained


Cross-border disclosure – APP 8

• Before an APP entity discloses personal information about an individual to an overseas recipient, the entity must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information

• Where an entity discloses personal information to an overseas recipient, it is accountable for an act or practice of the overseas recipient that would breach the APPs (s 16C)


Cross-border disclosure – APP 8

• Exceptions:

o The recipient is subject to protections substantially similar to the APPs and there are mechanisms that the individual can access to enforce that protection of the law; or

o Express warning and specific consent to overseas disclosure

• Disclosure is not defined under the Privacy Act – occurs when an entity makes PI accessible to others outside the entity and releases the subsequent handling of the information from its effective control

• Excludes “unauthorised access” such as hacking or attacks – but note APP 11 risk


Cross-border disclosure – APP 8

• Limited exceptions for “use” where the entity does not relinquish effective control (a difficult test to satisfy):

o a binding contract requiring the provider only to handle the personal information for limited purposes

o the contract requires any subcontractors to agree to the same obligations

o the contract gives the entity effective control of how the personal information is handled by the overseas recipient


Cross-border disclosure – APP 8

• Risk management of APP 8 risk

o Due diligence of overseas service providers prior to contracting, in particular, capability to comply

o Contractual framework

o Compliance with Privacy laws and entity’s policies and procedures around data and PI security

o Training of staff handling PI

o Monitoring and supervision rights

o Audit rights

o Strengthen return, destruction and de-identification of PI rights and obligations


Credit reporting – Part IIIA

• Regulates CRBs and CPs or AIRs who hold CI, CEI or CRB derived information

• Requires Credit Reporting Policy and Statement of Notifiable Matters

• s21C notice, EDR membership and underlying processes for dealing with CI, CEI

• Compliance with CR Code - additional matters (c 4.1) in terms of the s21C notice

• Compliance with data quality standards (accurate, up-to-date and complete), security, access, correction and complaints processes


Credit reporting – Part IIIA

• Restricted use of CEI; see permitted uses in s21H, for example internal management purposes directly related to the provision or management of consumer credit, or to assist an individual to avoid default

• CEI cannot be used for DM purposes

• Requires notice (s 21D(2)(d)) of intention to list default prior to default listing

• Record keeping obligations for when an entity uses or discloses CEI

• Civil penalties for disclosure of false and misleading CI and CEI up to $1.7 million


Security of PI – APP 11

• Under APP 11.1 an entity that holds PI must take reasonable steps to protect the information from misuse, interference and loss, and unauthorised access, modification or disclosure

• Under APP 11.2, an entity must also take reasonable steps to destroy or de-identify the PI they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs.

• Does not apply where the personal information is contained in a ‘Commonwealth record’ or where the entity is required by law or a court/tribunal order to retain the personal information.

• APP 11 only applies to PI that an APP entity holds.

• An entity holds personal information “if the entity has possession or control of a record that contains the personal information”


Security of PI – APP 11

• Guide to securing personal information

• Focus is on active measures to ensure the security of PI held and to actively consider the issue of retaining PI

• Focus is on information life cycle:

o Consider whether it is actually necessary to collect and hold PI in order to carry out your functions or activities

o Plan how PI will be handled and embed privacy protections into the design of information handling practices (Privacy by design)

o Assess the risks associated with the collection of the PI due to a new act, practice, change to an existing project or as part of business as usual (Privacy Impact Assessment)

o Take appropriate steps and put in place strategies to protect the PI that you hold (reasonable steps / strategies)

o Destruction or de-identification of the personal information when it is no longer needed (e.g. record retention schedule)


Security of PI – APP 11

• What are “reasonable steps” depends on the circumstances:

o Nature of entity – size, resources, complexity of operations and business model

o Amount and sensitivity of PI held – increases reasonable steps obligation, higher obligation in respect of sensitive information

o Risk of adverse consequences for individual if PI is not secured and there is a breach

o Practical implications of implementing a security measure, including time and cost; an entity is not excused merely because a step is inconvenient, time-consuming or costly – the question is whether the burden is excessive in the circumstances

o Whether the security measure is itself privacy invasive – need to find balance

• The ‘reasonable steps’ that an APP entity should take to ensure the security of personal information will depend upon circumstances that include:

• the amount and sensitivity of the personal information. More rigorous steps may be required as the quantity of personal information increases, or if the information is ‘sensitive information’ (defined in s 6(1) and discussed in Chapter B (Key concepts)) or other personal information of a sensitive nature

• the nature of the entity. Relevant considerations include an entity’s size, resources and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or gives database and network access to contractors, may differ from the reasonable steps required of a centralised entity

• the possible adverse consequences for an individual. More rigorous steps may be required as the risk of adversity increases

• the entity’s information handling practices, such as how it collects, uses and stores personal information. This includes whether personal information handling practices are outsourced to third parties, and whether those third parties are subject to the Privacy Act. If a third party is not subject to the Privacy Act, it may be reasonable for the entity to take steps to ensure the third party meets the entity’s obligations under the Privacy Act, for example through specific privacy obligations in contracts and mechanisms to ensure these are being fulfilled

• the practicability, including time and cost involved. However an entity is not excused from taking particular steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances

• whether a security measure is in itself privacy invasive. For example, while an APP entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity (see also Chapter 12 (APP 12)).


Security of PI – APP 11

• Reasonable steps and strategies could touch the following areas:

o Governance, culture and training

o Internal practices, procedures and systems

o ICT security

o Access security

o Third party providers (including cloud computing)

o Data breaches

o Physical security

o Destruction and de-identification

o Standards

• Further detail in Guide to securing personal information


Q & A


Any Questions?