Australian Privacy Principles - Updates presented by WiTH Collective & Marque Lawyers
IN 2014, CMOs:
46% PLAN TO INCREASE BRAND AWARENESS
30% INCREASED FOCUS ON LOCATION BASED MARKETING
61% PLAN TO INCREASE INVESTMENT IN DATA & ANALYTICS
60% PLAN TO INCREASE INVESTMENT IN MARKETING AUTOMATION
57% PLAN TO INCREASE SOCIAL MEDIA SPEND
*ExactTarget Cloud Marketing Survey 2014
issues we will cover
AUSTRALIAN PRIVACY PRINCIPLES
REASONABLE EFFORTS TO ENSURE COMPLIANCE
IT SECURITY
THE POWERS OF THE COMMISSIONER
SOME CASE STUDIES
what is personal information?
PERSONAL INFORMATION IS INFORMATION OR AN OPINION ABOUT AN IDENTIFIED INDIVIDUAL, OR AN INDIVIDUAL WHO IS REASONABLY IDENTIFIABLE, WHETHER THE INFORMATION OR OPINION IS TRUE OR NOT, AND WHETHER THE INFORMATION IS RECORDED IN A MATERIAL FORM OR NOT.
The Australian privacy principles
THIRTEEN PRINCIPLES WHICH SET OUT HOW ORGANISATIONS MUST DEAL WITH PERSONAL INFORMATION
APPLY TO COMMONWEALTH GOVERNMENT AGENCIES AND BUSINESSES WITH TURNOVER OF MORE THAN $3M
APP 1: OPEN AND TRANSPARENT MANAGEMENT OF PERSONAL INFORMATION
Personal information must be managed in an open and transparent way.
You must take reasonable steps to ensure you comply with the APPs, and you must have a clearly expressed and up to date Privacy Policy (usually posted on your website).
APP 2: ANONYMITY AND PSEUDONYMITY
You must provide individuals with the option of not identifying themselves, or of using a pseudonym when dealing with you.
This obligation doesn’t apply where it is impracticable to do so.
APP 3: COLLECTION OF PERSONAL INFORMATION
You can only collect personal information where it is reasonably necessary for your functions or activities.
Higher standards apply to the collection of ‘sensitive information’ (e.g. race, religion, health information, sexual preference), in which case the individual must consent to the collection of this information.
APP 4: DEALING WITH UNSOLICITED PERSONAL INFORMATION
This APP sets out how you must deal with unsolicited information you receive.
Broadly, you will have to determine whether you would have been able to collect the information in accordance with APP 3. If not, you must destroy or de-identify the information.
Unsolicited information is that which you receive when you have taken no active steps to collect it. For example, random job applications, flyers, purchased mailing lists.
APP 5: NOTIFICATION OF THE COLLECTION OF PERSONAL INFORMATION
APP 5 sets out when and in what circumstances you must notify an individual of certain matters including your identity and contact details.
You should notify the ‘APP 5’ matters at or prior to the point of collection.
‘APP 5’ matters include:
Your identity and contact details
The purposes for which you collect the information
To whom you may disclose the information (including overseas)
Details of your privacy policy
Generally a clear and prominent link to the privacy policy at the point of collection is OK.
APP 6: USE OR DISCLOSURE OF PERSONAL INFORMATION
You can only use information for the purposes for which you collected it, unless the person has consented or should reasonably expect that you would use it for other related purposes.
APP 7: DIRECT MARKETING
Imposes a general prohibition on use or disclosure of personal information for direct marketing, unless certain criteria are met:
the person has consented or would reasonably expect you to; and
you provide a simple opt out mechanism.
Note this does not include electronic commercial messages (email, text message), which are covered by the Spam Act 2003.
APP 8: CROSS-BORDER DISCLOSURE OF PERSONAL INFORMATION
You cannot disclose personal information to overseas recipients unless you take reasonable steps to ensure that the overseas recipient will comply with the APPs.
Unless:
You believe that the overseas recipient is subject to a privacy regime substantially similar to Australia’s;
The individual provided express consent to the disclosure and agreed that the APPs wouldn’t apply.
What counts as ‘disclosure’? Cloud computing and the like is generally not a disclosure.
APP 9: ADOPTION, USE OR DISCLOSURE OF GOVERNMENT RELATED IDENTIFIERS
You cannot use an individual’s government related identifier (e.g. passport number) as your own identifier for that individual.
Example: An accounting firm can’t use tax file numbers as the basis for its identification system.
You can only use or disclose a government related identifier if you reasonably need to use the identifier to verify the identity of an individual.
APP 10: QUALITY OF PERSONAL INFORMATION
You must take reasonable steps to ensure that the personal information you collect, use and disclose is accurate, up-to-date and complete.
‘Reasonable steps’ depend on the size of your organisation, the types of information, and the consequences of having wrong information.
The Commissioner recommends reviewing personal information regularly, and providing individuals with a simple means of updating details.
APP 11: SECURITY OF PERSONAL INFORMATION
You must take reasonable steps to protect personal information you hold from:
Misuse;
Interference and loss; and
Unauthorised access, modification or disclosure.
You must destroy personal information which you don’t need.
APP 12: ACCESS TO PERSONAL INFORMATION
Generally, you must give individuals access to personal information you hold about them.
There are a number of exceptions, including where access would threaten life or safety, it relates to legal proceedings, or the request is frivolous.
You must respond to a request within a reasonable time.
You must verify the identity of an individual before handing over information.
APP 13: CORRECTION OF PERSONAL INFORMATION
If you know (or the individual tells you) personal information is incorrect, then you must correct it within a reasonable time.
If you have disclosed information, you must also advise those entities of the corrections.
REASONABLE EFFORTS to ensure information security
WHAT DOES YOUR BUSINESS NEED TO DO TO PROTECT PERSONAL INFORMATION?
SOME THINGS TO CONSIDER:
Access (e.g. strong passwords)
Backing up
Communications security (e.g. documents left on printers, emails, discussions outside the office)
Data breaches (have a response plan and know what to do)
Physical security (physical access to the workplace/desks)
Personnel security and training (including contractors and service providers)
Workplace policies
investigations
The Commissioner could always investigate breaches, but in the absence of a complaint had no powers but bad publicity.
Now the Commissioner has the full range of remedies even in the event of ‘own motion’ investigations.
determinations
The Commissioner may determine:
To dismiss a complaint;
That a person must take certain steps to redress loss or ensure the breach doesn’t occur again;
That a person is entitled to a specific amount of compensation; or
That no further action is to be taken.
If a person does not comply with a determination, the Commissioner may apply to the Federal Court for an order to enforce.
Enforceable undertakings
The Commissioner has the power to accept undertakings from an entity that it will do certain things to ensure compliance.
If the entity doesn’t comply, the Commissioner may apply to the Court for enforcement.
penalties
This is new!
If there are serious or repeated interferences with privacy, the Commissioner may seek a civil penalty order from the Court.
Currently, the maximum penalty for a corporation is $1.7 million, and for an individual $340,000.
Telstra
A mail-out to 60,300 customers inadvertently had the wrong customer addresses.
Telstra’s security measures included:
The contract with the mailing house included privacy and confidentiality obligations;
They always conducted privacy impact assessments on each new job;
Each mail-out went through a series of approvals; and
Quality control procedures for staff handling of all campaigns.
In the circumstances Telstra got off – the Commissioner said it was due to human error, and Telstra’s systems were adequate.
McDonald’s serves spam
McDonald’s ran a campaign in which it encouraged customers to send their friends a link on its Happy Meal website, which included promotional games.
Result
The Australian Communications and Media Authority (ACMA) thought this was a breach of the Spam Act as the recipients did not consent to receiving commercial electronic messages from McDonald’s, and they didn’t have an unsubscribe facility.
AAPT
AAPT customer data held by contractor Melbourne IT was hacked and published online.
The Commissioner found AAPT had breached the Act for failing to adequately protect customer data from unauthorised access.
The Commissioner said:
It was not clear contractually who was responsible for addressing and identifying data security issues;
Old versions of applications and software were used; and
Data which was no longer needed was not destroyed.
Under the current Act he couldn’t impose a penalty, but under the changes to the Act he can.
Grays don’t escape
Grays sent an email to its customers introducing its new website ‘GraysEscape’.
They had decided that it was not commercial, and therefore sent it to customers who had previously unsubscribed, and it also did not have an unsubscribe facility.
ACMA found that it was commercial, and hit them with a $165,000 fine.
It was made worse by the fact that Grays made a conscious determination that the email was not promotional (i.e. it was not the result of an error).
Crisis management
CUSTOMER INFORMATION (INCLUDING BANK ACCOUNT DETAILS) OF ABOUT 600 PEOPLE IS INADVERTENTLY EMAILED TO A HOUSEWIFE IN MILWAUKEE.
WHAT DO YOU DO?
What should you do?
FIRST STEP – LOOK AT YOUR OWN PROCEDURES. HAVE YOUR SYSTEMS FAILED?
NO OBLIGATION TO NOTIFY THE CUSTOMERS OR THE COMMISSIONER.
LOOK AT THE IMPACT OF THE DISCLOSURE: IS THERE A THREAT TO THE CUSTOMER?
BE REASONABLE