The Australian Privacy Commissioner, Timothy Pilgrim, said that 100% of the high profile investigations he completed in 2011–12 involved data security issues.
Information security obligations for businesses are contained in the National Privacy Principles, the credit reporting provisions in the Privacy Act and the Tax File Number Guidelines.
The guide provides guidance on information security, specifically the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold.
It provides examples of steps and strategies which may be reasonable for an entity to take.
This could include taking steps and implementing strategies to manage the following:
• ICT security
• data breaches
• physical security
• personnel security and training
• workplace policies
• the information life cycle
• regular monitoring and review.
The guide recommends businesses build privacy and information security measures into their processes, systems, products and initiatives at the design stage.
In the amendments that commence on 12 March 2014, the security of personal information is dealt with in APP 11. The obligations in APP 11 are similar to those in NPP/IPP 4. However, APP 11 will require an entity to take reasonable steps to protect personal information from ‘interference’ (eg hacking), as well as from misuse, loss, unauthorised access, modification or disclosure.
If approved by the OAIC, the new CR Code will supplement the privacy protection regime set out in Part IIIA of the Privacy Act as amended in December 2012, and will replace the existing Credit Reporting Code of Conduct, which has operated since 1996. It will set out how the Part IIIA provisions of the Privacy Act are to be applied or complied with.
The CR Code has been designed to:
• address expectations in Part IIIA or the Explanatory Memorandum;
• replicate current Credit Reporting Code of Conduct obligations that continue to be relevant, given that this Code will be replaced by the new CR Privacy Code;
• make credit reporting work from a practical perspective;
• provide some assistance to consumers to understand and interact with the new systems; and
• address industry uncertainty as to how to interpret aspects of Part IIIA, in the interests of consistency of approach within industry.
The CR Code does not encompass all aspects of Part IIIA and so compliance with the CR Code alone will not achieve full compliance with Part IIIA.
The CR Code is being released publicly so that submissions can be received from the public and stakeholder views taken into account as required by Section 26Q of the amended Privacy Act.
The public consultation process closes at 5.00pm on 5 May 2013.
It is expected the finalised draft Code will be lodged with OAIC by 1 July 2013.
The Commonwealth Government has decided that any reforms to small business finance will be deferred. (Background)
This decision is limited to the small business reforms in Phase 2 of the consumer credit reforms.
The draft Bill’s provisions relating to credit provided for investment purposes, private lenders who provide credit contracts or consumer leases through an intermediary, short-term and indefinite term consumer leases and anti-avoidance practices will not be deferred.
Our next Financial Services CPD Seminars will discuss the Privacy Act amendments relating to direct marketing and credit reporting, with separate Credit Act update sessions for marketers and collections managers.
There will also be a “core” breakfast session specifically for Responsible Managers.
* Cost: $550 (incl GST) per person for the whole program
* All sessions bookable separately
* CPD points: 6 points
* Time: 8am – 3pm
* Location: Brisbane, Sydney, Melbourne
* Designed for: Financial Services Managers who wish to stay up to date with all the relevant financial services and credit industry regulatory changes
When and where
Brisbane: Tuesday 19 February 2013
Sydney: Wednesday 20 February 2013
Melbourne: Tuesday 26 February 2013
Repayment history information is defined in Section 6V as:
(a) whether or not the individual has met an obligation to make a monthly payment that is due and payable in relation to the consumer credit;
(b) the day on which the monthly payment is due and payable;
(c) if the individual makes the monthly payment after the day on which the payment is due and payable—the day on which the individual makes that payment.
It does not include the amount of any missed payment — only the fact that the borrower made or missed a payment.
It could include payments on a loan or credit card.
From 12 March 2014 licensed credit providers can pass repayment history information on to credit reporting bodies.
Information about any particular payment cannot be held for more than two years from the date it was due.
Repayment history information will not include information about any payment that was due before 12 December 2012.
Langes+ invites you to this CPD seminar for financial services providers.
In response to feedback we have added a breakfast session for Responsible Managers and a session dealing with Privacy (including the new Australian Privacy Principles and credit reporting) which will be relevant to both marketers and collections staff.
The seminar will cover all the ‘must-know’ rules and traps for each topic. Topics are selected for their relevance and contain practical case studies and examples with time allowed for discussion.
We look forward to seeing you.
Session 1 (bookable separately)
8am to 9.45am Introduction to Responsible Managers’ duties (including light breakfast from 7.30am)
10am to 11am Marketing issues: advertising credit and financial services, dealing with referrers and linked credit
11.15am to 1pm Privacy Act changes (including changes affecting marketing and credit reporting)
Session 4 Collections issues
1.45pm to 3pm Credit enforcement update: hardship, mortgagee sales and resolving EDR complaints
When and where
Brisbane: 19 February 2013
Sydney: 20 February 2013
Melbourne: 26 February 2013
Adelaide: 27 February 2013
Whole Program: $550.00 (incl GST)
$495 if you pay by 31 January 2013
$467.50 per person if 3 or more attend from same organisation
All sessions bookable separately
Session 1 $200 (incl GST) ($180 if paid by 31 January 2013)
Sessions 2, 3 and 4 $165 each (incl GST) ($148.50 each if paid by 31 January 2013)
Although the reforms will likely commence in March 2014, on a date 15 months after Royal Assent, once the credit reporting provisions commence credit providers will be able to use credit information collected from the date of Royal Assent.
Civil penalties of up to 2,000 penalty units (equivalent to $340,000) are imposed for breaches of the credit reporting provisions in the Act.
If the offending entity is a body corporate, the maximum penalty is 5 times the amount of the pecuniary penalty specified for the civil penalty provision (ie a maximum of $1.7 million).
You can see the Privacy Commissioner’s response here
The Bill will now be sent back to the House of Representatives to approve the changes. UPDATE: Amendments approved by House of Reps. More here.
The commencement period of the Bill has been delayed to 15 months after Royal Assent (instead of 9 months).
A number of these amendments respond to the recommendations of the Senate Legal and Constitutional Affairs Legislation Committee’s (the Committee) report into the Bill.
Apart from technical clarifications, the changes:
• specify that at least 14 days must elapse from the giving of a written notice before a default is recorded as part of an individual’s credit reporting information;
• allow mortgage insurers, who are not credit licensees, to access repayment history information;
• insert additional matters that must be contained in a credit provider’s policy; and
• insert additional notification obligations which a credit provider must satisfy at, or as soon as practicable after, the collection of information.
Langes will be working with clients to help with the transition.
The Bill amends the Privacy Act to:
• Create the Australian Privacy Principles (APPs), a single set of privacy principles applying to both Commonwealth agencies and private sector organisations, which replace the Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector
• Introduce more comprehensive credit reporting with improved privacy protections, at the same time updating the provisions to more effectively address the significant developments in the operation of the credit reporting system since the provisions were first enacted in 1990
• Introduce new provisions on privacy codes and the credit reporting code (called the CR code), including powers for the Commissioner to develop and register codes in the public interest that are binding on specified agencies and organisations; and
• Clarify the functions and powers of the Privacy Commissioner and improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.
Time is running out to register for our next Responsible Manager seminars in August 2012.
The seminars will discuss:
preparing for an ASIC compliance audit
specific issues relevant to responsible managers of both AFS licensees and credit licensees
the proposed credit enhancements and the credit card changes.
They will be practical and interactive.
* Cost: $385 (incl GST) per person
* CPD points: 3 points
* Time: 9am – 12:30pm (registration 8:30am)
* Location: Brisbane, Sydney, Melbourne, Adelaide
* Designed for: Responsible Managers who wish to stay up to date with all the relevant finance industry regulatory news
When and where
Brisbane: Tuesday 21 August 2012
Sydney: Wednesday 22 August 2012
Melbourne: Tuesday 28 August 2012
Adelaide: Wednesday 29 August 2012