May 16, 2012

Government’s response to Privacy Amendment recommendations

The Commonwealth Government has published its response to the Senate Finance and Public Administration Legislation Committee Reports on privacy amendments.

The response is in 2 parts: Exposure Drafts of Australian Privacy Amendment Legislation: Part 1 – Australian Privacy Principles and Exposure Drafts of Australian Privacy Amendment Legislation: Part 2 – Credit Reporting. (Background: here, exposure draft legislation)

Of the Committee’s 29 recommendations on the Australian Privacy Principles, 4 have been accepted in full, 14 have been accepted in principle, 1 has been accepted in part, 6 have been supported and 4 have been rejected in full.

Of the Committee’s 30 recommendations on credit reporting, 20 have been accepted in full, 7 have been accepted in principle and 3 have been noted.

The Attorney General recently indicated that legislation would be introduced in the Winter Sittings of Parliament.

In respect of credit reporting, credit reporting information will include the following categories of personal information, in addition to those currently permitted in credit information files under the Privacy Act:
(a) the type of each credit account opened (for example, mortgage, personal loan, credit card);
(b) the date on which each credit account was opened;
(c) the current limit of each open credit account; and
(d) the date on which each credit account was closed.

Amongst other things, the changes will allow the Privacy Commissioner to:

• Accept a written undertaking from an organisation that it will take, or refrain from taking, a specified action. This will be enforceable in the Federal Court or Federal Magistrates Court.
• Make a determination following an investigation conducted on the Commissioner’s own initiative. Currently, the Act only allows a determination to be made when investigating a complaint from an individual about an act or practice.
• Seek civil penalties in the case of serious or repeated interferences with privacy.
• Conduct performance assessments of private sector organisations handling personal information. Currently the Commissioner can only conduct audits of government agencies and credit reporting agencies.

Posted 16th May 2012 by David Jacobson in Financial Services, Privacy

May 2, 2012

Privacy case note: A and Financial Institution

In A and Financial Institution [2012] AICmrCN 1 the Privacy Commissioner dealt with a complaint from a customer of a financial institution that a mobile phone number provided for security purposes in an internet banking application was used 5 years later by a company marketing insurance products for the financial institution.

The financial institution did not deny the complainant’s claims that the complainant had provided their mobile phone number for security identification purposes. The Commissioner considered the context of the collection of the mobile phone number, and took the view that the primary purpose of collection was to provide extra security protection for banking transactions. The Commissioner took the view that disclosing the mobile phone number for the secondary purpose of enabling the direct marketing company to contact the complainant was not related to the primary purpose of collection.

The financial institution advised the Commissioner that it sent the complainant a letter about its insurance products a week before the complainant received the telephone calls. A notice in fine print at the back of the letter stated that the financial institution would send the complainant’s mobile phone number to the financial institution’s contract company, to call the complainant, unless the complainant contacted a specified number to advise they wanted to be excluded from the calling program.

The financial institution considered that, because the complainant had not responded to the letter by calling to advise it did not want to participate in the calling program, it was entitled to assume that its disclosure of the complainant’s personal information, including the mobile phone number, was within the complainant’s reasonable expectations.

The parties conciliated the matter. To resolve the matter the complainant accepted a letter of apology and assurances from the financial institution that the complainant would not be included in any future marketing campaigns. The financial institution also undertook to conduct a review of its marketing campaign procedures.

The Commissioner accepted that the complainant was unlikely to have closely read the correspondence as the letter sent by the financial institution was about a service that the complainant was not interested in receiving from that organisation.

Further, the Commissioner noted that the information advising the recipient of the intention to disclose the mobile number for direct marketing purposes was included as part of additional information located on the back of the correspondence. This information, entitled ‘Important Information’, was not only on the back of the correspondence but was also in extremely small font, which could seem contrary to it being important information.

Posted 2nd May 2012 by admin in Financial Services, Insurance, Marketing, Privacy

April 30, 2012

Revised data breach notification guide issued by OAIC

The Office of the Australian Information Commissioner (OAIC) has published a revised guide to handling personal information security breaches.

Although the Privacy Act does not impose a mandatory obligation to notify the Privacy Commissioner (now part of the OAIC) and affected individuals in the event of a data breach that could give rise to a ‘real risk of serious harm’ to the affected individuals, the OAIC’s guide is intended to support and encourage organisations to voluntarily put in place reasonable measures to deal with data breaches (including notification of affected individuals and the OAIC), while legislative change is considered by the Government.

The guide sets out a risk analysis process to help organisations determine if and when notification is an appropriate response.

Posted 30th April 2012 by David Jacobson in Privacy

January 9, 2012

OAIC Privacy case notes 1-13 of 2011

The Office of the Australian Information Commissioner published 13 privacy case notes on 22 December 2011.

The cases include successful complaints against a registered club, an insurer, a credit reporting agency, a financial institution and a retailer.

Posted 9th January 2012 by David Jacobson in Financial Services, Insurance, Privacy

December 21, 2011

New Tax File Number Guidelines

New tax file number guidelines (Tax File Number Guidelines 2011) have been registered, replacing the previous Tax File Number Guidelines 1992.

The TFN Guidelines, issued under section 17 of the Privacy Act 1988, regulate the collection, storage, use, disclosure, security and disposal of individuals’ TFN information.

While individuals cannot be required to provide their TFN, if they do not quote their TFN to employers and financial institutions then they will have tax deducted from their income or interest payments at the highest marginal rate.

Quotation of TFNs is also a condition of receipt of most Australian Government assistance payments.

The ATO and APRA have published ‘Classes of lawful tax file number recipients’, which contains information on the classes of persons or bodies who are authorised by law to request that an individual quote their TFN.

The TFN Guidelines only apply to the TFN information of individuals and do not apply to TFN information about other legal persons such as corporations, partnerships, superannuation funds and trusts.

The TFN Guidelines are legally binding. A breach of the TFN Guidelines is an interference with privacy under the Privacy Act.

Unauthorised use or disclosure of TFNs can be an offence under the Taxation Administration Act 1953 and can attract penalties including imprisonment and monetary fines.

The Office of the Australian Information Commissioner has issued a Fact Sheet.

Posted 21st December 2011 by David Jacobson in Financial Services, Privacy, Tax

December 14, 2011

Privacy complaint: Wentworthville Leagues Club gambling records

In ‘D’ and Wentworthville Leagues Club [2011] AICmr 9 the Australian Privacy Commissioner determined that the Club interfered with the complainant’s privacy by disclosing the complainant’s membership details and gaming information to the complainant’s ex-partner.

The Club was ordered to apologise in writing to the complainant, review its training of staff in the handling of personal information and legal requests for personal information including court subpoenas and pay the complainant $7500 for non-economic loss caused by the interference with the complainant’s privacy.

The Club received a letter from the complainant’s ex-partner which attached a copy of a subpoena issued by the Federal Magistrates Court in family law proceedings involving the complainant and their ex-partner. The subpoena required the Club to provide gambling records to the Court. But instead an employee provided computer printouts of information about the complainant to the ex-partner at the Club. The documents were a printout of the complainant’s full membership details and their bonus point activity statements for the periods July–August 2002 and January–June 2003. The statements showed the complainant’s total turnover and winnings and the complainant’s then balance on their account with the Club.

The Privacy Commissioner determined that the Club is an ‘organisation’ for the purposes of the Privacy Act and is therefore obliged to comply with the National Privacy Principles. The disclosure was not authorised by law as the documents were not provided to the court as the subpoena required.

The Privacy Commissioner accepted that the disclosure contributed to serious anxiety, panic attacks and physical symptoms of the complainant but rejected claims for economic loss and punitive and aggravated damages.

Posted 14th December 2011 by David Jacobson in Privacy

December 7, 2011

Privacy implications of digital photocopiers

The Privacy Commissioner has issued a Fact Sheet on Digital photocopiers: inadvertent collection and storage of personal information.

The Fact Sheet discusses the implications of unnecessarily (albeit inadvertently) collecting personal information by digital copiers and multi-function printers which store information they copy or scan.

Additionally if you are collecting and storing personal information, the Privacy Act requires that you take reasonable steps to make sure that information is secure and will not be accessed, modified or disclosed without authorisation. Networked devices may be accessible to the internet and email.

The Fact Sheet also contains a caution relating to selling a used photocopier or MFP or returning a leased photocopier or MFP. As best practice, before selling or disposing of a photocopier or MFP, or returning a leased photocopier or MFP, make sure that all scanned images on the integrated hard drive have been completely erased.

Posted 7th December 2011 by David Jacobson in Privacy

October 31, 2011

Electronic customer identity verification and privacy

The e-verification provisions in section 35A of the AML/CTF Act expressly permit the use and disclosure of credit reporting information, instead of documents, for electronic identity verification to satisfy obligations under the AML/CTF Act, provided the reporting entity has obtained express and informed consent from the individual before making a verification request.

A breach of these requirements is a breach of section 13A of the Privacy Act (section 35L of the AML/CTF Act).

In summary the e-verification provisions:
• permit a reporting entity to disclose specified personal information (including name, date of birth and residential address) to a credit reporting agency (CRA) for identity verification purposes with the express consent of the individual whose identity is being verified;
• permit a CRA to conduct a matching process between personal information provided to it by a reporting entity and the personal information held on its own files and provide an assessment to the reporting entity of the outcome of the verification process;
• require reporting entities to notify their customers, or other individuals required to be identified under the AML/CTF Act, of unsuccessful attempts to verify identity using credit reporting data;
• require credit reporting agencies and reporting entities to retain information about verification requests and assessments for 7 years from the date of the request for CRAs and for 7 years after ceasing to provide designated services to a customer for reporting entities and to delete it at the end of those periods;
• require a CRA to keep information about verification requests separate from the individual’s credit information file;
• create offences to address unauthorised access to, and disclosure of, verification information.

The use of personal information contained in a credit information file is limited to verification of identification information for customers, or other individuals the reporting entity is required to identify, who are natural persons.

Reporting entities are required to obtain express and informed consent from an individual prior to making a verification request: express consent can be indicated in writing (eg in an account application), online, or on the phone. However, records must be retained to evidence the process followed and the consent given by the individual.

In an online context a customer may be required to ‘check’ a box indicating that the customer has read the information and consents but a failure to opt out (by unchecking a ticked consent box) will not indicate consent.

To ensure that the consent is informed, the consent must be specifically about the disclosure of personal information by the reporting entity to the CRA and the CRA’s use of the personal information contained in credit information files for an assessment. The consent must specify that the reporting entity will only use the assessment for the purpose of verifying the individual’s identity for the purposes of the AML/CTF Act: a general consent to the use of information to verify identity will not be sufficient. If an individual other than the customer is being identified, that person will also have to consent to the process.

The individual must be given information about the reason for making the request for verification, the personal information that may be provided to the CRA, and the fact that the reporting entity is seeking, and the CRA may provide, an assessment of whether the personal information matches (in whole or in part) information on the individual’s credit information file.

To ensure that the consent is genuine, paragraph 35A(2)(c) requires that the individual must be given another option, not reliant upon credit reporting information, for verifying their identity.

The reporting entity must retain a record containing specified information relating to a verification request. Section 35F of the AML/CTF Act requires a reporting entity to retain this information for a period starting from the date of the verification request and ending 7 years after the reporting entity ceased providing a designated service to the individual, and must delete it at the end of that period.

The record must contain the name of the CRA to which the request was made, the personal information provided to the CRA, the assessment received, and any other information specified in the AML/CTF Rules.

An individual has the right to:
• Choose whether to agree to verification using information held on their credit information file (section 35A of the AML/CTF Act).
• Be advised if a verification attempt is unsuccessful (section 35C of the AML/CTF Act), including details of which CRA was involved, and offered an alternative means of verification.
• Access information relating to verification requests from the reporting entity and from the CRA (section 35G of the AML/CTF Act).
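The consent, record-keeping, retention and notification rules summarised above, modelled as an added Python example (this is not code from the post, from AUSTRAC or from any reporting entity); the class and field names, the "match" / "no match" assessment labels and the "cra" / "reporting_entity" holder strings are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 7  # s35F period from the post; all class and field names below are hypothetical

@dataclass
class Consent:
    express: bool                # positively given: ticked box, signature, spoken yes
    informed: bool               # told the reason, the data to be sent and that an assessment is sought
    names_aml_ctf_purpose: bool  # consent is specific to AML/CTF identity verification
    alternative_offered: bool    # non-credit-reporting option offered (para 35A(2)(c))
    captured_via_opt_out: bool = False  # pre-ticked box the person merely failed to untick

def consent_defects(c: Consent) -> list:
    """Reasons the consent cannot support a s35A verification request; [] means it can."""
    defects = []
    if c.captured_via_opt_out or not c.express:
        defects.append("consent must be express; not unticking a pre-ticked box is not consent")
    if not c.informed:
        defects.append("individual not told the reason, the data sent to the CRA and that an assessment is sought")
    if not c.names_aml_ctf_purpose:
        defects.append("general consent to verify identity is insufficient; the AML/CTF purpose must be stated")
    if not c.alternative_offered:
        defects.append("an alternative means of verification was not offered")
    return defects

@dataclass
class VerificationRecord:
    """Record a reporting entity must retain for each request (hypothetical field names)."""
    cra_name: str
    personal_info_sent: dict          # e.g. name, date of birth, residential address
    request_date: date
    assessment: Optional[str] = None  # CRA outcome, e.g. "match" / "partial" / "no match"

def record_defects(r: VerificationRecord) -> list:
    """Required record contents that are missing; [] means the record is complete."""
    checks = [(r.cra_name, "name of the CRA"), (r.assessment, "assessment received from the CRA"),
              (r.personal_info_sent, "personal information provided to the CRA")]
    return [f"{what} not recorded" for value, what in checks if not value]

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February with no leap day in the target year: roll to 1 March
        return date(d.year + years, 3, 1)

def retention_end(holder: str, request_date: date, service_ceased: Optional[date]) -> Optional[date]:
    """Deletion date: CRAs keep 7 years from the request; reporting entities 7 years after the service ceased."""
    if holder == "cra":
        return _add_years(request_date, RETENTION_YEARS)
    if service_ceased is None:
        return None  # designated service still being provided: deadline not yet determinable
    return _add_years(service_ceased, RETENTION_YEARS)

def unsuccessful_notice(r: VerificationRecord) -> Optional[dict]:
    """What the individual must be told under s35C when the match fails; None on success."""
    if r.assessment == "match":
        return None
    return {"cra": r.cra_name, "outcome": r.assessment, "alternative_offered": True}
```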

Posted 31st October 2011 by David Jacobson in Anti-money laundering, Privacy

October 7, 2011

Senate Committee report on credit reporting

The Senate Finance and Public Administration Legislation Committee has published its report on the Exposure Drafts of Australian Privacy Amendment Legislation Part 2 – Credit Reporting.

The report makes 30 recommendations for changes to the draft.

The exposure draft contains new provisions relating to collection, use and disclosure of information for credit reporting purposes.

The new scheme will be underpinned by a new industry-agreed Credit Reporting Code of Conduct which will be subject to approval by the Australian Information Commissioner.

Posted 7th October 2011 by David Jacobson in Financial Services, Privacy

October 3, 2011

Sony PlayStation privacy investigation report

The Australian Privacy Commissioner has published the report of his own motion investigation under the Privacy Act 1988 (Cth) following media reports that an unauthorised person accessed personal information of approximately 77 million customers of the Sony PlayStation Network/Qriocity, including customers in Australia.

He found that Sony Computer Entertainment Australia (SCE Australia) did not breach the Privacy Act when it fell victim to a cyber-attack.

The investigation looked at whether Sony complied with the National Privacy Principles in the Privacy Act. The Privacy Commissioner found no evidence that Sony intentionally disclosed any personal information to a third party. Rather, its Network Platform was hacked into. He also found that Sony took reasonable steps to protect its customers’ personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place.

While the Privacy Commissioner found no breach of the Privacy Act by SCE Australia, he was concerned about the time that elapsed between Sony becoming aware of the incident and notifying customers and the Office of the Australian Information Commissioner.

Posted 3rd October 2011 by David Jacobson in Privacy