January 23, 2014

Credit Reporting Privacy Code registered

The Credit Reporting Privacy Code (CR Code), a mandatory code that binds credit providers and credit reporting bodies, was registered on the OAIC’s Codes Register on 22 January 2014 and will take effect from 12 March 2014.

Among other things, the new Part IIIA of the Privacy Act and the Privacy Regulations 2013 restrict the types of credit information that may be disclosed to Credit Reporting Bodies (CRBs), the circumstances in which that information may be disclosed by a CRB to Credit Providers (CPs) and affected information recipients, and their handling of that disclosed information.

The CR code supplements the new credit reporting laws by further defining the obligations of CRBs, CPs, and affected information recipients. It replaces the Credit Reporting Code of Conduct issued under Section 18A of the Privacy Act 1988 (which will be repealed on 12 March 2014).

The CR code contains both mandatory provisions and a high level summary of the provisions of Part IIIA of the Privacy Act 1988 that provide the context for the CR code obligations.

A breach of a mandatory provision of the CR code is a breach of the Privacy Act and the Information Commissioner can use his enhanced powers under the privacy reforms, including agreeing enforceable undertakings or seeking civil penalties, in relation to any breaches.

The CR code was developed by the Australian Retail Credit Association (ARCA) in consultation with industry and consumer groups.

While the CR code adds to aspects of the credit reporting obligations, the CR code does not encompass all aspects of Part IIIA: compliance with the CR code alone will not achieve full compliance with Part IIIA.

From 12 March 2014, a credit provider must be a member of an EDR scheme recognised under the Privacy Act to be able to participate in the credit reporting system.

Commercial lenders and businesses who are not already in a consumer credit EDR scheme will be required to join an EDR scheme.

Credit providers, as defined in s 6G of the Privacy Act, include a bank, an entity where a substantial part of its business is the provision of credit, a retailer that issues a credit card in connection with the sale of goods or supply of services, a supplier which provides credit in relation to the sale of goods or supply of services where repayment of the credit is deferred for at least 7 days, and a lessor who provides credit in connection with the hiring, leasing or renting of goods where the credit is in force for at least 7 days.

Only credit providers who are licensees under Chapter 3 of the National Consumer Credit Protection Act or prescribed by the Regulations and mortgage insurers will be able to access repayment history information. But all credit providers will be able to access an expanded range of consumer credit information.


Posted 23rd January 2014 by David Jacobson in Compliance, Financial Services, Privacy

December 30, 2013

The regulatory schedule for 2014

2014 begins with some uncertainty: in addition to its legislation repealing the carbon tax and the mining tax, the Government has indicated it will be changing FOFA and conducting a Financial System Inquiry. Its charities changes have also been held up in the Senate.

It will also be "cleaning up" announced but unimplemented tax and superannuation changes. The Superannuation Guarantee charge percentage increase from 9.25% to 9.5% scheduled for 1 July 2014 has been postponed. The rate will remain at 9.25% until 30 June 2016.

But some significant changes will definitely commence in 2014, particularly the privacy changes commencing on 12 March.

1 January 2014

Anti-bullying law: anti-bullying legislation comes into effect on 1 January 2014 and will enable victims of workplace bullying to apply directly to the Fair Work Commission for an order that the bullying stop.

Small businesses will be able to apply for External Dispute Resolution for disputes on loans of up to $2 million.

Risk management: New APRA standards for ADIs requiring a chief risk officer commence.

The Financial Claims Scheme single customer view commences.

The National Regulatory Scheme for Community Housing will also start in January.

The new statutory definition of charities will commence, notwithstanding the Government's proposed changes to the sector.

Other key dates

Personal Property Securities Act transition ends on 31 January 2014: pre-30 January 2012 securities must be registered on the PPS Register to retain priority.

National Gambling Reforms (including daily ATM limits in gambling venues) commence on 1 February 2014.

The Co-operatives National Law commences in NSW and Victoria on 3 March and later in the year in other States and Territories.

The Privacy Amendment Act commences on 12 March 2014 including changes to credit reporting.

Gender equality: from 1 April 2014 businesses with 100 or more employees will be required to lodge reports each year containing information relating to various gender equality indicators.


Posted 30th December 2013 by David Jacobson in Charities, Compliance, Corporations Act, Financial Services, Privacy, Superannuation, Tax, Workplace

December 20, 2013

Privacy Regulations amended: credit reporting provisions

Privacy Regulation 2013 was registered on 17 December 2013. It updates and consolidates the Privacy Regulations with changes made to implement the Privacy Amendment (Enhancing Protection) Act 2012 which commences on 12 March 2014.

The main changes relate to credit reporting as a result of amendments to Part IIIA of the Privacy Act.

Regulation 6 – Consumer credit liability information
This Regulation prescribes the terms or conditions of the consumer credit for the purposes of the definition of consumer credit liability information in paragraph 6(1)(e) of the Act. These are:

(a) how the principal and interest on the consumer credit are to be paid (with the regulation specifying that payments be classified as either principal and interest, principal plus interest with a residual balloon, or interest only);

(b) whether the term of the consumer credit is fixed or revolving;

(c) if the term of the consumer credit is fixed – the length of the term;

(d) whether the individual is a guarantor to another individual in relation to that particular line of credit of the other individual;

(e) whether the consumer credit is secured or unsecured; and

(f) any variation that may be made to items contained in the above paragraphs (a) to (e).

Regulation 10 – Meaning of credit provider
Regulation 10(2) excludes from the definition of credit provider under subsection 6G(6) of the amended Privacy Act any organisation or small business operator acting in the capacity of a current or prospective landlord in relation to the individual with whom the organisation or small business may be transacting. Any landlord which receives rent in arrears is therefore excluded from the definition of a credit provider.

Regulation 11 – Meaning of credit reporting business
This Regulation excludes from the definition of credit reporting business under subsection 6P(4) of the amended Privacy Act those businesses which provide personal information to a credit provider for the purposes of verifying an individual’s identity or validating other information relating to the individual’s financial position (such as real property assets) provided by an individual to a credit provider.

Regulation 12 – Meaning of repayment history information
This regulation specifies the circumstances in which an individual has not met an obligation to make a monthly payment that is due and payable, pursuant to subsection 6V(2) of the amended Privacy Act. The Regulation provides that where an individual misses any or all repayments due in a month, irrespective of the actual payment cycle for that obligation, then the individual is taken to have missed a payment. The intention of this section is to ensure that there is only one report each month per credit account of an individual’s repayment history information.

Regulation 22 – Transitional
The Regulation provides that information requests that are being processed on or before the commencement date of the Privacy Amendment Act may be processed under the existing Part IIIA of the Privacy Act up to, and including, 31 March 2014.


Posted 20th December 2013 by David Jacobson in Compliance, Financial Services, National Credit Code, Privacy

December 17, 2013

Privacy Commissioner’s approach to privacy enforcement

In a recent speech Timothy Pilgrim, the Privacy Commissioner, gave an update on his approach to enforcement and preparation for the new rules on 12 March 2014.

OAIC's Enforcement approach

"I have been telling businesses and government since I became Privacy Commissioner in mid-2010, my focus will always be on resolving the majority of complaints via conciliation. However, I will not shy away from using new and existing powers where it is appropriate to do so. My publication of reports into major breaches is an example of this.

I have been asked whether I will be taking a ‘softly, softly’ approach after implementation of the reforms. Well, I have never been known to be subtle so the answer to that question is probably ‘no’. Now before people get too excited about the bluntness of that response remember that I said I would always start by trying to resolve matters through conciliation. But please do not interpret conciliation to mean softly, softly."

Credit Reporting Code

"We have also been working with the Australian Retail Credit Association (ARCA) on the credit reporting code, which will be an important tool. This has been a big task for our Office and I am pleased to say that it is nearing completion — all the substantive issues have been addressed and we are expecting to receive the final amended version from ARCA before Christmas."

Guidelines

"People have noted the delay in the release of Guidelines, and we have been asked whether this will mean the OAIC will be taking a lenient approach for the period immediately following commencement, as entities will still be designing processes and policies.

My answer to that is ‘no’. Reference to the NPP Guidelines would tell you that the guidelines on privacy principles are not intended to be a step by step guide to developing process and procedures, and this continues to apply to the APP guidelines."

Preparation for 12 March

"If your policies and procedures are robust and up-to-date then you will be well on your way to best privacy practice. To this end, I recommend you:

  • Get working on your APP privacy policy: Establishing a comprehensive and practical privacy policy that is ready to go in March will get you started with a ‘privacy by design’ approach to your business.
  • Review information security: The Guide to information security that we released in Privacy Awareness Week this year gives some practical advice about how to ensure your systems comply with information security requirements.
  • Review your data breach plan: Do you have a response plan ready for if you have a data breach? The OAIC’s Data breach notification guide will provide you with processes to follow if your business does find itself in this situation. Remember, although mandatory data breach laws did not pass this year, being transparent about data breaches, and acting quickly to mitigate the damage is the best way to protect your business reputation.
  • Conduct a privacy impact assessment for new projects: Conducting a PIA for any new processes will help you to identify any potential problems before they impact on your business. The Privacy impact assessment guide is available on our website to assist you conduct a PIA."


Posted 17th December 2013 by David Jacobson in Privacy

Do Not Call Register review

The Government has issued a discussion paper reviewing the optimal period of registration on the Do Not Call Register to opt out of receiving most unsolicited telemarketing calls and marketing faxes.

When the Register was first established, registrations were valid for three years from registration. Since 2007, the registration period has been extended on three occasions, and is now set at eight years.

Public comment is sought on four options:

1. Reduce the period of registration to three years
2. Retain the current eight year registration period
3. Extend the registration period to indefinite
4. Remove the need to register


Posted 17th December 2013 by David Jacobson in Do Not Call Register, Marketing, Privacy

November 29, 2013

Privacy: telling your customers about your arrangements with overseas contractors

Australian Privacy Principle 8 deals with the cross-border disclosure of personal information.

For example, if an Australian business outsources business processes to an overseas contractor (such as a cloud service provider) and this involves disclosure of its customers' data, the Australian business must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information.

Depending on the purpose for which the information is used, other APPs may also apply.

The draft APP 8 guidelines discuss the effect of foreign laws:

"where an overseas recipient of personal information does an act or practice that is required by an applicable foreign law, this will not breach the APPs. The APP entity will also not be responsible for the act or practice under the accountability provision...For example, the Patriot Act (USA) may require the overseas recipient to disclose personal information to the Government of the United States of America. In these circumstances, the APP entity would not be responsible under the accountability provision for the disclosure required by that Act.... An APP entity should consider notifying an individual, if applicable, that the overseas recipient may be required to disclose their personal information under a foreign law. The entity could also explain that the disclosure will not breach the APPs. This information could be included in the APP entity’s APP 5 notice."

With respect to the US Patriot Act Microsoft’s standard explanation is as follows:

“We will not disclose Customer Data to law enforcement unless required by law. Should enforcement contact us with a demand for Customer Data, we will attempt to redirect the law enforcement agency to request it directly from you. As part of this effort we may provide your basic contact information to the agency. If compelled to disclose Customer Data to law enforcement, we will use commercially reasonable efforts to notify you in advance of a disclosure unless legally prohibited.”

If your customers' information is made available to overseas companies, for example to process purchases or provide technical and billing support, you need to understand where that information will be held, who else will be able to access the information and for what purposes, and what type of security measures will be used for the storage and management of the personal information so that you can tell your customers.


Posted 29th November 2013 by David Jacobson in Privacy, Web/Tech

November 20, 2013

Final stage of draft Australian Privacy Principles Guidelines released

The Office of the Australian Information Commissioner has commenced consultation on the third and final stage of its draft APP guidelines.

It has released draft chapters of the Australian Privacy Principles (APP) Guidelines on APPs 12 and 13 (Chapters 12 and 13):

  • Chapter 12 — APP 12 access to personal information
  • Chapter 13 — APP 13 correction of personal information

The Privacy Act amendments commence on 12 March 2014.

Langes is advising clients on their privacy policies and on the impact on direct marketing, credit reporting and storage of data.


Posted 20th November 2013 by David Jacobson in Compliance, Privacy

October 21, 2013

Failure to protect customer data: AAPT breaches Privacy Act

The Australian Privacy Commissioner, Timothy Pilgrim, has found AAPT Limited breached the Privacy Act by failing to adequately protect customer data from unauthorised access. The Commissioner also found that AAPT had failed to comply with its obligation to destroy or permanently de-identify information no longer in use (see the Investigation Report).

In July 2012, AAPT customer data held on servers hosted by IT contractor Melbourne IT was hacked and published online.

The compromised server held a series of websites and databases that included personal information about AAPT business customers used to verify the identity of customers and provide a quoting and billing system for AAPT sales staff. The personal information included information collected for the purpose of obtaining credit reports of AAPT business customers and information used for the purpose of transferring telephone numbers from other telecommunications carriers.

AAPT took the server offline immediately and worked closely with Melbourne IT to investigate and rectify the incident. A configuration change to the server by Melbourne IT closed the vulnerability exploited by the hacker.

The Commissioner made a number of recommendations to AAPT including implementing regular training for staff in relation to data retention and destruction, ensuring all IT applications are subject to vulnerability assessment and testing, as well as ensuring effective lifecycle management, and conducting regular audits of AAPT’s IT security framework. AAPT has implemented these recommendations.

Separately, the Australian Communications and Media Authority found that AAPT contravened clause 6.8.1 of the Telecommunications Consumer Protections Code by failing to protect the privacy of small business customers whose personal information was stored in a server which was the subject of unauthorised access.

Because of the terms of its contract with AAPT, no findings were made against Melbourne IT.


Posted 21st October 2013 by David Jacobson in Privacy, Web/Tech

October 10, 2013

New conditions for obtaining credit reports

From 12 March 2014, under Part IIIA of the Privacy Act, a credit provider must be a member of an EDR scheme recognised under the Privacy Act to be able to participate in the credit reporting system.

Commercial lenders and businesses who are not already in a consumer credit EDR scheme will be required to join an EDR scheme.

Credit providers, as defined in s 6G of the Privacy Act, include a bank, an entity where a substantial part of its business is the provision of credit, a retailer that issues a credit card in connection with the sale of goods or supply of services, a supplier which provides credit in relation to the sale of goods or supply of services where repayment of the credit is deferred for at least 7 days, and a lessor who provides credit in connection with the hiring, leasing or renting of goods where the credit is in force for at least 7 days.

The Information Commissioner has published the conditions that must be met by EDR schemes to be recognised under the Privacy Act, its approach to existing EDR schemes and when it will allow the EDR scheme to deal with a privacy-related credit complaint rather than the OAIC.

Only credit providers who are licensees under Chapter 3 of the National Consumer Credit Protection Act or prescribed by the Regulations, and mortgage insurers, will be able to access repayment history information.


Posted 10th October 2013 by David Jacobson in Privacy

October 2, 2013

Privacy and data bases: back to basics

We were at a meeting recently when some surprise was expressed that there were privacy issues associated with the purchase of another business's data base of customers.

Every business has a data base whether it is individual computer files, a software program or even filing cabinets full of folders.

And every data base which contains personal information about customers is potentially regulated by the Privacy Act, regardless of whether you got the information from the customer or another source.

The Privacy Act sets out how information you collect from customers can be used, stored and provided to others.

There are special rules if the information is "sensitive" (eg health information).

The Privacy Principles (which will change from 12 March 2014) set out how you can use your data base for direct marketing (whether by you or someone else).

And if any of your customers' information is stored or processed overseas ("big data" in "the cloud") then you are accountable for ensuring that the data is handled overseas in accordance with the provisions of the Privacy Act. Normally this would involve you entering into a contractual relationship with an overseas recipient.

If you use a third party service and you don't know where they store or process your information you must find out and tell your customers in a privacy notice.

Your customers are entitled to know what information you have about them.

If your business processes have changed in the last 5-10 years then it is time to think about the privacy implications.


Posted 2nd October 2013 by David Jacobson in Business Planning, Privacy, Web/Tech