June 17, 2013

Privacy Regulations

Regulations to support the amendments to the Privacy Act from 12 March 2014 are currently being developed by the Attorney-General's Department.

The department has developed a position paper which sets out the detail of those regulations so that entities can implement and prepare for the reforms as soon as possible.

The proposals include:

  • the meaning of "consumer credit liability information" will be prescribed by regulation, which will specify amortisation type, term type, term of loan and whether there is a guarantor;
  • the meaning of "credit provider" will exclude an organisation or small business operator acting in the capacity of a current or prospective landlord in relation to the individual;
  • the only transitional issue to be regulated will be information requests being processed on or before the commencement date, which will be permitted to be processed under the current credit reporting system until 31 March 2014.

Posted 17th June 2013 by David Jacobson in Privacy

June 11, 2013

Privacy Data Breach Bill update

The Privacy Amendment (Privacy Alerts) Bill 2013 has been passed by the House of Representatives and will now be considered by the Senate.

To comply with your Privacy Act obligation to keep customers' personal information secure, and to avoid having to notify customers that your systems have been hacked, you should consider the Commonwealth Department of Defence (Defence Signals Directorate) Strategies to Mitigate Targeted Cyber Intrusions.

It ranks 35 mitigation strategies in order of overall effectiveness and rates each for user resistance and cost. Its Top 4 strategies are the place to start.

The Top 4 mitigations are: application whitelisting; patching applications; patching operating system vulnerabilities (and using the latest versions); and minimising administrative privileges.

"While no single strategy can prevent malicious activity, the effectiveness of implementing the Top 4 strategies remains very high. At least 85% of the intrusions that DSD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package. ...

The combination of all four strategies, correctly implemented, will help protect an organisation from low to moderately sophisticated intrusion attempts. Put simply, they will make it significantly more difficult for an adversary to get malicious code to run on your ICT system, or continue to run undetected. This is because the Top 4 strategies enable multiple lines of defence against cyber intrusions."

Posted 11th June 2013 by David Jacobson in Compliance, Privacy, Web/Tech

May 30, 2013

Mandatory data breach notification provisions introduced

The Government has introduced the Privacy Amendment (Privacy Alerts) Bill 2013 into the House of Representatives.

If passed the Bill will introduce mandatory data breach notification provisions for agencies and organisations that are regulated by the Privacy Act.

The Bill will commence immediately after the amendments to the Privacy Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence on 12 March 2014.

Affected individuals would have to be notified when a data breach relating to their personal information caused "a real risk of serious harm". Notification would be compulsory unless it would prejudice a law enforcement investigation or the regulator determined that it was contrary to the public interest.

There are specific provisions relating to serious data breaches by credit providers and credit reporting bodies of credit eligibility information and credit reporting information. There is also a requirement relating to tax file number information.

A data breach arises where there has been unauthorised access to, or disclosure of, personal information, or where personal information is lost in circumstances that could give rise to unauthorised loss or disclosure.

Data breaches can be the result of hacking, poor security and sometimes carelessness.

Serious harm, in this context, includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm. The risk of harm must be real, that is, not remote, for it to give rise to a serious data breach.

It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of notification fatigue on the part of individuals, and the lack of utility where notification does not facilitate mitigation.

In the event of a serious data breach, the regulated entity is required to provide notification to the Commissioner and affected individuals as soon as practicable after the entity believes on reasonable grounds that there has been a serious data breach.

The notice must include:

  • the identity and contact details of the entity
  • a description of the serious data breach
  • the kinds of information concerned
  • recommendations about the steps that individuals should take in response to the serious data breach, and
  • any other information specified in the regulations.

The Privacy Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements.

Posted 30th May 2013 by David Jacobson in Compliance, Financial Services, Privacy, Web/Tech

May 13, 2013

Privacy law reforms: what you need to do

As the 12 March 2014 commencement date for the Privacy Act amendments approaches it is important for every business (unless they are a "small business") to put a privacy review project in place.

What do you need to do?

  • Review your policies, notices and consents
  • Adopt a timetable which allows for printing and IT changes

You will need to change your privacy policy to:

  • include details of how a person can seek access to their personal information and correction of the information;
  • explain how a person can complain about a breach of the APPs and how you will deal with privacy complaints;
  • specify if you are likely to disclose personal information to recipients overseas and, if so, the countries in which such recipients are likely to be located; and
  • remove references to "NPPs".

You will need to provide more information to individuals when you collect their personal information:

  • if you are likely to disclose their personal information to recipients overseas and, if so, the countries in which such recipients are likely to be located;
  • that your privacy policy includes details of how to seek access to their personal information and correction of the information; and
  • that your privacy policy includes details of how to complain about a breach of the APPs and how you will deal with privacy complaints.

You will also need to implement a privacy compliance program that:

  • ensures your organisation complies with the APPs;
  • enables your organisation to deal with inquiries or complaints about compliance with the APPs; and
  • establishes procedures to identify and manage privacy risks and compliance issues.

Change your direct marketing practices for materials sent in hard copy and via social media so that individuals have a mechanism for "opting out" of further direct marketing:

  • include a statement that a request to “opt out” can be made;
  • obtain an individual’s consent before using their sensitive information for direct marketing; and
  • maintain details of the source of the personal information you use for direct marketing.

Review your current arrangements for offshore data storage or processing:

  • Draft new standard offshore outsourcing terms
  • Review storage and security
  • Train your staff

Credit: review your commercial and consumer credit applications and credit check and default reporting procedures.

The OAIC has not yet authorised a Credit Reporting Code of Conduct.

The OAIC has published an APP Checklist.

Posted 13th May 2013 by David Jacobson in Privacy, Risk Management

Data risk and privacy

The OAIC's comments on APRA's draft Prudential Practice Guide (PPG 235) Managing Data Risk are a useful guide to analysing an organisation's data security procedures from a privacy perspective:

  • does the procedure concern the collection, disclosure, use and storage of "personal information" (as defined in the Privacy Act)?
  • does "confidentiality" include "privacy"?
  • are the obligations regarding the handling of personal information set out in the Privacy Act (including the Privacy Principles) considered?

NPP 1 (which will be replaced by APP 3, which deals with the collection of solicited personal information) requires that:

  • personal information may only be collected where necessary for a function or activity of the organisation
  • collection must not be by unfair or unlawful means, and
  • reasonable steps must be taken to provide the individual to whom the information relates with notice of specified matters, including the identity of the organisation collecting the information, the purpose of the collection, and the contact details of the organisation.

NPP 2 (which will be replaced by APP 6) provides that personal information may only be used or disclosed for the purpose for which it was collected (the ‘primary purpose’), unless a specified exception applies. This requires an organisation to have a clearly defined purpose for the initial collection of personal information, which is also consistent with the requirements of NPP 1.

NPP 4 (which will be replaced by APP 11) relates to data security and requires organisations to take ‘reasonable steps’ to protect the personal information that they hold from misuse or loss and from unauthorised access, use, modification or disclosure.

The OAIC is currently developing guidance on the reasonable steps with respect to information security that organisations are required to take under the Privacy Act.

The OAIC has also published a voluntary Data Breach Notification Guide which outlines steps that organisations should consider in preparing for and responding to information security breaches, including notifying affected individuals. The Government is considering mandatory data breach notification provisions.

NPP 9, which relates to trans-border data flows, currently provides that organisations cannot avoid their Privacy Act obligations by sending personal information offshore.

NPP 9 generally prohibits an organisation from disclosing personal information to someone in a foreign country who is not subject to a comparable information privacy scheme, unless the individual has consented.

NPP 9 will be replaced by APP 8 which deals with cross-border disclosures of personal information: this principle will not prohibit cross-border disclosures of personal information but organisations will be accountable for any disclosure of personal information outside Australia, unless one of a number of exceptions applies. Before any actual cross border disclosure of personal information occurs, an organisation must have put into place appropriate arrangements in relation to the information.

The Tax File Number Guidelines 2011 (TFN Guidelines) issued under the Privacy Act regulate the collection, storage, use, disclosure, security and disposal of individuals’ TFN information.

Guideline 6 of the TFN Guidelines states that TFN recipients must take ‘reasonable steps’ to safeguard TFN information. This includes protecting TFN information from misuse and loss, and from unauthorised access, use, modification or disclosure, and ensuring that access to records containing TFN information is restricted to individuals who need to handle that information for legal purposes.

Part IIIA of the Privacy Act governs the handling of credit information files, credit reports and other credit worthiness information about individuals by credit reporting agencies (CRAs) and credit providers. CRAs and credit providers must also ensure that credit information files and credit reports are subject to such security safeguards as are "reasonable in the circumstances".

The OAIC suggests that the Draft APRA Practice Guide also refer to de-identification as a tool for managing data risks.

Posted 13th May 2013 by David Jacobson in Financial Services, Privacy, Risk Management, Web/Tech

May 2, 2013

OAIC’s Guide to Information Security

The Office of the Australian Information Commissioner (OAIC) has published a final version of its Guide to Information Security: ‘Reasonable steps’ to protect personal information.

The Australian Privacy Commissioner, Timothy Pilgrim, said that 100% of the high profile investigations he completed in 2011–12 involved data security issues.

Information security obligations for businesses are contained in the National Privacy Principles, the credit reporting provisions in the Privacy Act and the Tax File Number Guidelines.

The guide provides guidance on information security, specifically the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold.

It provides examples of steps and strategies which may be reasonable for an entity to take.

This could include taking steps and implementing strategies to manage the following:

  • governance
  • ICT security
  • data breaches
  • physical security
  • personnel security and training
  • workplace policies
  • the information life cycle
  • standards
  • regular monitoring and review.

The guide recommends businesses build privacy and information security measures into their processes, systems, products and initiatives at the design stage.

In the amendments that commence on 12 March 2014, the security of personal information is dealt with in APP 11. The obligations in APP 11 are similar to those in NPP/IPP 4. However, APP 11 will require an entity to take reasonable steps to protect personal information from ‘interference’ (eg hacking), as well as from misuse, loss, unauthorised access, modification or disclosure.

Langes can assist you to review your privacy policy to address information security issues.

Posted 2nd May 2013 by David Jacobson in Consumer Law, National Credit Code, Privacy, Tax

April 17, 2013

Australian Privacy Principles comparison

From 12 March 2014 the Australian Privacy Principles will replace the National Privacy Principles (for the private sector) and the Information Privacy Principles (for the public sector).

The OAIC has released 2 comparison guides: one comparing the Australian Privacy Principles and Information Privacy Principles and another comparing the Australian Privacy Principles and the National Privacy Principles .

Each of the guides summarises the key differences between the two sets of principles and contains an analysis of the differences between the APPs and the existing principles.

The Australian Privacy Principles are in Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

You can watch our videos on the privacy reforms at Langes CPD online.

Posted 17th April 2013 by David Jacobson in Privacy

April 16, 2013

De-identification of personal information held by businesses

The Office of the Australian Information Commissioner (OAIC) is seeking comment on Privacy Business Resource 2 — De-identification of data and information which will provide guidance to businesses and researchers about why, when and how to de-identify personal data and information held by a business.

Organisations are required under National Privacy Principle (NPP) 4 to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. From 12 March 2014 the NPPs will be replaced by the Australian Privacy Principles (APPs), which include new de-identification obligations in APPs 4 and 11. New de-identification obligations for credit reporting bodies will also apply from this date.

As a general rule an information asset that does not need to include personal identifiers should be de-identified.

De-identifying information in an information asset may enable the business or researcher to share or publish it without compromising individual privacy.

Before releasing information or data, organisations and researchers should confirm whether de-identification has been successful by using two suggested tests:

  • Apply the "motivated intruder" test: this test considers whether a reasonably competent, motivated person with no specialist skills would be able to identify the data or information (the specific motivation of the intruder is not relevant). It assumes that the motivated intruder would have access to resources such as the internet and all public documents, and would make reasonable enquiries to gain more information.
  • Look at re-identification "in the round": that is, assess whether any agency, organisation or member of the public could identify any individual from the data or information being released, either in itself or in combination with other available information or data.
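
As an added example, not from the OAIC resource or from this post, the Python below runs both tests over a constructed six-row customer table. It strips the direct identifiers (name, email), generalises the indirect ones (postcode to its first two digits, date of birth to a ten-year age band) and then uses k-anonymity, the size of the smallest group of rows that share the same indirect identifiers, as a quantitative stand-in for the "in the round" assessment, and a lookup of what an intruder already knows about one customer as a stand-in for the motivated intruder test. The records, the column names, the reference year 2013 and the use of k-anonymity as a proxy are all assumptions; the OAIC tests are qualitative and this is one way to put numbers behind them.

```python
# Added example: de-identification of a constructed customer table, checked
# with k-anonymity and a motivated-intruder lookup as stand-ins for the two
# OAIC tests. Records, column names and the reference year are assumptions.
from collections import Counter

# Constructed sample records (not real people), as held before release.
RECORDS = [
    {"name": "Ann Citizen",  "email": "ann@example.com",  "postcode": "2000", "dob": "1984-03-12", "sex": "F", "balance": 1200},
    {"name": "Bob Nguyen",   "email": "bob@example.com",  "postcode": "2010", "dob": "1981-07-02", "sex": "M", "balance": 350},
    {"name": "Cara Smith",   "email": "cara@example.com", "postcode": "2020", "dob": "1988-11-23", "sex": "F", "balance": 980},
    {"name": "Dan Kowalski", "email": "dan@example.com",  "postcode": "2031", "dob": "1979-01-30", "sex": "M", "balance": 4100},
    {"name": "Eve Park",     "email": "eve@example.com",  "postcode": "3000", "dob": "1986-05-05", "sex": "F", "balance": 75},
    {"name": "Fay Russo",    "email": "fay@example.com",  "postcode": "3053", "dob": "1985-09-17", "sex": "F", "balance": 2200},
]

RAW_QUASI = ("postcode", "dob", "sex")              # indirect identifiers in the raw table
GENERALISED_QUASI = ("postcode_prefix", "age_band", "sex")
REFERENCE_YEAR = 2013                               # assumed year of release


def age_band(dob: str, year: int = REFERENCE_YEAR) -> str:
    """Ten-year age band from a YYYY-MM-DD date of birth (year granularity only)."""
    age = year - int(dob[:4])
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalise(record: dict) -> dict:
    """Drop the direct identifiers (name, email), coarsen the indirect ones,
    keep the non-identifying payload."""
    return {
        "postcode_prefix": record["postcode"][:2],
        "age_band": age_band(record["dob"]),
        "sex": record["sex"],
        "balance": record.get("balance"),
    }


def k_anonymity(rows: list, quasi: tuple) -> int:
    """Size of the smallest group of rows sharing the same quasi-identifier values.
    k == 1 means some row is unique on those columns and can be singled out."""
    counts = Counter(tuple(r[c] for c in quasi) for r in rows)
    return min(counts.values())


def motivated_intruder_matches(rows: list, quasi: tuple, known: dict) -> int:
    """Number of released rows matching what an intruder already knows about a
    target; exactly one match means the target has been re-identified."""
    key = tuple(known[c] for c in quasi)
    return sum(1 for r in rows if tuple(r[c] for c in quasi) == key)


def deidentify(records: list = RECORDS) -> tuple:
    """Return (released rows, k before generalisation, k after)."""
    released = [generalise(r) for r in records]
    return released, k_anonymity(records, RAW_QUASI), k_anonymity(released, GENERALISED_QUASI)


if __name__ == "__main__":
    released, raw_k, gen_k = deidentify()
    print(f"k before generalisation: {raw_k}, after: {gen_k}")
    # Assumed public knowledge about one customer, e.g. from a social media profile.
    known = {"postcode": "2000", "dob": "1984-03-12", "sex": "F"}
    print("raw table singles out the target:",
          motivated_intruder_matches(RECORDS, RAW_QUASI, known) == 1)
    print("released table singles out the target:",
          motivated_intruder_matches(released, GENERALISED_QUASI, generalise(known)) == 1)
```

On the raw table every row is unique on postcode, date of birth and sex (k = 1), so an intruder who knows those three facts about one customer finds exactly one row; after generalisation each combination appears twice (k = 2) and the same knowledge matches two rows. A k of 2 on six rows is only a demonstration; for a real release the "other available information" limb of the second test means the postcode and age granularity has to be chosen against what is actually public about the population.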

Posted 16th April 2013 by David Jacobson in Privacy, Risk Management

April 8, 2013

Credit reporting code consultation

The Australasian Retail Credit Association (ARCA) has released for public consultation a draft of the new Credit Reporting Code of Conduct (CR Code).

If approved by the OAIC, the new CR Code will supplement the privacy protection regime set out in Part IIIA of the Privacy Act as amended in December 2012, and will replace the existing Credit Reporting Code of Conduct, that has operated since 1996. It will set out how the Privacy Act Part IIIA provisions are to be applied or complied with.

The CR Code has been designed to:

  • address expectations in Part IIIA or the Explanatory Memorandum;
  • replicate those obligations of the current Credit Reporting Code of Conduct that continue to be relevant, given that the current Code will be replaced by the new CR Code;
  • make credit reporting work from a practical perspective;
  • provide some assistance to consumers to understand and interact with the new systems; and
  • address industry uncertainty as to how to interpret aspects of Part IIIA in the interests of consistency of approach within industry.

The CR Code does not encompass all aspects of Part IIIA and so compliance with the CR Code alone will not achieve full compliance with Part IIIA.

The CR Code is being released publicly so that submissions can be received from the public and stakeholder views taken into account as required by Section 26Q of the amended Privacy Act.

The public consultation process closes at 5.00pm on 5 May 2013.

It is expected the finalised draft Code will be lodged with OAIC by 1 July 2013.

Posted 8th April 2013 by David Jacobson in Financial Services, National Credit Code, Privacy

Privacy issues for mobile app developers

The Office of the Australian Information Commissioner (OAIC) is seeking comment on a consultation draft of Mobile privacy: A better practice guide for mobile app developers.

The OAIC has developed this guide to help mobile device application (app) developers embed better privacy practices in their products and services.

The Commissioner comments that:

It is clear that the mobile environment, along with the new app economy it has generated, presents risks as well as potential. If you are a mobile app developer, whether you work on your own, or for a business or government agency, you should adopt a ‘privacy by design’ approach, where privacy-enhancing practices are applied throughout the life cycle of the personal information – that is, its collection, use (including data matching and analytics), disclosure, storage and destruction.

Given the growing popularity of apps, app developers can expect increased scrutiny of the privacy practices in the app industry in the years ahead – by both regulators and the market itself, driven by increasingly informed, discerning and influential consumers.

The draft guide contains a privacy checklist for app developers.

Posted 8th April 2013 by David Jacobson in Privacy, Web/Tech