Archived Posts Lists

Australian Regulatory Compliance Review
Australian Technology and IP Business
Credit Union and Mutual Law
National Consumer Credit Reform
Personal Property Securities Australia
Longview Business Insights
Australian Private Health Insurers
Wills, Trusts, Super
Mutuals Resource Centre


Commonwealth legislation
Corporate Governance
Not-for-Profit links
Regulator Links

October 2, 2013

Mobile privacy

The Office of the Australian Information Commissioner (OAIC) has released Mobile privacy: A better practice guide for mobile app developers.

The OAIC has developed this guide to help mobile device application (app) developers embed better privacy practices in their products and services, and help developers that are operating in the Australian market to comply with Australian privacy law and best practice.

Many of the practices outlined in the guide may also assist advertising networks, advertisers, mobile platform providers, app developer trade associations and developers of other (non-mobile) applications.

The OAIC's recommendations include:

  • you should adopt a ‘privacy by design’ (PBD) approach. PBD aims at building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles
  • app developers should select the right strategy to convey privacy rules in a way that is meaningful on the small screen, including ‘short form notices’, with important points up front and links to more detailed explanations, and a privacy dashboard that displays a user’s privacy settings and provides a convenient means of changing them
  • putting in place appropriate safeguards to protect the personal information you are handling.

Related article:OAIC's review of websites and mobile apps

Print This Post Print This Post

Posted 2nd October 2013 by David Jacobson in Privacy, Web/Tech

September 23, 2013

Draft APP Privacy Guidelines: second stage released

From 12 March 2014, the Australian Privacy Principles (APPs) will replace the National Privacy Principles and Information Privacy Principles.

The Office of the Australian Information Commissioner (OAIC) has released draft Australian Privacy Principles (APP) Guidelines for consultation. The Guidelines outline how the OAIC will interpret and apply the APPs.

Consultation on the draft Australian Privacy Principles (APP) Guidelines 6 to 11 (Parts 3 and 4) is now open. This forms the second stage of APP Guidelines to be released for consultation.

Consultation on Chapters A to D and 1 to 5 has closed.

The Guidelines for Chapters 6 to 11 cover:

  • APP 6 use or disclosure of personal information
  • APP 7 direct marketing
  • APP 8 cross-border disclosure of personal information
  • APP 9 adoption, use or disclosure of government related identifiers
  • APP 10 quality of personal information
  • APP 11 security of personal information

The third stage of draft guidelines (APPs 12 & 13) will be released in October.

Langes can advise you on the impact of the APPs on your business.

Print This Post Print This Post

Posted 23rd September 2013 by David Jacobson in Marketing, Privacy

September 18, 2013

New Financial Services Ministers

Mr Abbott has named his new Ministry and and Parliamentary Secretaries and they are expected to be sworn in by the Governor-General today.

UPDATE: printable Ministry list and new Departmental structure.
Amendments to Ministry list

Whilst there is no specific Financial Services Minister, decisions in respect of financial services are expected to be made by the Treasurer Joe Hockey, the Assistant Treasurer Arthur Sinadinos and the Parliamentary Secretary to the Treasurer Steven Ciobo.

The Attorney-General George Brandis will be responsible for privacy-related issues.

Print This Post Print This Post

Posted 18th September 2013 by David Jacobson in Financial Services, Privacy

September 6, 2013

APRA releases final guidance on managing data risk

The Australian Prudential Regulation Authority (APRA) has released Prudential Practice Guide CPG 235 Managing Data Risk (CPG 235) for ADIs, insurers and superannuation funds.

Subject to meeting APRA’s prudential requirements, a regulated entity has the flexibility to manage data risk in a manner that is best suited to achieving its business objectives.

The PPG targets areas where APRA continues to identify weaknesses as part of its ongoing supervisory activities.

Examples of data risk include:
(a) fraud due to theft of data;
(b) business disruption due to data corruption or unavailability;
(c) execution delivery failure due to inaccurate data; and
(d) breach of legal or compliance obligations resulting from disclosure of confidential data.

APRA envisages that data risk management principles could include:
(a) access to data is only granted where required to conduct business processes;
(b) data validation, correction and cleansing occur as close to the point of capture as possible;
(c) automation (where viable) is used as an alternative to manual processes;
(d) timely detection and reporting of data issues to minimise the time in which an issue can impact on the entity;
(e) assessment of data quality to ensure it is acceptable for the intended purpose; and
(f) design of the control environment is based on the assumption that staff do not know what the data risk management policies and procedures are.

In addition, a number of specific security management principles are also relevant.

Print This Post Print This Post

Posted 6th September 2013 by David Jacobson in Compliance, Financial Services, Privacy, Risk Management

September 2, 2013

How to make sure your direct mail is legal

We all get promotional mail in our letterbox and email inbox from businesses we have not previously dealt with.

From 12 March 2014 new rules will apply to direct marketing whether hard copy or electronic.

In all cases it must include a statement that a request to "opt out" can be made. A business will only be able to send direct marketing material if the recipient has not previously opted out.

If a business receives a person's contact details from a third party it must maintain details of the source of the personal information it uses for direct marketing. People will be able to ask an organisation to tell them where they got their personal information from. The organisation must comply with these requests within a reasonable period and free of charge.

New Australian Privacy Principle 7 does not change the operation of the Do Not Call Register Act 2006 and the Spam Act 2003.

Print This Post Print This Post

Posted 2nd September 2013 by David Jacobson in Marketing, Privacy

August 27, 2013

Draft APP Privacy Guidelines released

The Office of the Australian Information Commissioner (OAIC) has released 5 draft Australian Privacy Principles (APP) Guidelines for consultation.

The Guidelines outline how the OAIC will interpret and apply the APPs that will commence on 12 March 2014.

The following draft APP Guidelines have been released for public consultation:

APP 1 — Open and transparent management of personal information
APP 2 — Anonymity and pseudonymity
APP 3 — Collection of solicited personal information
APP 4 — Dealing with unsolicited personal information
APP 5 — Notification of the collection of personal information

Draft Guidelines have also been released on Introductory matters, Key concepts, Permitted general situations and Permitted health situations.

Print This Post Print This Post

Posted 27th August 2013 by David Jacobson in Privacy

August 16, 2013

Website and app privacy policies

The Office of the Australian Information Commissioner (OAIC) has released the results of a ‘privacy sweep’ of 47 websites and mobile apps most used by Australians.

Website privacy policies were assessed for accessibility, readability and content. The websites were also assessed against new transparency requirements in the Privacy Act that will come into effect on 12 March 2014.

Some key trends observed by the OAIC included:

  • 15% had a privacy policy that was hard to find on the website
  • 9% of sites reviewed either listed no privacy contact or it was difficult to find contact information for a privacy officer
  • Almost 50% of policies raised 'readability' issues, ie they were considered to be too long and difficult to read. The average reading age of the policies was 16. None of the full privacy policies met the OAIC's preferred reading age level of 14.
  • More than 65% of privacy policies raised concerns with respect to the relevance of the information provided.

To comply with new Australian Privacy Principle 1 from 12 March 2014, organisations must have a clearly expressed and up to date privacy policy.

Langes can conduct a compliance review of your website.

Print This Post Print This Post

Posted 16th August 2013 by David Jacobson in Marketing, Privacy, Web/Tech

August 5, 2013

EDR for privacy complaints

The Privacy Act amendments commencing on 12 March 2014 include giving the Australian Information Commissioner the discretion to recognise External Dispute Resolution schemes to handle privacy-related complaints.

The OAIC is currently consulting on EDR schemes it will recognise.

UPDATE: EDR Guidelines finalised

The Privacy Act gives the Information Commissioner the discretion to decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made, or which the Information Commissioner has accepted, if the Information Commissioner is satisfied that the act or practice:

  • is being dealt with by a recognised EDR scheme, or
  • would be more effectively or appropriately dealt with by a recognised EDR scheme.

Additionally, a credit provider must be a member of a recognised EDR scheme to be able to participate in the credit reporting system.

Print This Post Print This Post

Posted 5th August 2013 by David Jacobson in Compliance, Privacy

Election called: bills lapse

The 2013 federal election will be held on 7 September.

As this Parliament will not sit again the Bills currently before Parliament will lapse.

These include the Corporations Amendment (Simple Corporate Bonds and Other Measures) Bill 2013, the Insurance Contracts Amendment (Unfair Terms) Bill 2013 and the Privacy Amendment (Privacy Alerts) Bill 2013.

The Local Government Referendum will also not proceed.

Print This Post Print This Post

Posted 5th August 2013 by David Jacobson in Business Planning, Insurance, Privacy

July 29, 2013

Protecting email communication

In the Privacy Act amendments that commence on 12 March 2014, Australian Privacy Principle 11 will require an entity to take reasonable steps to protect personal information from ‘interference’ (eg hacking), as well as from misuse, loss, unauthorised access, modification or disclosure.

As email communication becomes more commonplace and convenient than postal communication for businesses and their customers the question arises as to what are reasonable safeguards for the protection of personal information (whether financial, health or otherwise) contained in emails.

Many statutory notices and account statements can now be sent electronically but there is no prescription as to how this can be done securely.

If the email is sending an attachment then whether the attached document is in Word or the like or is in PDF, the attachment can be password protected with a password given separately to the receiver.

Alternately the email can send a password-protected link to a secure web portal with download access to the relevant information or document.

But what about the email itself?

The Office of the Australian Information Commissioner (OAIC)'s Guide to Information Security: ‘Reasonable steps’ to protect personal information refers to encryption.

While most businesses use a securely encrypted webpage for individuals who carry out transactions with the business’s website, such as making payments which also involve individuals providing their banking information, there is less consideration of whether they should encrypt email communications.

In case your systems are accessed, are your saved email folders encrypted?

Most email systems (including Outlook) offer encryption options.

Do you know how secure your emails are?

More about encryption from How Stuff Works: Encryption.

Print This Post Print This Post

Posted 29th July 2013 by David Jacobson in Business Planning, Compliance, Financial Services, Privacy, Web/Tech
« Newer PostsOlder Posts »