Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


2014 Privacy CLE

No description

Lucy White

on 28 April 2016

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of 2014 Privacy CLE

Stay on the right track with Privacy Law
What I will be covering
Changes to the Privacy Act
"The most significant developments in privacy reform" since the introduction of the Privacy Act 1988

Key changes

Privacy policies and business practices

Dealing with people, and Personal Information;

Direct Marketing

Quality, security, access and corrections

Cross-border data flows

Enforcement powers
Handling personal information – What are the rules, and who has to comply?
Direct Marketing (APP 7)
An organisation cannot
disclose personal information
about an
for the purpose of
direct marketing

1. information is collected:
a.directly from the individual; or
b. by a third party and the individual would reasonably expect to receive direct marketing
and the individual consents, or would be reasonably likely to consent.

2. a means of opting out must be provided, and complied with.

Greater powers & penalties for Privacy Commissioner
Investigations by Privacy Commissioner

You can be compelled to give evidence

Fines of up to $340,000 (indiv) or $1.7M (Corps)

Potential imprisonment
Privacy Act 1988 (Cth)
Australian Privacy Principles

'Personal Information'

Collection, storage, use and dissemination
Use of CCTV
Prevent crime

Monitor in real time

Clear up crime

Mandatory privacy breach reporting - What happens when something goes wrong?
SF v Shoalhaven City Council
Cameras breached the Privacy and Personal Information Protection Act 1998 (NSW Act)

Deactivated CCTV cameras in the Nowra CBD
The cameras breached the Act because:

signage was insufficient to ensure individuals were aware of cameras

footage was not relevant to the purpose of crime prevention

use was excessive, inaccurate and incomplete

CCTV Footage & privacy
Personal Information:
What is it, and why does it matter?
The law of Privacy
Indirect descriptions
'Personal information': 'Information or an opinion...whether true or not, whether recorded in a material form, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.'

Information is pretty much anything
' (McKenzie v Secretary (1986) 65 ALR 645, 648)
John MacPhail - Paul Gordon
But... before we start

Sensitive information – When information is more than just personal.
Coming changes – the NPPs, the IPPs and the APPs.
A brief overview of Privacy in Australia
There is no 'right' of privacy in Australia
Privacy is regulated only in relation to certain people (Government and certain businesses) by the Privacy Act 1988 (Cth).
The Privacy Act regulates the collection,
storage, use and communication of 'personal information'
Personal Information:
What is it, and why does it matter?
Context and content will change whether or not information is 'Personal Information'.
Handling personal information – What are the rules, and who has to comply?
Who do they apply to?
Corporations and Incorporated Associations;
Unincorporated associations;
with an annual turnover > $3 million
(- and the commissioner intends to use them)
On 15 October 2013 the Commissioner found that AAPT had breached its obligations under the Act.

His media release stated:
Current privacy laws do not give the Commissioner the power to impose any penalties or seek enforceable undertakings from organisations investigated on his own initiative.

‘New privacy laws in force from 12 March 2014 will give me additional powers and remedies when conducting such investigations. From that date I will be able to obtain enforceable undertakings from organisations and, in the case of serious or repeated breaches seek civil penalties,’
Mandatory privacy breach reporting - What happens when something goes wrong?
The APPs
Australian Privacy Principle 1 — open and transparent management of personal information
Australian Privacy Principle 2 — anonymity and pseudonymity
Australian Privacy Principle 3 — collection of solicited personal information
Australian Privacy Principle 4 — dealing with unsolicited personal information
Australian Privacy Principle 5 — notification of the collection of personal information
Australian Privacy Principle 6 — use or disclosure of personal information
Australian Privacy Principle 7 — direct marketing
Australian Privacy Principle 8 — cross-border disclosure of personal information
Australian Privacy Principle 9 — adoption, use or disclosure of government related identifiers
Australian Privacy Principle 10 — quality of personal information
Australian Privacy Principle 11 — security of personal information
Australian Privacy Principle 12 — access to personal information
Australian Privacy Principle 13 — correction of personal information
The Privacy Amendment (Privacy Alerts) Bill 2013
introduces mandatory data breach notification provisions for agencies and organisations that are regulated by the Privacy Act
What is a breach?
Unauthorised access to, or disclosure of, personal information
Personal information lost in circumstances that could give rise to unauthorised loss or disclosure.
A data breach is a serious data breach where there is a real risk of serious harm to the individual to whom the information relates as a result of the breach.

The notification
Notification must be made to the
those affected
Notify as soon as practicable.
Notification must include various prescribed details.
Stuck in Limbo
Bill not passed when parliament was prorogued.
No information on a future revival.
Sensitive Information
Medical information
Religion, Ethnicity, Sexuality
Political opinions, memberships, unionism
Criminal records and sexual history
Need consent in order to collect; BUT
Consent is not enough.
Only collect if reasonably necessary for your organisation's functions.
Can only be used for a primary purpose.
No direct marketing without consent.
Naomi Campbell v Mirror Group Newspapers
ABC v Lenah Game Meats
General aspects of privacy
It’s not all about celebrities and paparazzi.
Take-away points
The NSW Act isn't identical to the Privacy Act, but they have parallels.
Make sure you have an appropriate notice that covers:
The identity of who is collecting the information;
Contact details
Rights of access;
Reasons for collection;
Who the information will be provided to.
The development of Privacy in Australia
• ALRC report (2008) – statutory action for serious invasion of privacy
• Only small part of report
• NSW Law Reform Commission (2009) – general cause of action needed (- ‘climate of dynamic societal and technological change’)
• Victorian LRC (2010) – 2 causes of action recommended
o Misuse of private information
o Intrusion upon seclusion/interference with spatial privacy
• Department of Prime Minister and Cabinet (9/2011) – Issues Paper, referred to ‘high profile privacy breaches’ (eg NewsCorp phone hackings)
• ALRC issues paper (October 2013) – Serious Invasions of Privacy in the Digital Era

• Regulation – more, not less
• Highly dynamic area
• Technology is both cause and potential solution


o Aerial surveillance (drones)
o Employer requests for access to social media account
o Aggregation of data and data matching
Some miscellaneous issues
An issues paper was released in SA in December 2013.
In South Australia, the Government agreed to be bound by elements of the Privacy Act via a Cabinet Circular.

It is unlikely that SA government will adopt the amendments before the Election.
Entities such as public universities are excluded, but have either committed to following the Privacy Act, or are contractually bound to do so.
Policies and practices
Policies must be freely available, in the form requested (if reasonable).
Every APP entity must put in place reasonable practices, procedures and systems to ensure compliance with the APPs.
People and PI
Direct relationship to functions
Notification of collection
Collecting data from third parties (Notice of the recipient)
Anonymity and Pseudonymity
Data integrity
Organisations must:
ensure data accuracy, completeness and quality.
the obligation to correct data and ensure its completeness is no longer only on request.
access must be provided and corrections allowed.
small access fees can be charged (but not for
to access the data, or for requesting a correction).
Sending data overseas
Inform at
the outset
of compliance
Responsibility for breach (unless an exception applies)
Takeaway points:

The Privacy Act applies to most organisations.
Penalties for non-compliance are significant.
Privacy policies must be revamped, and an audit of practices undertaken.
Big data, social media and marketing lists pose issues for the future!

Personal information must be deleted or de-identified after use.
How information is held and collected;
overseas disclosure
complaint and breach handling;
rights of access and correction;
the purpose of collection, storage, use and disclosure;
Policies must identify:
What kind of information is being collected;
Only applies to 'Serious data breaches'
The Elevator Pitch:
What you need to know in 30 seconds
1. You must have
a Privacy Policy
2. You must back up the policy with systems and processes.
4. In certain situations consent is either required (ie. Sensitive Information, or Direct Marketing), or will excuse non-compliance (eg. offshoring)
5. Enforcement now has teeth.
Provisions relating to Sensitive PI:
Secondary use is only permitted if:
1. the Individual would expect it; and
2. the purpose is directly related to the primary purpose.
Permitted General Situation:

Only collect, use, store or distribute if it is BOTH:
Reasonably necessary for one or more of your functions or activities; and
you have the individual's consent
UNLESS a 'permitted general situation' or
'permitted health situation' exists
Permitted general situations:
Serious threats to life, health or safety or to public health or safety:
Suspected unlawful activity (related to the business)
Missing persons
Legal or equitable claims
Diplomatic or consular functions, or certain armed forces activities.
Suspected unlawful activity or serious misconduct:
Do you have reason to suspect that unlawful activity, or misconduct of a serious nature,
that relates to the entity’s functions or activities
has been, is being, or may be engaged in?
The collection must be required or authorised by or under an Australian law (other than the Privacy Act), or
The information must be collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

Permitted Health Situations
the collection of health information to provide a health service
the collection of health information for certain research and other purposes
the use or disclosure of health information for certain research and other purposes
the use or disclosure of genetic information
the disclosure of health information for a secondary purpose to a responsible person for an individual
Provides an exception to several APPs (Direct Marketing, liability for offshoring data etc)
Levels of consent depend upon information sensitivity, and context.
So when is implied consent OK? - No strict guidance.
Who can consent depends upon:
1. the sensitivity of the information;
2. the circumstances of communication; and
3. capacity to consent
A case by case assessment is required (even within the same group!)
3. Generally consent is neither necessary nor relevant.

John MacPhail & Paul Gordon
Full transcript