MinterEllison’s privacy and data protection team advises clients across different industry sectors on local and international privacy and data protection issues.
We regularly assist with the development of privacy compliance tools and privacy policies and statements, conduct privacy audits of organisations to assist with compliance, advise financial institutions in relation to privacy implications associated with credit reporting and providing financial services, advise on marketing and promotional strategies (including email spam and other direct marketing), assist multinational organisations in relation to trans-border data flows and advise and assist organisations in the event of data and information security breaches.
In light of continuing proposals to change privacy laws in Australia, we keep abreast of developments and are able to advise clients on the possible future changes to the law.
Citing identity crime, the magnitude and impact of data breaches and community expectations, the Government has released an exposure draft Bill for industry consultation that would amend the Commonwealth Privacy Act 1988 to insert a scheme for mandatory notification of serious personal information security breaches. Reporting data security breaches to the OAIC and notifying affected individuals is currently voluntary under the Privacy Act. Entities must comply with their data security obligations in Australian Privacy Principle (APP) 11 or similar, which may include following the voluntary OAIC Guide. After 10 years of discussion papers, proposed Bills and ALRC recommendations, the Federal Government has again released another reform package for consultation. This includes an exposure draft Bill in the form of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, together with an Explanatory Memorandum (EM), Discussion Paper and a draft Regulatory Impact Statement.
The ALRC Report, among other things, considered the attitude of young people to privacy, social networking, the capacity of young people to exercise rights under the Privacy Act 1988 (Cth) (Privacy Act) and privacy of young people in their capacity as online consumers and as students at schools. The ALRC Report contained 12 recommendations directed towards the protection of the privacy of young people, very few of which have been adopted. This article, first published in the Privacy Law Bulletin (March 2015), considers some of the issues relating to privacy and young people; examines some practices, legislation applying in other countries, and some decisions of overseas courts; and attempts to provide some guidance as to how to approach the issues in Australia.
In this edition we look at:
The risks associated with social media misuse by employees are well publicised. Less known, however, are the risks faced by employers in accessing, using and disclosing the personal information of employees obtained by the employer via social media sites. So, where does the line begin and end? And when can an employer rely on the information to make decisions?
The new privacy regime is in full swing, with the pressure on organisations to demonstrate substantial compliance with the new laws. The handling of 'employee records' and information is now receiving considerable attention. Our privacy team takes a look at the key issues to consider when managing employee information and how organisations and their employees can work together to minimise the risks.
The process of overhauling Australia's privacy laws, which began some 15 months ago, has come full circle with a new privacy regime to commence on 12 March 2014. Among the many amendments are a series of key changes that we think will have the greatest impact on our clients.
The Office of the Australian Information Commissioner (OAIC) has issued for public consultation the final tranche of draft Guidelines for the new Australian Privacy Principles (APPs), which are set to commence on 12 March 2014. The second tranche discusses APPs 12-13, or Part 5 of the personal information lifecycle - Access to and correction of personal information. This white paper analyses the final tranche in detail including key concepts, applications and exemptions for each of the APPs and outlines the Privacy Commissioner's intended approach to compliance with the new regime.
The Office of the Australian Information Commissioner (OAIC) has issued for public consultation the second of three tranches of draft Guidelines for the new Australian Privacy Principles (APPs), which are set to commence on 12 March 2014. The second tranche discusses APPs 6 to 11, or Parts 3 and 4 of the personal information lifecycle. This white paper analyses the second tranche in detail including key concepts, applications and exemptions for each of the APPs.
The Office of the Australian Information Commissioner (OAIC) has issued for consultation the second of three tranches of draft Guidelines for the new Australian Privacy Principles. This tranche provides guidance on APPs 6 to 11.
The Office of the Australian Information Commissioner has issued for public consultation the first of three tranches of draft Guidelines for the new Australian Privacy Principles (APPs). This white paper explains why the draft guidelines are important and analyses the first tranche in detail including key concepts within the APPs, APPs 1 to 5, and the exceptions to the APPs for permitted health situations and permitted general situations.
In this edition we look at:
The Office of the Australian Information Commissioner has issued for consultation the first of three tranches of draft Guidelines for the new Australian Privacy Principles (APPs). This tranche provides guidance on APPs 1 to 5, some key concepts in the APPs and permitted health situations and permitted general situations.
The Commonwealth Attorney General, Mark Dreyfus QC, yesterday issued Terms of Reference requiring the Australian Law Reform Commission to conduct an inquiry into the prevention of, and remedies for, serious invasions of privacy in the digital era. This latest development is part of the government's second stage response to the recommendations in the ALRC's 2008 Report into reforming the Privacy Act 1988 (Cth), together with the recent proposed compulsory data breach notification scheme and the removal of certain exceptions to the Privacy Act.
The Privacy Amendment (Privacy Alerts) Bill 2013 was introduced into parliament yesterday, making amendments to the Commonwealth Privacy Act 1988. The Bill follows the ALRC's recommendations in its 2008 report into the Privacy Act and a discussion paper released in October 2012 which sought comment on whether to make notification of data breaches mandatory and lessen the potential adverse impacts arising from a data breach. If passed, the laws will come into effect in March 2014 to coincide with the extensive amendments to the Privacy Act that the government has already passed in response to the ALRC report.
As the policy debate rages on the future direction of tertiary education and its institutions, Australian universities are grappling with a raft of regulatory changes that will materially affect their day to day operations.
Under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the Privacy Amendment Act), Australian Privacy Principle 8 (APP 8) will replace National Privacy Principle (NPP) 9 and cover the cross-border disclosure of personal information by APP entities and agencies. The new APP 8 is much broader in its application and contains some significant differences to NPP 9, and as such Australian disclosing entities will need to carefully consider how they wish to meet the requirements of APP 8 in trans-border transactions.
Cybercrime poses a significant challenge for law enforcement agencies and criminal justice systems across the globe. The borderless nature of the internet makes it easier for cyber attacks to be externally instigated. In response, Australia, together with a number of other nations, has taken steps to harmonise laws intended to combat cyber threats and facilitate greater international cooperation between law enforcement agencies.
In this edition of the Privacy Update we look at:
In advance of Privacy Awareness Week, the OAIC released a Guide summarising and analysing the key differences between the National Privacy Principles (NPPs) and the new Australian Privacy Principles (APPs) which will replace the NPPs for private sector (APP) entities from 12 March 2014. While it does not provide detailed guidelines on each of the new obligations in the APPs, it reinforces where the real differences exist between old and new privacy obligations for APP entities when they consider the impact of the new APPs and prepare for compliance.
When the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) commences in March 2014 there will be a new definition of 'personal information' in the Privacy Act 1988 (Cth) that includes information about an individual which, when combined with other information (which may not be controlled by the same entity), identifies an individual or renders the individual reasonably identifiable. This is a significant development as the current definition of 'personal information' requires that the identity of the individual concerned be apparent, or reasonably ascertainable, from the subject information or opinion. If multiple documents potentially controlled by different entities may be considered in determining whether an individual is reasonably identifiable under the Amending Act, a key issue that will face entities is how to determine whether the threshold of 'reasonably identifiable' has been reached.
Australia's new cybercrime law, which came into force on 1 March 2013, establishes the legislative framework for Australia's accession to the Council of Europe Convention on Cybercrime (Convention). The essence of the new cybercrime law is to empower Australia's law enforcement and intelligence agencies to compel carriers to preserve the communication records of persons suspected of cyber-based crimes. The new law also expands the Commonwealth cybercrime offences and facilitates international cooperation between State parties to the Convention through the cross-border sharing of communication records.
The Australasian Retail Credit Association has released for public consultation a draft of the new Credit Reporting Code of Conduct that it is developing at the Privacy Commissioner's request. The release of the draft Code follows the passing of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 last November, which made substantial changes to the Commonwealth Privacy Act 1988 including the replacement of the current credit reporting system by Part IIIA of the amended Act and the requirement for a new Code to be developed.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was passed by the Parliament today, making substantial amendments to the Commonwealth Privacy Act 1988. The Bill has changed somewhat as it has passed through Parliament as a result of the Government accepting a number of the Senate Committee recommendations. We examine the key elements of the reforms and outline what you need to do now to get your organisation ready for the new regime.
The Federal Attorney-General has released a Discussion Paper seeking comment on whether to introduce laws to make notification of data breaches by government agencies and large private sector entities mandatory in Australia. The Government is calling for submissions by 23 November 2012, asking what the triggers should be and what penalties should apply for failure to comply. The Federal Privacy Commissioner has given his support to the Discussion Paper and a mandatory notification scheme.
In this edition of Privacy Update, we look at:
In August, the Senate passed the Cybercrime Legislation Amendment Bill, which will enable Australia's accession to the Council of Europe Convention on Cybercrime – the first international treaty dealing with crimes either against or via computer networks. The Convention targets online fraud, child pornography and unauthorised access, use or modification of data, either through or on computers. It also facilitates access to evidence of cybercrime by enforcement and interception agencies, including by mutual assistance.
Two cases brought by the US Federal Trade Commission against Google dramatically demonstrate the importance of companies adhering to their privacy policies and other representations made to customers about the treatment of their personal information. In settling the latest case, Google has agreed to pay a record US$22.5 million to settle a complaint in relation to its Safari internet browser.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 proposes 19 regulation-making powers in addition to those already in the Privacy Act 1988. Most of the new powers enable the prescription of matters that would further define the meanings of new terms in the proposed credit reporting system.
A recent case highlighted the challenges of establishing the identity of anonymous users of social networking sites who impersonate others. Social networking sites can be an easy means for engaging in impersonation because it is easy to set up a false account. While Facebook and Twitter have mechanisms to deal with the consequences of hacking and impersonation, these may not be enough for the victim whose personal reputation, or that of their employer, has been damaged.
On Tuesday 25 September, the Senate Legal and Constitutional Affairs Legislation Committee released its Report on the Privacy Amendment (Enhancing Privacy Protection) Bill 2012. The Senate report follows the release of the Advisory Report from the concurrent inquiry undertaken by the House of Representatives Standing Committee on Social Policy and Legal Affairs. The decisions of both committees to recommend the adoption of the Bill without major changes may cause alarm, particularly amongst credit providers. We summarise the key recommendations from each report.
On 27 June 2012, the Legislative Council of Hong Kong passed the most extensive set of amendments to the Personal Data (Privacy) Ordinance since the legislation was introduced in 1996.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) (the Bill) amends the Privacy Act 1988 (Cth) (the Act) to implement the first tranche of responses to the Australian Law Reform Commission's (ALRC) report called 'For Your Information: Australian Privacy Law and Practice' (the ALRC report).
We consider recent decisions issued by the Office of the Australian Information Commissioner involving organisations in the telecommunications, legal, insurance and financial sectors.
The Australian Communications and Media Authority has concluded that Vodafone Hutchison Australia's dealers who made unsolicited calls to numbers on the Do Not Call Register to promote its products contravened the Do Not Call Register Act 2006 (the Act). As a result, ACMA has accepted an enforceable undertaking from under the Telecommunications Act 1997 (Cth).
On 25 January 2012, the European Commission published drafts of the two key documents implementing reform proposals for the EU data protection regime. If implemented, the reforms will have a significant impact on any organisation located in the EU or doing business with EU companies or citizens. We examine the proposed reforms and their practical implications.
On 22 February 2012, there was a further key development in the proposed amendments to the Personal Data (Privacy) Ordinance when the Bills Committee for the Personal Data (Privacy) (Amendment) Bill 2011 published a paper revising proposed amendments to provisions on the use of personal data in direct marketing and the sale of personal data.
From July 2012, Australians will have the opportunity to access their health records in a single view, where and when needed, and irrespective of the location of the consumer, healthcare provider or record. This is the first time that this type of service has been made available in Australia and it is set to transform how healthcare is delivered nationally.
Under section 52 of the Privacy Act 1988 (Cth), the Privacy Commissioner has the power to make a determination after investigation and substantiation of a complaint, which directs how a privacy complaint should be resolved. This power includes declaring that the organisation take some remedial action or pay a specified amount of compensation for loss or damage suffered. Declarations can be enforced in the Federal Court.
In Public Interest Determination 12A, the Privacy Commissioner has applied powers granted in section 73 of the Privacy Act to allow doctors to collect health information about a third party, without their consent, on the grounds of being in the public interest.
On 28 November 2011, the European Commission announced that it would comprehensively reform European data protection laws. The proposed reforms, which are due in January 2012, aim to unify the existing legislation of member states and significantly reduce costs for businesses in complying with data protection laws.
The US Federal Trade Commission announced in late November that it had reached a proposed settlement with global social networking site Facebook. The case sounds a warning to companies that collect personal information that they should ensure they only deal with such information as promised or risk proceedings being brought against them for misleading and deceptive conduct.
On Thursday 6 October the Senate Finance and Public Administration Legislation Committee released its highly anticipated report on the credit reporting provisions of the Exposure Draft of the Australian Privacy Amendment Legislation. The report makes 30 recommendations, many of which are quite significant, in response to numerous submissions and particularly on five key matters: simplification and clarification of language and definitions, the treatments of serious credit infringements, identity theft, the use of hardship flags and complaints handling.