Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jayne Van Souwe, Principal, Wallis Consulting Group Andrew Maher, Partner, HR Legal.

Published byPrudence Craig Modified over 9 years ago

Similar presentations

Presentation on theme: "Jayne Van Souwe, Principal, Wallis Consulting Group Andrew Maher, Partner, HR Legal."— Presentation transcript:

1

2

3 Jayne Van Souwe, Principal, Wallis Consulting Group
Andrew Maher, Partner, HR Legal

4 Agenda What do Australians think about Privacy? The APPs
The market and social research industry’s response Questions

5 What do Australians think about privacy?
Key findings from “Community Attitudes towards Privacy” – study completed by Wallis for the Office of the Australian Information Commissioner

6 Australian Privacy Principles
Definition and coverage The principles and their implications

7 The Australian Privacy Principles
Cover all Australian government agencies and most private businesses. Replace the Information Privacy Principles (previously applied to government) and the National Privacy Principles (applied to businesses) The market and social research industry had its own set of Privacy Principles (Market and Social Research Privacy Principles) and will have its own Code again. APPs are minimum standards that can only be exceeded in separate industry codes – previous codes allowed limited trade-offs. They are data protection laws and only apply to information about private individuals.

8 The Australian Privacy Principles
State government agencies excluding SA and WA remain bound by the relevant state data and privacy protection legislation usually administered by state privacy commissioners: ACT – Health records are administered by the Human Rights Commission, no territory specific privacy law NSW – Privacy and Personal Information Protection Act 1998 NT – Information Act 2002 QLD – Right to Information Act 2009, Information Privacy Act 2009 TAS – Personal Information and Protection Act 2004 VIC – Information Privacy Act 2000 (health information is covered by the Health Services Act administered by the Health Services Commissioner)

9 The Australian Privacy Principles
State governments with their own privacy legislation are taking a “wait and see” approach to the APPs. They are likely to bring their own legislation into line eventually. At present state legislation exceeds base requirements of federal law and/or clarifies state-specific situations, eg states have different systems for managing health records State and federal laws (and codes that have force of law) always take precedence over industry guidelines. Researchers should be aware of related guidelines, but recognise their place! ACT = CODE = LAW Guideline = good practice

10 The Australian Privacy Principles
For market researchers the situation is clear – if you abide by the Code of Professional Behaviour of AMSRS you will continue to exceed ANY privacy legislation currently in force. (Note the Code of Professional Behaviour is being re-written so that it complements the new Industry Privacy Code, which in turn references the Code of Professional Behaviour).

11 The Australian Privacy Principles
For other areas of business the situation is less clear Federal and state privacy commissioners work together to ensure that legislation complements rather than conflicts – it is more a matter for ensuring that any companies working for state government agencies are clear about which piece of legislation applies. If in doubt, comply with the most stringent piece of legislation.

12 The Australian Privacy Principles
What do we mean by Privacy? Personal information Information or an opinion that identifies or could reasonably identify a person, whether true or not Examples include, name, age, DOB, phone number, address, photograph, credit card details, salary, information collected from customer surveys etc Sensitive information information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices criminal record or health information. Under the APPs, the definition of sensitive information has been expanded to include biometric information used for biometric verification or identification (such as fingerprints, iris recognition, DNA etc).

13 The Australian Privacy Principles
13 new APPs replace IPPs and NPPs Single set of principles which apply to both public and private sectors (APP entities) Structured to reflect the information life cycle — collection, use and disclosure, quality and security, access and correction Mandatory minimums which must be equalled or exceeded in every case Provides a single set of rules (at least for the majority of agencies and businesses bound only by them). No longer allows trade-offs in specific industry codes – all agencies and businesses must meet minimum standards

14 App 1 – Open and Transparent Management of personal information
Agencies must have a clearly expressed and up to date privacy policy and complaints procedure Agencies must take reasonable steps to implement processes that will ensure that the agency complies with the APPs While most organisations have privacy policies they will need to update them and their complaints procedures regularly and ensure that they have processes in place to meet APP requirements

15 APP 2 – Anonymity and pseudonymity
Allows individuals to interact with agencies anonymously Permits the individual to use a pseudonym – unless it is impracticable to deal with an unidentified individual Organisations need to allow people to use pseudonyms or deal with them anonymously where possible

16 APP 3 – Collection of personal and sensitive information
Collection must be ‘reasonably necessary’ for, or ‘directly related’ to, one or more of an agency’s functions or activities Higher standards for collection of sensitive information (necessary and with consent). The definition of sensitive information hasn’t changed, but if it can be implied (eg some surnames are particular to specific races and ethnic groups) then information should be treated the same way.

17 APP 4 – Dealing with unsolicited personal information
Unsolicited personal information now has the same protections as solicited personal information New principle for handling unsolicited personal information mandates that such data should be destroyed or de-identified if it could have been collected overtly and is not part of a commonwealth record. Ensure that only necessary information is transferred to external companies. Companies receiving unsolicited information should destroy it.

18 APP 5 – Notification of collection
This principle outlines the information that must be given to an individual when the agency collects their personal information. It includes: Information about an agency’s APP policy Who the agency is and how to contact it The purpose(s) of the collection Any collections from third parties Consequences of non-collection Complaint handling process Potential overseas disclosure There is no substantial change in this APP compared with previous regulations on data collection

19 APP 6 – Use or disclosure Deals with use and disclosure of personal information Different (more stringent) obligations apply to the use or disclosure of sensitive information eg must gain permission New limited exceptions, to permit use or disclosure for secondary purpose to: Locate missing person Establish, exercise or defend a legal equitable claim Confidential alternative dispute resolution There is no substantial change in this APP compared with previous regulations on data collection

20 APP 7 – Direct marketing Prohibits organisations from using or disclosing personal information for direct marketing purposes, except in specified circumstances Provides a compulsory ‘opt out’ clause Includes personalised advertisements on websites which use information gathered from “cookies” and similar to target individuals This is a completely new Principle and differentiates Direct Marketing practices aimed at selling or marketing products. It includes electronic personalised DM

21 APP 8 – Cross border disclosure
Introduces an accountability approach for cross-border disclosure Agencies must take reasonable steps to ensure overseas recipients do not breach APPs Agencies may be accountable for a breach of APPs by overseas recipients While this is now a separate Principle the concepts contained within it were in the NPPs previously.

22 APP 9 – Adoption, use or disclosure of government related identifiers
Prohibits an organisation from adopting, or using a government related identifier as its own identifier Open data sets and the ability to conduct meta-analysis have led to the introduction of this additional measure to ensure data protection. It is recommended that an organisation uses its own identification system for records. It can hold a concordance, but must do so carefully.

23 APP 10 – Quality Requires agencies to take reasonable steps to ensure personal information it collects, uses or discloses is: Accurate Up-to-date Complete Agencies should ensure that personal information that it uses or discloses is also relevant for the purpose of the use or disclosure There is no substantial change in this APP compared with previous regulations

24 APP 11 – Security Inclusion of ‘interference’
an agency must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure (including hacking) There is no substantial change in this APP compared with previous regulations on data handling

25 APP 12 – Access Agencies required to respond to requests for access of personal information within 30 days Exceptions apply – Freedom of Information Act 1982 or other legislation Access should be provided in the requested manner (where reasonable and practicable) Individual not to be charged Written reasons for the refusal and complaint mechanism There is no substantial change in this APP compared with previous regulations

26 APP 13 – Correction Agencies required to take ‘reasonable steps’ to correct personal information to ensure it is accurate, up-to-date, complete, relevant and not misleading, if: agency satisfied it needs to be corrected, or individual requests correction Agency to respond to request within 30 days Individual not to be charged Statement required if agency refuses to correct and individual requests statement Written reasons for refusal and complaint mechanism There is no substantial change in this APP compared with previous regulations

27 Commissioner’s New Powers
Ability to investigate a potential privacy breach without receiving a complaint (own motion investigations - OMIs) as well as in response to complaint Wider range of action to be taken if a breach of the Act is substantiated whether as a result of OMI or complaint (as before) Written undertakings can now be enforced Seek civil penalties for serious or repeated breaches (up to $1.7 million for corporations) Commissioner can take unilateral action, fines are larger.

28 Market Research Industry Response
New Privacy Code Information/template pack for AMSRO companies

29 New Market and Social Research Industry Privacy Code
New codes must follow the format of the APPs and add to it To our knowledge the market research industry is the only one that has tendered its own Code for ratification. This will mean that the Code administrator is the industry body (AMSRO) rather than the OAIC.

30 New Market and Social Research Industry Privacy Code
The main areas of change are: Subscribers to Code (AMSRO members) will have access to an industry Dispute Resolution mechanism, but must ensure public access to Privacy Policies, Complaints Procedures and the industry Code, as well as reporting complaints systematically and regularly to AMSRO Allow respondents to use a pseudonym if a name is needed and it is practicable Definition of personally identified information – care in what happens with de-identified data sets in public arena. MR data falls into three areas irrespective of the collection method: Contact details of research participants/sample Research status Research data New Privacy Principle for Direct Marketing will allow the industry to differentiate practice further

31 New Market and Social Research Industry Privacy Code
Main changes are…..: Government identifiers must not be used as research identifiers, unless : Is reasonably necessary for verifying the person’s identity Is reasonably necessary for the organisation to fulfil its obligations to an agency or a state/territory authority It is authorised by or under an Australian law or a court order It is necessary for enforcement activities If a respondent requests that their personally identified data be amended or corrected and this would damage the original point in time data, keep a record of the amendment if practical

32 PRIVACY Do’s and Don’ts
Do ensure appropriate systems and processes are in place to comply with the APPs Don’t collect more personal information than is necessary or relevant Do tell individuals what you are going to do with the collected information Don’t use information for an unrelated secondary purpose without consent Don’t disclose personal information unnecessarily Do give people access to their personal information if they ask unless there are proper grounds not to Do keep information secure and free from interference Don’t keep personal information you no longer need or are no longer required to retain Do keep personal information accurate and up to date Don’t disclose information to overseas recipients in countries without equivalent privacy laws and the ability to enforce those rights unless consent is provided Do make someone in the organisation responsible for privacy complaint handling, processes and systems.

33 Information pack for AMSRO companies
AMSRO has produced information for members to help them comply with the requirements in particular: Templates for privacy policies Guidance on how to meet the requirements

34 The Trustmark The Trustmark guarantees business and government decision makers that they are buying research that is quality-assured and meets not only ethical standards, but also the new Privacy Code. AMSRO member organisations operate under the following stringent, mandatory criteria: Privacy: Adherence to the Market & Social Research Privacy Code Quality assurance: Companies must have the International Standard for Market, Opinion and Social Research qualifications (ISO 20252) Ethics: Adherence to the AMSRS Code of Professional Behaviour

35 Questions?

Download ppt "Jayne Van Souwe, Principal, Wallis Consulting Group Andrew Maher, Partner, HR Legal."

Similar presentations

Data Protection Information Management / Jody McKenzie.

Data Protection Information Management / Jody McKenzie.
AMSRO Leaders Forum 2014 Presentation by Timothy Pilgrim to AMSRO Sydney, Thursday 20 March 2014.

AMSRO Leaders Forum 2014 Presentation by Timothy Pilgrim to AMSRO Sydney, Thursday 20 March 2014.
CHARTERED SECRETARIES AUSTRALIA New Privacy Laws 6 June 2013.

CHARTERED SECRETARIES AUSTRALIA New Privacy Laws 6 June 2013.
Privacy An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.

Privacy An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Data Protection.

Data Protection.
PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.

PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.
The Australian Privacy Principles Protecting information rights –­ advancing information policy.

The Australian Privacy Principles Protecting information rights –­ advancing information policy.
CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)

CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)
Hong Kong Privacy Code on Human Resource Management

Hong Kong Privacy Code on Human Resource Management
Data Protection and Records Management

Data Protection and Records Management
Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.

Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
ICAICT202A - Work and communicate effectively in an IT environment

ICAICT202A - Work and communicate effectively in an IT environment
Per Anders Eriksson

Per Anders Eriksson
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)

Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

Similar presentations

Ads by Google