Transcript

Copyright © 2013 by K&L Gates. All rights reserved.

Getting privacy compliance right

Vanessa Baic

Senior Associate

Good and not-so-good news!

Good news!

• Aware of the importance of proper handling of information
• Strong compliance culture
• Process driven

Not-so-good news…

• Repeated “mistakes”

What is today about?

• Privacy 101
• The Golden Rules
• Implementation

Privacy 101

The basics


Privacy 101 – The information lifecycle

[Diagram: the information lifecycle – COLLECT → USE/DISCLOSE → STORE, with COLLECTION as the entry point]

Personal information means information or an opinion about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is:

• true or not; and
• recorded in a material form or not

Sensitive information includes race, ethnic origin, political opinions, membership of professional/trade associations, religious or philosophical beliefs, sexual preferences, criminal history and health information

Health information includes:

• information or an opinion about the health or disability of an individual, or a health service provided to, or to be provided to, an individual
• other PI collected to provide, or in providing, a health service

[Diagram: the information lifecycle – COLLECT → USE/DISCLOSE → STORE. COLLECTION from the individual; DISCLOSURE to hospitals, CDMP providers, IT service providers, mail houses and ancillary providers; ACCESS by the individual to the information held]

Privacy 101 – New laws

• 10 National Privacy Principles replaced with 13 Australian Privacy Principles
• The Commissioner’s powers have been increased
• New laws commence on 12 March 2014

The Golden Rules

What you need to know to comply with the current and new laws

Collection Rules

Do not collect PI unless you need it

You must not collect PI unless the information is necessary for one or more of your functions or activities

eg. Membership application form

Obtain consent before collecting sensitive information

An organisation must not collect SI about an individual unless (amongst other things) the individual has consented

eg. Information from a CDMP provider

Provide a collection statement before or at the time of collection

Collection statements – current requirements:

• Your identity and how to contact you
• The fact he/she can gain access to the information
• The purposes for which the information is collected
• The organisations (or types of organisations) to which you usually disclose information of that kind
• Any law that requires or authorises the particular information to be collected
• The main consequences (if any) for the individual if all or part of the information is not provided

Collection statements – additional requirements:

• Whether you collect PI about the individual from a third party and the circumstances of that collection
• The fact that your privacy policy contains information about how the individual may:
  – access and correct PI
  – complain about a breach of the APPs and how you will deal with such a complaint
• Whether you are likely to disclose PI overseas and, if so, the countries where such recipients are likely to be located

Are you properly providing collection statements and obtaining necessary consents?

• Members?
• Healthcare providers?

Collecting unsolicited information

• Decide within a reasonable period whether you could have collected the PI if you had solicited it
• If you could not have collected the PI, and it is not contained in a “Commonwealth record”, destroy or de-identify it
• If you could have collected the PI, then the APPs apply

Use and Disclosure Rules

Use and disclosure

Do not use or disclose PI about an individual for a purpose (the secondary purpose) other than the primary purpose of collection without consent unless:

• The secondary purpose is related to the primary purpose of collection (directly related in the case of SI); and
• The individual would reasonably expect you to use or disclose the information for the secondary purpose

eg. CDMP programs

Direct marketing

New “prohibition” on direct marketing – APP 7.1, unless one of the following applies:

APP 7.2
• information collected from individual
• reasonably expect use or disclosure
• opt out options
• has not opted out

APP 7.3
• information collected from individual
• not reasonably expect use or disclosure
• impracticable to obtain consent
• opt out options
• prominent statement or draw attention to opt out
• has not opted out

APP 7.3
• information collected from third party
• consent or impracticable to obtain consent
• opt out options
• prominent statement or draw attention to opt out
• has not opted out

Actions – review collection notices and information collection methods

Disclosure overseas

Disclosure overseas (cont.)

APP 8 – New accountability approach to cross-border disclosure of personal information

Implication – if disclosure of personal information to overseas recipient:

• Must take reasonable steps to ensure compliance with the APPs by the overseas recipient – contractual obligation, audit
• Sender is potentially liable for misuse by overseas recipient!

APP 8.1 will not apply where:

• Overseas recipient subject to similar principles as APPs and enforcement action available
• Individual consents to disclosure after being expressly informed that APP 8.1 will not apply

Disclosure overseas (cont.)

Privacy in Asia – indicative examples, rated Weak / Medium / Strong:

• Singapore – draft bill
• China
• Bangladesh
• Pakistan
• Sri Lanka
• Nepal
• Hong Kong
• Macau
• India
• Philippines
• Thailand
• Vietnam
• Malaysia – legislation still to come into force
• South Korea
• Taiwan
• Japan

Storage and Disposal Rules

Storage and disposal

You must take reasonable steps to protect PI from:

• misuse, interference and loss
• unauthorised access, modification or disclosure

You must take reasonable steps to destroy or permanently de-identify PI if you do not need it

Take care of other obligations to retain information

Other Rules

[Diagram: a corporate group – Parent Co. with ABC Health Insurance, ABC Insurance, ABC Life Insurance and ABC General Insurance, and XYZ Health Insurance, XYZ Healthcare, XYZ Allied Health and XYZ CDMP]

You are not one big happy family!

Related bodies corporate exemption does not apply where:

• SI is concerned
• the related body corporate is overseas

You need to have robust privacy processes and policies:

• Standard operating procedures
• Privacy policy

Privacy policy

• The kinds of PI you collect and hold
• How you collect and hold PI
• The purposes for which you collect, hold, use and disclose PI
• How an individual can access PI held by you and seek correction of such PI
• How an individual can complain about a breach of the APPs and how you will deal with the complaint
• Whether you are likely to disclose PI overseas and, if so, the countries in which such recipients are likely to be located

Implementation

What should you do to comply?

Implementation: What should you do?

1. Identify all relevant PI/SI flows now and after 12 March 2014
2. Prepare and confirm “information flows” document based on the above
3. Assess and report on privacy compliance
4. Prepare (or update) privacy policy and collection statements (incorporating consents)
5. How will you notify individuals of changes to your privacy policy and collection statements?
6. Implement transborder transfer agreements
7. Prepare a standard operating procedure
8. Train the privacy officer(s) and delegates
9. Train relevant staff
10. Refresher and induction training programs
11. Regular review and updating of privacy policy and collection statements (and consents)


Why bother?

Because you cannot afford not to!

• What will adverse publicity do for your business?
• New powers afforded to the Commissioner

Commissioner’s new powers

Office of the Australian Information Commissioner:

• Investigate complaints about interference with privacy
• Monitoring related functions – security and accuracy of credit reports
• Conduct an assessment relating to APPs
• Apply to Federal Court for civil penalty orders
• Request copy of privacy impact assessment from an agency
• Accept enforceable undertakings
• Undertake investigations and order actions

Questions

Further information

Vanessa Baic
Senior Associate
K&L Gates
Phone: +61 9205 2046
vanessa.baic@klgates.com
www.klgates.com