A guide to the new privacy landscape for the Commonwealth Government


Contents

- Privacy compliance: it's time to get ready (page 3)
- Overview of the Australian Privacy Principles (page 4)
- The other requirements (page 8)
- Privacy developments: what's next? (page 9)
- Topics covered by the draft OAIC APP Guidance (page 12)
- Getting started (page 15)
- AAPT hacking case study (page 18)
- Contacts for the Commonwealth Government (page 22)

Privacy compliance: it's time to get ready

On 12 March 2014, the biggest change to the privacy landscape for Commonwealth Government agencies since the introduction of the Privacy Act takes effect. It is not too late to commence preparations for the changes, but time is running out. Agencies need to start work now to ensure compliance by this deadline.

This Guide provides agencies with:
- a summary of the main changes to the Privacy Act
- an overview of the likely developments in the privacy area in the near future, and
- a plan of action, setting out what agencies need to do now.

To help you, Sparke Helmore has also developed a Privacy Compliance Toolkit. This toolkit, which will be tailored to each agency's needs, covers the requirements of the new provisions and topics such as privacy audits, privacy policy and procedures, and privacy training. If you would like to know more about the privacy services Sparke Helmore offers, please contact me or any member of our Government Team.

Main changes of note:
- the replacement of the IPPs with the APPs
- amendments to key provisions of the Privacy Act
- the strengthening of the Commissioner's powers, backed by pecuniary penalties of up to $1.7 million.

Michael Palfrey | Partner | e: michael.palfrey@sparke.com.au

Sparke Helmore Lawyers, November 2013

Overview of the Australian Privacy Principles

Bottom line

The amendments tighten up the rules around how agencies can collect, use and disclose personal information. For the first time, the new Australian Privacy Principles will apply to both the private and public sectors. There is a new requirement for agencies to develop detailed privacy policies and make them clear and easily accessible. The Principles require a higher standard of protection to be afforded to sensitive information. The Commissioner will also be able to obtain enforceable undertakings from an organisation and apply to the court for a civil penalty order against agencies.

The main changes to the Privacy Act result from the replacement of the current Information Privacy Principles (IPPs) with the Australian Privacy Principles (APPs). Importantly, the APPs align more closely with the current National Privacy Principles, which apply to the private sector, than with the IPPs. This summary sets out the main requirements of the APPs.

APP 1 - open and transparent management of personal information

Agencies are required to manage personal information in an open and transparent way. This includes:
- having procedures and systems in place that are reasonable in the circumstances to enable compliance with the new principles
- having an up-to-date privacy policy that is clearly expressed and readily available (usually on the agency's website), which contains information about:
  - the kinds of personal information collected
  - how the information is collected
  - the purposes for collection
  - whether it is likely that the agency will disclose personal information to overseas recipients and, if so, the countries in which they are likely to be located.

APP 2 - anonymity and pseudonymity

Where it is lawful and practicable, individuals must be given the option of not identifying themselves when dealing with an agency. Options for anonymity include using cloaking devices, such as pseudonyms.

APP 3 - collection of solicited personal information

This principle sets out the standard for the collection of personal information by agencies. These standards may differ between agencies.

An agency must only collect personal information that is reasonably necessary for, or directly related to, one or more of its functions or activities. An agency must only collect sensitive information if the individual consents to the collection and the information is reasonably necessary for, or directly related to, one or more of its functions or activities. There are exceptions to this general rule. These include:
- where the collection is required or authorised by Australian law or a court order
- in permitted general situations
- in permitted health situations, and
- in cases where an enforcement body reasonably believes that the collection of the information is reasonably necessary for its functions or activities.

Further, an agency must collect the information:
- by lawful and fair means, and
- directly from the individual concerned, unless certain circumstances apply (for example, where it is unreasonable or impracticable to do so).

APP 4 - dealing with unsolicited personal information

When an agency receives unsolicited personal information, it must determine whether or not it could have collected the information in line with APP 3. If:
- it could, the other APPs apply to that personal information, or
- it couldn't, then steps must be taken to either destroy the information or de-identify it so that it no longer contains personal information.

This requirement doesn't apply if the information is contained in a Commonwealth record.

APP 5 - notification of the collection of personal information

When an agency collects an individual's personal information, it must take reasonable steps to notify the individual of the collection. This includes providing:
- the contact details of the APP entity
- whether the information has been collected from a third party or under an Australian law or court/tribunal order (and details about that collection)
- the purpose of the collection
- the complaint-handling and access/correction information in the APP entity's privacy policy
- information about disclosure, including to overseas recipients, and
- the consequences of not collecting the information.

APP 6 - use or disclosure of personal information

If an agency holds personal information about an individual that was collected for a particular purpose, the agency must not use or disclose it for another purpose unless:
- the individual has consented to the use or disclosure, or
- the use or disclosure of the information falls within the listed exceptions.

Exceptions include:
- where the secondary purpose is related to the primary purpose and the individual would reasonably expect the information to be used for that secondary purpose (where sensitive information is involved, the secondary purpose must be directly related to the primary purpose)
- where the use or disclosure is required or authorised by an Australian law or a court order
- in permitted general situations
- in permitted health situations, and
- where the agency reasonably believes that the use or disclosure of the information is reasonably necessary for enforcement-related activities conducted by, or on behalf of, an enforcement body.

An agency can disclose biometric information or biometric templates to an enforcement body if the disclosure is in line with the Commissioner's guidelines.

APP 7 - direct marketing

This principle doesn't apply to agencies unless they are engaging in commercial activities.

APP 8 - cross-border disclosure of personal information

Before an agency discloses personal information to an overseas recipient, it must take reasonable steps to ensure the recipient doesn't breach the APPs (other than APP 1). This will generally require the agency to enter into a contractual relationship with the recipient. Exceptions include where:
- the agency reasonably believes the recipient of the information is subject to a law or binding scheme substantially similar to the APPs
- there is express informed consent to the disclosure of the information
- the disclosure is required or authorised by Australian law
- a permitted general situation exists
- the disclosure is required or authorised by an international agreement relating to information sharing (to which Australia is a party), and
- the agency reasonably believes the disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body, and the overseas recipient is an equivalent type of body.

APP 9 - adoption, use or disclosure of government-related identifiers

In general, this principle doesn't apply to agencies.

APP 10 - quality of personal information

An agency is required to protect the quality of the personal information it collects, uses and discloses, and to take reasonable steps to ensure that:
- the personal information it collects is accurate, up-to-date and complete, and
- the personal information it uses or discloses is accurate, up-to-date, complete and relevant.

APP 11 - security of personal information

An agency must protect, and in some cases destroy, personal information. This obligation includes taking reasonable steps to:
- protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and
- destroy or de-identify personal information that is no longer needed for any purpose for which it may be used or disclosed under the APPs, unless the information is in a Commonwealth record.

APP 12 - access to personal information

An agency must give an individual access to their personal information, subject to specific exceptions. This principle does not apply where an agency is required or authorised to refuse access under the Freedom of Information Act 1982 or other legislation. The principle sets out the procedural details for requests for access, such as:
- time-frames
- means of access
- access charges, and
- procedures for refusal to grant access.

APP 13 - correction of personal information

An agency must take reasonable steps to correct the personal information it holds about an individual if:
- it believes the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, or
- the individual requests that it be corrected.

An agency is not obliged to maintain the correctness of the personal information it holds at all times. However, when personal information is used or disclosed, an agency may need to correct it before use or disclosure if it is satisfied the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

The other requirements

The main changes to the Privacy Act are contained in the APPs; however, there are other changes that agencies need to understand. This summary sets out some of the key provisions that are not contained in the APPs.

Exceptions to the APPs

The general rule is that an agency covered by the APPs must not act in a way that breaches them; however, there are exceptions. The main exceptions are the permitted general situations and the permitted health situations.

Exception 1 - permitted general situations

Personal information may be collected, used or disclosed without breaching the APPs where:
- it is unreasonable or impracticable to obtain the individual's consent and the agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or is necessary for public health and safety, or
- there is reason to suspect unlawful activity or serious misconduct relating to the agency and the agency reasonably believes that the collection, use or disclosure is necessary to take appropriate action in relation to the matter, or
- the agency reasonably believes it is necessary to help locate a missing person (provided this is in keeping with any rules made by the Commissioner), or
- the agency reasonably believes it is necessary for its diplomatic or consular functions or activities.

The Defence Force may also collect, use or disclose personal information where it reasonably believes it is necessary for its overseas operations.

Exception 2 - permitted health situations

Health information may be collected, used and disclosed in certain situations without breaching the APPs. This exception is essentially the same as under the 2000 reform to the Privacy Act, which permits collection, use or disclosure where the information is necessary to provide a health service to the individual and it is:
- required by or authorised under Australian law, or
- in line with rules established by competent health or medical bodies.

Other obligations not contained in the APPs

Agencies will also need to be aware of obligations and key concepts contained in other provisions of the Privacy Act, including:
- the definitions of key concepts, including some of those referred to in the APPs
- the expansion of the extra-territorial operation of the Act
- the responsibilities of agencies where they disclose personal information to an overseas recipient
- external dispute resolution schemes
- APP Codes, and
- obligations on agencies if they engage contracted service providers.

Information Commissioner's guidance, monitoring and advice-related functions

The amendments enhance the Office of the Australian Information Commissioner's (Information Commissioner) guidance, monitoring and advice functions, and its auditing of compliance. In particular, the Information Commissioner may:
- accept enforceable undertakings from an entity
- apply to the Federal Court or Federal Circuit Court for an order that an entity pay a civil penalty, and
- conduct own-motion assessments of compliance with the APPs.

Privacy developments: what's next?

The privacy landscape in Australia is rapidly changing as the Government tries to respond to changes in technology and to developments in the privacy policies and practices of other countries in the developed world. While most of the attention has been devoted to reviewing the changes contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which takes effect on 12 March 2014, there are a number of other areas that are likely to see changes in the near future. This article discusses some of the areas in which development is already underway and where we are most likely to see changes in the near future.

OAIC Guidelines

At the time of writing, the OAIC has released two tranches of draft APP Guidelines for consultation. A table of the issues covered by the draft guidance is set out at the end of this article. As there is less than six months to go before the APPs take effect, we expect the OAIC will soon release the remainder of its draft guidance and move very quickly to finalise it in time for the commencement of the new provisions.

In the meantime, the OAIC continues to release guidance on other aspects of privacy that may have implications for entities. For example, the OAIC recently released guidelines for Code Development and External Dispute Resolution Scheme Recognition, which are concepts relevant under the Privacy Act after March 2014. This means entities will need to continually monitor and adapt their privacy policies and procedures in line with the guidance as it is released.

Mandatory Breach Notification Bill

On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (the Bill), which would create a mandatory notification scheme for serious data breaches, was introduced into Parliament. The Bill followed on from the Australian Government's discussion paper, Australian Privacy Breach Notification, released on 17 October 2012 (see our article "Privacy breaches: mandatory notification a step closer"). The discussion paper followed the Office of the Australian Information Commissioner's (OAIC) publication, Data Breach Notifications: A Guide to Handling Personal Information Security Breaches (see our article "Privacy: the sands continue shifting").

The Bill sets out:
- the requirement on agencies to notify individuals when there has been a serious data breach
- the notification requirements, and
- that a failure to comply with the mandatory notification obligations is deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act, enlivening the enhanced powers of the Commissioner to investigate and pursue remedies, including civil penalties.

The new Commonwealth Government may restart the process to introduce the mandatory scheme, particularly as the Senate Committee report recommended that the Bill be passed. However, comments by the Coalition Senators on the Committee about the timeframe of the Bill, and concern in the industry about regulatory overload, suggest that more time may be granted for consultation on and implementation of the reforms.

Statutory cause of action for serious invasion of privacy

Following a number of high-profile privacy breaches, in particular the September 2011 News International phone hacking scandal, the Government released an issues paper, A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy. The paper explored some of the key issues raised by the Australian Law Reform Commission's 2008 recommendation that there be a statutory cause of action for serious invasions of privacy.

Some of the key issues that need to be considered in deciding whether a statutory cause of action should be introduced are also explored in the issues paper. These include:
- whether there is a need for it
- what the appropriate test is
- what defences should be available
- whether there should be exemptions, and
- how damages should be calculated.

For a detailed summary of the main recommendations of the committee report, see our article "Suing for invasion of privacy: the Government releases its Issues Paper".

On 12 June 2013, the former Attorney-General referred the issue to the Australian Law Reform Commission for inquiry and report by June 2014. The ALRC released an issues paper on 8 October 2013, beginning its consultation process for the inquiry.

This issue is complex and divisive. While we expect that the Government will move carefully in this area, if there is a high-profile scandal involving a privacy breach by an Australian entity (such as evidence of widespread phone hacking), then there is likely to be public pressure for the Government to act quickly to introduce a statutory cause of action. Fortunately, to date, there is no evidence that this has occurred in Australia.

Next stage response to the ALRC Report

The March 2014 amendments to the Privacy Act reflect the first stage of the Government's response to the Australian Law Reform Commission's (ALRC) 2008 report, For Your Information: Australian Privacy Law and Practice, which made 295 recommendations for change. The previous Government stated that the remaining 98 recommendations of the ALRC report would be considered after the progression of the first stage reforms. Assuming the new Government continues to implement the recommendations of the report, we expect to see further consultation undertaken on the remaining recommendations. Mandatory breach notification and a statutory cause of action for serious invasion of privacy are two of the key issues set out in the remaining recommendations.

Conclusion

While it is acknowledged that keeping pace with technological and privacy developments means the privacy landscape is likely to continue changing, it is hoped that the new Government will balance the need for changes with the need to provide all stakeholders with the opportunity for appropriate consultation on and consideration of any proposed amendments. In the meantime, agencies will need to keep on top of developments in the privacy area, particularly the OAIC's final APP guidance, which is expected in the coming months, and ensure that the guidance is reflected in their practices and procedures under the APPs by 12 March 2014.

Topics covered by the draft OAIC APP Guidance

General matters
- who is covered
- what happens if an entity breaches the APPs
- clarification of some of the key concepts contained in the APPs, such as their extraterritorial application, collection, Commonwealth records, consent, disclosure, health information, "necessary" and "reasonably necessary", personal information and purpose
- what the permitted general situation exception includes, and
- what the permitted health situation exception includes.

APP 1 - open and transparent management of personal information
- what constitutes reasonable steps
- examples of practices, procedures and systems that entities should consider implementing
- information that must be included in an entity's privacy policy, and
- availability of the privacy policy to the public.

APP 2 - anonymity and pseudonymity
- anonymous and pseudonymous options
- when identification is required or authorised by law, and
- when it is impracticable for an entity to deal with an individual who has not identified themselves.

APP 3 - collection of solicited personal information
- examples of solicited information
- the process for determining whether the collection of personal information is reasonably necessary for (for organisations), or directly related to (for agencies), the entity's functions
- collection of sensitive information where: it is required or authorised by law; a permitted general situation exists; a permitted health situation exists; and it is for an enforcement activity
- what constitutes lawful and fair means, and
- the exceptions to the requirement to collect directly from the individual, where: it is unreasonable or impracticable; the individual consents to the collection from someone else (for agencies); and it is required or authorised by law.

APP 4 - dealing with unsolicited personal information
- examples of unsolicited information, and
- issues in dealing with unsolicited information, such as: Commonwealth records; when destruction or de-identification is lawful; factors to consider in deciding whether destruction or de-identification is reasonable; and dealing with information that is not destroyed or de-identified.

APP 5 - notification of the collection of personal information
- factors that are relevant to assessing whether reasonable steps to notify or ensure awareness have been taken
- examples of reasonable steps that could be taken
- examples of when not taking any steps is reasonable
- the matters that must be notified, and
- when the notification must occur.

APP 6 - use or disclosure of personal information
- the meaning of "hold", "use", "disclose" and "purpose"
- use or disclosure for a secondary purpose
- use or disclosure of sensitive information
- use or disclosure: with the individual's consent; where reasonably expected by the individual; as required or authorised by law; where a permitted general situation exists; where a permitted health situation exists; and for an enforcement-related activity
- disclosure of biometric information to an enforcement body
- de-identification of certain health information before disclosure, and
- use or disclosure between related bodies corporate.

APP 7 - direct marketing
- the principle only applies to some agencies engaged in commercial activities
- examples of direct marketing
- when agencies are covered
- use and disclosure of personal information for the purpose of direct marketing: where reasonably expected by the individual; and where there is no reasonable expectation of the individual, or the information is collected from a third party
- use and disclosure of sensitive information for the purpose of direct marketing with the individual's consent
- direct marketing by contracted service providers
- requests to stop direct marketing communications
- requests to stop facilitating direct marketing, and
- interaction with other legislation.

Topics covered by the draft OAIC APP Guidance (cont'd)

APP 8 - cross-border disclosure of personal information
- what constitutes an overseas recipient
- when an entity discloses personal information to an overseas recipient
- when an entity will have taken reasonable steps
- when an overseas recipient is subject to a similar law or binding scheme
- disclosure to an overseas recipient: with consent after the individual is expressly informed; as required or authorised by law; where a permitted general situation exists; as required or authorised under an international agreement relating to information sharing (for agencies); and for an enforcement-related activity, and
- when an entity is accountable for personal information that it discloses to an overseas recipient.

APP 9 - adoption, use or disclosure of government-related identifiers
- the principle only applies to some agencies engaged in commercial activities
- what a government-related identifier is
- when agencies are covered by APP 9
- what "adoption" means
- adoption as required or authorised by or under law, and
- use and disclosure of government-related identifiers: where reasonably necessary to verify the identity of the individual, and to fulfil obligations to an agency or a state or territory authority; as required or authorised under law; where a permitted general situation exists; and to an enforcement body for enforcement-related activities.

APP 10 - quality of personal information
- what reasonable steps are
- examples of reasonable steps
- what the quality considerations are, and
- interaction with other APPs.

APP 11 - security of personal information
- when an entity holds personal information
- what reasonable steps are
- what the security considerations are, and
- destruction or de-identification of personal information.

Getting started

The Privacy Act amendments make numerous changes to the way agencies collect, hold, use and disclose personal information. Agencies already have systems and procedures to comply with current privacy obligations. What needs to happen now is to identify what the new obligations are and how to adapt existing practices and procedures to achieve compliance.

A high-level approach to becoming compliant has these phases: PLAN, AUDIT, ANALYSE, AMEND, IMPLEMENT.

To assist your privacy compliance project team, we have developed a Privacy Toolkit that addresses the requirements of the new provisions and covers topics such as privacy audits, privacy policy and procedures, and privacy training. The toolkit will be tailored for each agency. Call Michael Palfrey on (02) for more information about the toolkit and pricing. One of the key steps in the toolkit involves designing and conducting the privacy audit.

AUDIT: design and conduct a privacy audit

An important step in the compliance process is to conduct a privacy audit to identify current privacy practices and procedures and then compare them against the new obligations to determine areas of non-compliance. A privacy audit is designed to identify:
- the types of personal information you currently collect, hold, use and disclose
- the types of personal information you may collect, hold, use and disclose in the future
- how you collect, hold, use and disclose that information
- what legislation, policies and procedures currently govern your agency's collection, holding, use and disclosure of personal information
- where these activities take place, and
- what may be reasonable steps in the context of your agency and in relation to individual collection processes.

Assign the team

The audit project team should involve senior management from the legal, FOI, IT, media relations and HR areas in your agency.

Assess current privacy compliance

To collect privacy compliance information, each area within the agency will need to be investigated. As an initial step, a questionnaire is useful to identify current practices and to get managers thinking about how their current practices may need to change.

The best questionnaires contain appropriate guidance to assist line areas to understand relevant concepts, for example, the collection, use and disclosure of sensitive information. At a minimum, the questionnaire should ask each area to identify their current practices around the key stages of the information lifecycle. To help you, we have included below a list of items your questionnaire should cover.

Validation and clarification

After the questionnaires have been completed and analysed, the audit team should meet with line areas to ensure they understood the questions and to validate the responses, identify any areas of risk and non-compliance, and discuss appropriate compliance strategies.

Prepare the audit report

The audit report will present the audit team's findings and identify:
- the key privacy issues and risks facing the agency
- the level of privacy compliance within the agency, and
- recommendations to ensure compliance with privacy obligations.

Privacy compliance survey topic suggestions

1. General
- the systems, policies and procedures in place to ensure compliance with the area's privacy obligations
- the privacy training and guidance material used by the area in carrying out its functions
- the results of any privacy compliance audits that have been undertaken
- any complaints-handling process in place regarding the collection, holding, use and disclosure of personal information
- any complaints or enquiries received in the past
- any specific legislation that governs its current privacy practices

2. Collection
- the types of personal information it collects
- any personal information it collects that is sensitive information
- any government identifiers relating to the personal information
- whether it is lawful/practical for people to remain anonymous when dealing with the area
- why that personal information is required for its functions
- any legal requirement or authorisation to collect the personal information
- how the personal information is collected
- how the area informs the person of its policies and procedures for collection of the personal information
- what the area informs the person about the collection of the information
- the terms of any consent that a person gives to the collection
- any unsolicited personal information that is received

3. Use
- how the area uses the collected information
- why the information is required to be used for the area to exercise its functions
- any legal requirement or authorisation to use the information
- how the individual is informed of that use
- the terms of any consent to that use
- the policies and procedures the area follows that govern the use of personal information

4. Disclosure
- any personal information disclosed
- any personal information disclosed overseas and, if so, where and under what conditions
- how the individual is made aware of the disclosures
- the terms governing any disclosure to third parties, and the terms of any consent to disclosure
- any legal requirement or authorisation to disclose the information
- the policies and procedures the area follows that govern disclosure of personal information

5. Storage and security
- how the personal information is stored
- what security measures are in place to protect against loss and against unauthorised access, use, modification or disclosure
- what security policies/procedures governing the handling and storage of personal information apply to the area
- what protocols/procedures govern adding, amending or deleting personal information
- what legal requirements/authorisations apply to storing/destroying personal information

6. Information integrity
- how an individual can access their personal information
- how they are made aware that the area holds their personal information
- how they are made aware of their ability to access their personal information
- any legal requirement or authorisation governing refusal of access to the information
- the policies and procedures the area follows that govern a person's access to personal information
- how the area ensures that the personal information is accurate, relevant, up-to-date, complete and not misleading

10 AAPT hacking case study: what would happen if it was an agency under the new law? Recently, AAPT customer data was hacked and published on the internet. Following an own motion investigation, on 15 October, Australian Commissioner, Timothy Pilgrim, found AAPT had breached the Act in respect of the incident. The case provides a useful scenario to examine what would the result be if the same issues arose for an agency under the new law. In particular, the case provides useful guidance around the Commissioner s thinking on: what constitutes disclosure and what constitutes use what your obligations are when you use a third party server, and what your training obligations are. Background This case involved AAPT s company data (including customers personal ) being accessed and stolen by Anonymous, an international network of hacktivists, between 17 and 19 July Anonymous subsequently published the data on the internet. The data was held on a server managed by WebCentral Pty Ltd, a web-hosting business unit of Melbourne IT. Under the contract between AAPT and WebCentral, WebCentral was required to fully manage and maintain the server, except for the custom application content and data, which was the responsibility of AAPT. Anonymous accessed the data though the Cold Fusion application installed on the server, which was a customer-managed application and was AAPT s responsibility under the contract. AAPT was using an old version of Cold Fusion, which was known to have vulnerabilities. When Melbourne IT became aware of the attack it notified AAPT, which immediately disconnected from the network and took steps to ensure the data could not be further compromised. Own motion investigations It is worth noting that this matter involved an own motion investigation in response to media reports of the hacking by Anonymous. Accordingly, agencies cannot rely on the fact that they have not received a complaint as an indication that any privacy breaches will not be pursued. 
Under the new provisions, the Commissioner's powers will be enhanced, including by clarifying and strengthening the Commissioner's power to conduct own motion investigations of any act or practice that may interfere with an individual's privacy or be a possible breach of APP 1. Further, agencies may also have notification requirements if the mandatory data breach notification legislation is introduced.

Who held the data?
Under NPP 4.1, an organisation is required to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. The question in this case was whether AAPT or WebCentral held the data. The Commissioner took the view that AAPT held the data despite it being stored on WebCentral's server. Accordingly, AAPT had the obligation under NPP 4.1. APP 11.1 is the equivalent of NPP 4.1, so where an agency outsources data storage it will still be likely to be regarded as holding the information under the new provisions and to have obligations to protect it.

Was the publishing of the data a disclosure by AAPT?
Under NPP 2.1, an organisation may only use or disclose personal information for the primary purpose of collection (unless an exception applies). As the publication of the data was not for the primary purpose of collection, the Commissioner examined whether the publication amounted to a disclosure by AAPT. As the data was made public through the malicious actions of Anonymous, the Commissioner found that the publication was not a disclosure by AAPT. APP 6.1 sets out requirements on the use and disclosure of personal information similar to those of NPP 2.1, so this test will remain relevant under the new provisions.

Reasonable steps to protect personal information
The Commissioner found AAPT failed to take reasonable steps to secure the personal information as required by NPP 4.1.
In assessing whether reasonable steps had been taken, the Commissioner examined the Cold Fusion application to determine whether it was suitable in the circumstances, the contract between AAPT and WebCentral, and AAPT's awareness and management of the privacy protection measures under the arrangements.

The Commissioner noted that AAPT used a seven-year-old version of Cold Fusion, which was known to have vulnerabilities. While the security patches for the version used by AAPT were up to date, the failure to move to newer versions of the application that did not have the vulnerabilities of the older version meant that AAPT had not taken reasonable steps to protect the information. In other words, applying every patch released for an obsolete version is not the same as running a supported one: weaknesses the vendor addressed only in later releases remain.

The Commissioner identified several deficiencies in the data security provisions of the contract between AAPT and WebCentral, including that:
- data was not assessed to determine whether it included personal information and, if so, its sensitivity
- existing or emerging security risks were not required to be identified and addressed, and
- vulnerability scanning and assessment of the effectiveness of the Cold Fusion application were not required to be undertaken.

This led to the conclusion that AAPT did not have adequate contractual measures in place to protect the data held on the compromised server. The Commissioner noted that it was unclear whether AAPT was aware of what personal information was on the server, what Cold Fusion applications were installed and which parts of the server they related to, or who was responsible for the maintenance and management of the application.

Based on the known deficiencies in the version of the application used, the inadequate contractual arrangements in place, and the lack of knowledge and management of the security measures in place, the Commissioner found that AAPT had failed to take reasonable steps to secure the personal information.
To address these issues, the Commissioner recommended AAPT:
- conduct regular reviews of all IT applications held internally or with external providers, to ensure AAPT is aware of the applications it holds
- take steps to ensure all IT applications held internally or externally that hold or use personal information are subject to vulnerability assessment and testing and to regular vulnerability scanning
- clearly allocate responsibility for management of applications
- conduct regular audits of AAPT's IT security framework to ensure security measures are working effectively, and that policies and procedures relating to data security are being complied with
- take steps to ensure appropriate classification of the data it holds, either internally or externally, including whether it includes personal information and the sensitivity of that information, and
- review the terms of its contracts with IT suppliers that hold or manage AAPT data to ensure clarity about which party is responsible for identifying and addressing data security issues (such as vulnerabilities associated with old versions of IT applications).

As APP 11.1 imposes the same requirements on agencies as NPP 4.1 did on AAPT, agencies in AAPT's position would also be in breach of the new provision (as they would be under the existing IPP 4). The recommendations made by the Commissioner provide useful guidance on what he regards as reasonable steps in the circumstances to discharge your obligations under the new provisions.

Reasonable steps to destroy or permanently de-identify personal information that is no longer in use
The Commissioner found AAPT had breached its obligation to destroy or permanently de-identify personal information that was no longer in use. To comply with this obligation an organisation is required to develop systems or procedures to identify information it no longer needs, and a process for how the destruction or de-identification of that information will occur. In AAPT's case, the Commissioner noted that these policies were available on the company's intranet; however, they were not followed in this case and there was low awareness of them among staff. As a result, AAPT had not taken the reasonable steps required by NPP 4.2.

Importantly, this finding highlights that having a policy that complies with the requirements is not enough. Organisations also have an obligation to train their staff to comply with the policy and to take reasonable steps to ensure that the policy is implemented.

This area of destruction and de-identification is one of the key areas where the obligations of organisations and agencies differ. Under APP 11.2, the obligation to destroy or de-identify personal information does not apply to information contained in a Commonwealth record, so that the agency's obligations under the Archives Act can be complied with.

Penalties for breach
As the case involved breaches of the NPPs, the Commissioner was unable to impose a penalty on AAPT. Under the new APPs, which impose the same requirements on agencies as the NPPs in question (with the exception of record destruction), the Commissioner has enhanced enforcement powers, including the ability to accept and compel compliance with enforceable undertakings and, in the case of serious or repeated breaches, to seek civil penalties of up to $1.7 million.
Key lessons
The AAPT case highlights the following key points:
- agencies continue to have privacy obligations for personal information even when it is stored on third party servers and is not physically held by the agency, for example in a cloud application
- a malicious act by a third party may result in the Commissioner commencing an own motion investigation into whether the agency is in breach of its privacy obligations; this does not require a complaint, or any act by the agency or its service provider
- where personal information is held by a third party, contractual arrangements for data protection and security need to be clear and adequate, and
- it is not sufficient for an agency simply to have privacy policies and procedures. It must also ensure staff are trained in, regularly reminded of, and actually implement those policies and procedures.

The case also provides useful guidance on the Commissioner's thinking on:
- what constitutes disclosure and what constitutes use
- what your obligations are when you use a third party server, and
- what your training obligations are.

The Commissioner's recommendations also provide a timely reminder of the sort of steps agencies are required to take to fulfil their privacy obligations.
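The Commissioner's recommendations above (know what applications you hold, allocate an owner, classify the data, keep applications on a supported release rather than merely patching an obsolete one, and scan for vulnerabilities regularly) can be turned into a repeatable control rather than a one-off audit. The following is an added example, not code from the guide or from the OAIC determination: it reviews a constructed inventory of applications, hosted internally or by a provider, and reports each gap the determination turned on. Every application name, host, owner, version, date and threshold in it is an illustrative assumption, and the first entry is shaped like the AAPT facts only in outline (provider-managed server, customer-managed application on an old but fully patched release).

```python
"""
Added example, not from the Sparke Helmore guide or the OAIC determination:
an automated inventory check built around the Commissioner's AAPT
recommendations (application inventory, allocated ownership, data
classification, supported versions, regular vulnerability scanning).

Every application, host, owner, version, date and threshold below is a
constructed assumption for illustration; none is taken from the case.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class HostedApp:
    name: str
    hosting: str                         # "internal" or the provider's name
    managed_by: str                      # who patches and maintains it under the contract
    owner: Optional[str]                 # accountable agency officer; None = nobody allocated
    version: str
    vendor_support_end: Optional[date]   # None = support status unknown
    patches_current: bool                # all vendor patches for *this* release applied
    holds_personal_info: Optional[bool]  # None = data never classified
    sensitive: bool = False
    last_vuln_scan: Optional[date] = None


# Assumed policy: scan anything that may hold personal information at least quarterly.
SCAN_INTERVAL = timedelta(days=90)


def review_app(app: HostedApp, today: date) -> list:
    """Return the findings for one application; an empty list means it passes."""
    findings = []
    if app.owner is None:
        findings.append("no accountable owner allocated")
    if app.holds_personal_info is None:
        findings.append("data never classified for personal information or sensitivity")
    if app.vendor_support_end is None:
        findings.append("vendor support status unknown")
    elif app.vendor_support_end < today:
        # The AAPT point: patching an end-of-life release does not remove
        # the weaknesses the vendor addressed only in later releases.
        msg = f"version {app.version} unsupported since {app.vendor_support_end.isoformat()}"
        if app.patches_current:
            msg += " (patches current, but the release itself is obsolete)"
        findings.append(msg)
    elif not app.patches_current:
        findings.append(f"version {app.version} missing vendor patches")
    # Unclassified data is treated as if it holds personal information.
    if app.holds_personal_info is not False:
        if app.last_vuln_scan is None:
            findings.append("never vulnerability scanned")
        elif today - app.last_vuln_scan > SCAN_INTERVAL:
            findings.append(f"vulnerability scan overdue (last {app.last_vuln_scan.isoformat()})")
    return findings


def review_inventory(inventory, today: date) -> dict:
    """Map each application name to its findings, internal and hosted apps alike."""
    return {app.name: review_app(app, today) for app in inventory}


# Constructed inventory (assumed data). The first entry has the shape of the
# AAPT facts: provider-managed server, customer-managed app on an old release.
REVIEW_DATE = date(2013, 11, 1)
INVENTORY = [
    HostedApp("customer-portal", "ExampleHost Pty Ltd",
              "ExampleHost (server); agency (application content)",
              owner=None, version="7.0", vendor_support_end=date(2009, 6, 30),
              patches_current=True, holds_personal_info=None),
    HostedApp("hr-records", "internal", "agency ICT", owner="HR Systems Manager",
              version="3.4", vendor_support_end=date(2016, 12, 31),
              patches_current=True, holds_personal_info=True, sensitive=True,
              last_vuln_scan=date(2013, 9, 15)),
    HostedApp("grants-register", "internal", "agency ICT", owner="Grants Branch",
              version="2.1", vendor_support_end=date(2015, 1, 1),
              patches_current=False, holds_personal_info=True,
              last_vuln_scan=date(2013, 5, 1)),
]


if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY, REVIEW_DATE).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("     - " + finding)
```

Run against the constructed inventory, the provider-hosted portal fails on all four counts (no owner, unclassified data, an obsolete release that is nonetheless fully patched, never scanned), the internal HR system passes, and the grants register fails only on missing patches and an overdue scan. The check is deliberately indifferent to where an application is hosted, which reflects the Commissioner's view that an outsourced server does not move the obligation to the provider; the contract decides who does the work, not who is responsible.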

Privacy contacts for the Commonwealth Government

Our privacy services
Our team works closely with many departments and agencies to:
- tailor privacy audits to ensure they address the particular policy and legislative requirements of the agency
- review privacy audit results and identify compliance gaps
- remedy any compliance gaps in a practical and pragmatic way
- tailor privacy policies and procedures to ensure full compliance
- implement privacy training specific to agency requirements and work with other stakeholders to devise training and evaluation processes, and
- ensure contractual arrangements adequately protect against privacy liability.

If you would like to know more about our privacy services, please contact any member of our privacy team.

- Michael Palfrey, Partner (Privacy, FOI & Administrative Law), e: michael.palfrey@sparke.com.au
- Ashley Cahif, Special Counsel (& Commercial Law), e: ashley.cahif@sparke.com.au
- Will Sharpe, Special Counsel (Privacy, FOI & Administrative Law), e: will.sharpe@sparke.com.au
- Daniel Stewart, Consultant (Privacy, FOI & Administrative Law), e: daniel.stewart@sparke.com.au
- David McLaren, Lawyer (Privacy, FOI & Administrative Law), e: david.mclaren@sparke.com.au
- Stephanie Wende, Lawyer (Privacy, FOI & Administrative Law), e: stephanie.wende@sparke.com.au

Offices: Adelaide, Brisbane, Canberra, Melbourne, Newcastle, Perth, Sydney, Upper Hunter

More information

Purpose specific Information Sharing Agreement. Community Safety Accreditation Scheme Part 2

Purpose specific Information Sharing Agreement. Community Safety Accreditation Scheme Part 2 Document Information Summary Partners ISA Ref: As Part 1 An agreement to formalise the information sharing arrangements for the purpose of specific Information sharing pursuant to Crime and Disorder reduction

More information

Health Information Privacy Code 1994

Health Information Privacy Code 1994 Health Information Privacy Code 1994 Incorporating amendments Privacy Commissioner Te Mana Matapono Matatapu New Zealand The Code of Practice comprises clauses 1-7 and rules 1-12. To assist with the use

More information

Telekom Austria Group Standard Data Processing Agreement

Telekom Austria Group Standard Data Processing Agreement Telekom Austria Group Standard Data Processing Agreement This Agreement is entered into by and between: I. [TAG Company NAME], a company duly established and existing under the laws of [COUNTRY] with its

More information

DATA PROTECTION POLICY STATUTORY

DATA PROTECTION POLICY STATUTORY DATA PROTECTION POLICY MAIDEN ERLEGH TRUST STATUTORY INITIAL APPROVAL July 2017 REVIEW FREQUENCY At least every two years REVIEWED CONTENTS PART ONE: POLICY STATEMENT & OBJECTIVES PART TWO: STATUS OF THE

More information

Information Privacy Act 2000

Information Privacy Act 2000 Section Version No. 031 Information Privacy Act 2000 Version incorporating amendments as at 1 July 2014 TABLE OF PROVISIONS Page PART 1 PRELIMINARY 1 1 Purposes 1 2 Commencement 1 3 Definitions 2 4 Interpretative

More information

Queensland FREEDOM OF INFORMATION ACT 1992

Queensland FREEDOM OF INFORMATION ACT 1992 Queensland FREEDOM OF INFORMATION ACT 1992 Act No. 42 of 1992 Queensland FREEDOM OF INFORMATION ACT 1992 Section TABLE OF PROVISIONS PART 1 PRELIMINARY Division 1 Introductory Page 1 Short title.....................................................

More information

Client Service Agreement

Client Service Agreement Payleadr Pty. Ltd. ACN 615 881 162 Client Service Agreement Date: 01/05/2018 This Agreement is an agreement between Payleadr Pty Ltd ACN 615 881 162 (we, us) and you (being the entity requesting our Services

More information

ARTICLE 29 Data Protection Working Party

ARTICLE 29 Data Protection Working Party ARTICLE 29 Data Protection Working Party 11580/03/EN WP 82 Opinion 6/2003 on the level of protection of personal data in the Isle of Man Adopted on 21 November 2003 This Working Party was set up under

More information

Pursuant to Article 95 item 3 of the Constitution of Montenegro, I hereby issue the DECREE

Pursuant to Article 95 item 3 of the Constitution of Montenegro, I hereby issue the DECREE Pursuant to Article 95 item 3 of the Constitution of Montenegro, I hereby issue the DECREE PROMULGATING THE LAW ON OFFICIAL STATISTICS AND OFFICIAL STATISTICAL SYSTEM (Official Gazette of Montenegro 18/12

More information

The OIA for Ministers and agencies

The OIA for Ministers and agencies The OIA for Ministers and agencies A guide to processing official information requests The purpose of this guide is to assist Ministers and government agencies in recognising and responding to requests

More information

Enforcement guidelines for regulatory investigations. Guidelines

Enforcement guidelines for regulatory investigations. Guidelines Enforcement guidelines for regulatory investigations Guidelines Guidelines Publication date: 28 June 2017 About this document Ofcom is the independent regulator, competition authority and designated enforcer

More information

PRACTICE DIRECTION [ ] DISCLOSURE PILOT FOR THE BUSINESS AND PROPERTY COURTS

PRACTICE DIRECTION [ ] DISCLOSURE PILOT FOR THE BUSINESS AND PROPERTY COURTS Draft at 2.11.17 PRACTICE DIRECTION [ ] DISCLOSURE PILOT FOR THE BUSINESS AND PROPERTY COURTS 1. General 1.1 This Practice Direction is made under Part 51 and provides a pilot scheme for disclosure in

More information

SAINT CHRISTOPHER AND NEVIS STATUTORY RULES AND ORDERS. No. 47 of 2011

SAINT CHRISTOPHER AND NEVIS STATUTORY RULES AND ORDERS. No. 47 of 2011 SAINT CHRISTOPHER AND NEVIS STATUTORY RULES AND ORDERS No. 47 of 2011 ANTI-TERRORISM (PREVENTION OF TERRORIST FINANCING) REGULATIONS, 2011 Regulation ARRANGEMENT OF REGULATIONS 1. Citation. 2. Interpretation.

More information

Law Enforcement processing (Part 3 of the DPA 2018)

Law Enforcement processing (Part 3 of the DPA 2018) Law Enforcement processing (Part 3 of the DPA 2018) Introduction This part of the Act transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive

More information

The whistleblowing procedure is based on the following principles:

The whistleblowing procedure is based on the following principles: The HeINeKeN code of Whistle Blowing INTroduCTIoN HeINeKeN has introduced the HeINeKeN Business principles (as defined hereafter) setting out the guiding business ethics principles for HeINeKeN s business

More information

INFORMATION SHARING AGREEMENT WEST YORKSHIRE POLICE. and LEEDS AND YORK PARTNERSHIP NHS FOUNDATION TRUST

INFORMATION SHARING AGREEMENT WEST YORKSHIRE POLICE. and LEEDS AND YORK PARTNERSHIP NHS FOUNDATION TRUST INFORMATION SHARING AGREEMENT WEST YORKSHIRE POLICE and LEEDS AND YORK PARTNERSHIP NHS FOUNDATION TRUST Version 4.0 1 of 14 CONTENTS SUMMARY SHEET 1. INTRODUCTION 2. PURPOSE 3. PARTNER(S) 4. POWER(S) 5.

More information

COUNCIL OF AUSTRALIAN GOVERNMENTS COMMUNIQUÉ SPECIAL MEETING ON COUNTER-TERRORISM 27 SEPTEMBER 2005

COUNCIL OF AUSTRALIAN GOVERNMENTS COMMUNIQUÉ SPECIAL MEETING ON COUNTER-TERRORISM 27 SEPTEMBER 2005 COUNCIL OF AUSTRALIAN GOVERNMENTS COMMUNIQUÉ SPECIAL MEETING ON COUNTER-TERRORISM 27 SEPTEMBER 2005 The Council of Australian Governments (COAG), comprising the Prime Minister, Premiers, the Chief Ministers

More information

The LGOIMA for local government agencies

The LGOIMA for local government agencies The LGOIMA for local government agencies A guide to processing requests and conducting meetings The purpose of this guide is to assist local government agencies in recognising and responding to requests

More information

Identity Cards Bill EXPLANATORY NOTES. Explanatory notes to the Bill, prepared by the Home Office, are published separately as Bill 9 EN.

Identity Cards Bill EXPLANATORY NOTES. Explanatory notes to the Bill, prepared by the Home Office, are published separately as Bill 9 EN. Identity Cards Bill EXPLANATORY NOTES Explanatory notes to the Bill, prepared by the Home Office, are published separately as Bill 9 EN. EUROPEAN CONVENTION ON HUMAN RIGHTS Mr Secretary Clarke has made

More information

NATIONAL POLICE HISTORY CHECK INFORMATION. Western Australian Education and Training Sectors

NATIONAL POLICE HISTORY CHECK INFORMATION. Western Australian Education and Training Sectors NATIONAL POLICE HISTORY CHECK INFORMATION Western Australian Education and Training Sectors HOW TO COMPLETE THIS FORM Please read all information in Sections A to I and complete the details required on

More information

Surveillance Laws and Balancing Privacy Obligations South Australian Freight Council Inc (SAFC) October 2018

Surveillance Laws and Balancing Privacy Obligations South Australian Freight Council Inc (SAFC) October 2018 South Australian Freight Council Inc (SAFC) October 2018 Presentation Name August 2012 Shane Sankey, Partner Wallmans Lawyers 2 State Legislation > Surveillance Devices Act 2007 (NSW) > Invasion of Privacy

More information

Tertiary Education Quality and Standards Agency Act 2011

Tertiary Education Quality and Standards Agency Act 2011 Tertiary Education Quality and Standards Agency Act 2011 Act No. 73 of 2011 as amended This compilation was prepared on 3 October 2012 taking into account amendments up to Act No. 136 of 2012 The text

More information

NIGERIAN COMMUNICATIONS ACT (2003 No. 19)

NIGERIAN COMMUNICATIONS ACT (2003 No. 19) NIGERIAN COMMUNICATIONS ACT (2003 No. 19) CONSUMER CODE OF PRACTICE REGULATIONS 2007 ARRANGEMENT OF REGULATIONS Regulation PART I - SCOPE AND OBJECTIVES 1. Scope of Regulations. 2. Objectives. 3. Application.

More information

Appointment of a migration agent or exempt agent or other authorised recipient

Appointment of a migration agent or exempt agent or other authorised recipient Appointment of a migration agent or exempt agent or other authorised recipient Form 956 Who should use this form? You should use this form to advise the Department of Immigration and Citizenship (the department)

More information

The Ministry of Technology, Communication and Innovation and The Data Protection Office. Workshop On DATA PROTECTION ACT 2017

The Ministry of Technology, Communication and Innovation and The Data Protection Office. Workshop On DATA PROTECTION ACT 2017 The Ministry of Technology, Communication and Innovation and The Data Protection Office Workshop On DATA PROTECTION ACT 2017 Tuesday 06 March 2018 from 08.30 hrs 15.30 hrs InterContinental Mauritius Resort,

More information

Results report Missing Persons Act What was this engagement about? The Yukon Government was looking to develop legislation as a mechanism to assist

Results report Missing Persons Act What was this engagement about? The Yukon Government was looking to develop legislation as a mechanism to assist Results report Missing Persons Act What was this engagement about? The Yukon Government was looking to develop legislation as a mechanism to assist the RCMP with missing persons investigations and sought

More information

CITY OF VANCOUVER DUTY TO ASSIST

CITY OF VANCOUVER DUTY TO ASSIST AUDIT & COMPLIANCE REPORT F16-01 CITY OF VANCOUVER DUTY TO ASSIST Elizabeth Denham Information and Privacy Commissioner for British Columbia June 23, 2016 CanLII Cite: 2016 BCIPC 32 Quicklaw Cite: [2016]

More information

March 2016 INVESTOR TERMS OF SERVICE

March 2016 INVESTOR TERMS OF SERVICE March 2016 INVESTOR TERMS OF SERVICE This Agreement is between you and Financial Pulse Limited and sets out the terms on which Financial Pulse offers you access to and use of certain services via the online

More information

EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE. Directorate C: Fundamental rights and Union citizenship Unit C.3: Data protection

EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE. Directorate C: Fundamental rights and Union citizenship Unit C.3: Data protection EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE Directorate C: Fundamental rights and Union citizenship Unit C.3: Data protection Commission Decision C(2010)593 Standard Contractual Clauses (processors)

More information

CONSULTANCY SERVICES AGREEMENT

CONSULTANCY SERVICES AGREEMENT DATED 2010 [INSERT NAME OF CUSTOMER] (Customer) CAVALLINO HOLDINGS PTY LIMITED ACN 136 816 656 ATF THE DAYTONA DISCRETIONARY TRUST T/A INSIGHT ACUMEN (Consultant) CONSULTANCY SERVICES AGREEMENT Suite 5,

More information