A guide to the new privacy landscape for the Commonwealth Government

Contents

Privacy compliance: it's time to get ready 3
Overview of the Australian Privacy Principles 4
The other requirements 8
Privacy developments: what's next? 9
Topics covered by the draft OAIC APP Guidance 12
Getting started 15
AAPT hacking case study 18
Privacy contacts for the Commonwealth Government 22

Privacy compliance: it's time to get ready

On 12 March 2014, the biggest change to the privacy landscape for Commonwealth Government agencies since the introduction of the Privacy Act takes effect. It is not too late to commence preparations for the changes, but time is running out. Agencies need to start work now to ensure compliance by this deadline.

This Guide provides agencies with:
- a summary of the main changes to the Privacy Act
- an overview of the likely developments in the privacy area in the near future, and
- a plan of action, setting out what agencies need to do now.

To help you, Sparke Helmore has also developed a Privacy Compliance Toolkit. This toolkit, which will be tailored to each agency's needs, covers the requirements of the new provisions and topics such as privacy audits, privacy policy and procedures, and privacy training. If you would like to know more about the privacy services Sparke Helmore offers, please contact me or any member of our Government Team.

Main changes of note
- the replacement of the IPPs with the APPs
- amendments to key provisions of the Privacy Act
- the strengthening of the Commissioner's powers, backed by pecuniary penalties of up to $1.7 million.

Michael Palfrey | Partner
t: +61 2 6263 6367 | m: +61 424 756 294
e: michael.palfrey@sparke.com.au

Sparke Helmore Lawyers, November 2013

Overview of the Australian Privacy Principles

Bottom line
The amendments tighten up the rules around how agencies can collect, use and disclose personal information. For the first time, a single set of principles, the Australian Privacy Principles, will apply to both the private and public sectors. There is a new requirement for agencies to develop detailed privacy policies and make them clear and easily accessible. The Principles require a higher standard of protection to be afforded to sensitive information. The Commissioner will also be able to obtain enforceable undertakings from an entity and apply to the court for a civil penalty order against agencies.

The main changes to the Privacy Act result from the replacement of the current Information Privacy Principles (IPPs) with the Australian Privacy Principles (APPs). Importantly, the APPs align more closely with the current National Privacy Principles, which apply to the private sector, than with the IPPs. This summary sets out the main requirements of the APPs.

APP 1 open and transparent management of personal information
Agencies are required to manage personal information in an open and transparent way. This includes:
- having procedures and systems in place that are reasonable in the circumstances to enable compliance with the new principles
- having an up-to-date privacy policy that is clearly expressed and readily available (usually on the agency's website), which contains information about:
  - the kinds of personal information collected
  - how the information is collected
  - the purposes for collection
  - whether it is likely that the agency will disclose personal information to overseas recipients and, if so, the countries in which they are likely to be located.

APP 2 anonymity and pseudonymity
Where it is lawful and practicable, individuals must be given the option of not identifying themselves when dealing with an agency. Options include allowing the individual to deal with the agency under a pseudonym.

APP 3 collection of solicited personal information
This principle sets out the standard for collection of personal information. The standard differs between agencies and organisations.
An agency must only collect personal information that is reasonably necessary for, or directly related to, one or more of its functions or activities. An agency must only collect sensitive information if the individual consents to the collection and the information is reasonably necessary for, or directly related to, one or more of its functions or activities. There are exceptions to this general rule. These include:
- where the collection is required or authorised by Australian law or a court order
- in permitted general situations
- in permitted health situations, and
- where an enforcement body reasonably believes that the collection of the information is reasonably necessary.

Further, an agency must collect the information:
- by lawful and fair means, and
- directly from the individual concerned, unless certain circumstances apply (for example, where it is unreasonable or impracticable to do so).

APP 4 dealing with unsolicited personal information
When an agency receives unsolicited personal information it must determine whether or not it could have collected the information in line with APP 3. If:
- it could, the other APPs apply to that personal information, or
- it couldn't, steps must be taken to either destroy the information or de-identify it so that it no longer contains personal information. This requirement doesn't apply if the information is contained in a Commonwealth record.

APP 5 notification of the collection of personal information
When an agency collects an individual's personal information it must take reasonable steps to notify the individual of the collection. The matters to be notified include:
- the contact details of the APP entity
- whether the information has been collected from a third party or under an Australian law or court/tribunal order (and details about that collection)
- the purpose of the collection
- the complaint-handling and access/correction information in the APP entity's privacy policy
- disclosure of the information, including to overseas recipients, and
- the consequences of not collecting the information.
APP 6 use or disclosure of personal information
If an agency holds personal information about an individual that was collected for a particular purpose, it must not use or disclose the information for another purpose unless:
- the individual has consented to the use or disclosure, or
- the use or disclosure of the information falls within the listed exceptions.

Exceptions include:
- where the secondary purpose is related to the primary purpose and the individual would reasonably expect the agency to use or disclose the information for that secondary purpose (where sensitive information is involved, the secondary purpose must be directly related to the primary purpose)
- where the use or disclosure is required or authorised by an Australian law or a court order
- in permitted general situations
- in permitted health situations, and
- where the agency reasonably believes that the use or disclosure of the information is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body.

An agency can disclose biometric information or biometric templates to an enforcement body if the disclosure is in line with the Commissioner's guidelines.

APP 7 direct marketing
This principle doesn't apply to agencies unless they are engaging in commercial activities.

APP 8 cross-border disclosure of personal information
Before an agency discloses personal information to an overseas recipient, it must take reasonable steps to ensure the recipient doesn't breach the APPs (other than APP 1). This will generally require the agency to enter into a contractual relationship with the recipient. Exceptions include:
- the agency reasonably believes the recipient of the information is subject to a law or binding scheme substantially similar to the APPs
- there is express informed consent to the disclosure of the information
- the disclosure is required or authorised by Australian law
- in permitted general situations
- the disclosure is required or authorised by an international agreement relating to information sharing (to which Australia is a party), and
- where the entity reasonably believes the disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body, and the overseas recipient is an equivalent type of body.

APP 9 adoption, use or disclosure of government-related identifiers
In general this principle doesn't apply to agencies.

APP 10 quality of personal information
An agency is required to protect the quality of the personal information it collects, uses and discloses, and to take reasonable steps to ensure that:
- the personal information it collects is accurate, up-to-date and complete, and
- the personal information it uses or discloses is accurate, up-to-date, complete and relevant.

APP 11 security of personal information
An agency must protect, and in some cases destroy, personal information.
This obligation includes taking reasonable steps to:
- protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and
- destroy or de-identify personal information that is no longer needed for any purpose for which it may be used or disclosed under the APPs, unless the information is in a Commonwealth record.

APP 12 access to personal information
An agency must give an individual access to their personal information, subject to specific exceptions. This principle does not apply where an agency is required or authorised to refuse to give access under the Freedom of Information Act 1982 or other legislation. The principle sets out the procedural details for requests for access, such as:
- time-frames
- means of access
- access charges, and
- procedures for refusal to grant access.

APP 13 correction of personal information
An agency must take reasonable steps to correct personal information it holds about an individual if:
- it believes the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, or
- the individual requests that it be corrected.

An agency is not obliged to maintain the correctness of the personal information it holds at all times. However, when personal information is used or disclosed, an agency may need to correct it before use or disclosure if it is satisfied the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

The other requirements

The main changes to the Privacy Act are contained in the APPs; however, there are other changes that agencies need to understand. This summary sets out some of the key provisions that are not contained in the APPs.

Exceptions to the APPs
The general rule is that an agency covered by the APPs must not act in a way that breaches them; however, there are exceptions. The main exceptions are permitted general situations and permitted health situations.

Exception 1 permitted general situations
Personal information may be collected, used or disclosed without breaching the APPs where:
- it is unreasonable or impracticable to obtain the individual's consent and the agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, or
- there is reason to suspect unlawful activity or serious misconduct relating to the agency's functions or activities and the agency reasonably believes that the collection, use or disclosure is necessary to take appropriate action in relation to the matter, or
- the agency reasonably believes it is necessary to help locate a missing person (provided this is in keeping with any rules made by the Commissioner), or
- the agency reasonably believes it is necessary for its diplomatic or consular functions or activities.

The Defence Force may also collect, use or disclose personal information where it reasonably believes it is necessary for its overseas operations.

Exception 2 permitted health situations
Health information may be collected, used and disclosed in certain situations without breaching the APPs. This exception is essentially the same as under the 2000 reforms to the Act, which permit the collection, use or disclosure where the information is necessary to provide a health service to the individual and it is:
- required by or authorised under Australian law, or
- in line with rules established by competent health or medical bodies.
Other obligations not contained in the APPs
Agencies will also need to be aware of obligations and key concepts contained in other provisions of the Privacy Act, including:
- the definitions of key concepts, including some of those referred to in the APPs
- the expansion of the extra-territorial operation of the Act
- the responsibilities of agencies where they disclose personal information to an overseas recipient
- external dispute resolution schemes
- APP Codes, and
- the obligations on agencies if they engage contracted service providers.

Information Commissioner's guidance, monitoring and advice-related functions
The amendments enhance the Office of the Australian Information Commissioner's (Information Commissioner) guidance, monitoring and advice functions, and its powers to audit compliance. In particular, the Information Commissioner may:
- accept enforceable undertakings from an entity
- apply to the Federal Court or Federal Circuit Court for an order that an entity pay a civil penalty, and
- conduct own-motion assessments of compliance with the APPs.

Privacy developments: what's next?

The privacy landscape in Australia is rapidly changing as the Government tries to respond to changes in technology and to developments in the privacy policies and practices of other countries in the developed world. While most of the attention has been devoted to reviewing the changes contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which takes effect on 12 March 2014, there are a number of other areas that are likely to see changes in the near future. This article discusses some of the areas in which development is already underway and where we are most likely to see changes in the near future.

OAIC Guidelines
At the time of writing, the OAIC has released two tranches of draft APP Guidelines for consultation. A table of the issues covered by the draft guidance is set out at the end of this article.
As there is less than six months to go before the APPs take effect, we expect the OAIC will soon release the remainder of its draft guidance and move very quickly to finalise it in time for the commencement of the new provisions. In the meantime, the OAIC continues to release guidance on other aspects of privacy that may have implications for entities. For example, the OAIC recently released guidelines for Code Development and External Dispute Resolution Scheme Recognition, both of which are concepts relevant under the Privacy Act after March 2014. This means entities will need to continually monitor and adapt their privacy policies and procedures in line with the guidance as it is released.

Mandatory Breach Notification Bill
On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (the Bill), to create a mandatory notification scheme for serious data breaches, was introduced into Parliament. The Bill followed on from the Australian Government's discussion paper, Australian Privacy Breach Notification, released on 17 October 2012 (see our article Privacy breaches: mandatory notification a step closer). The discussion paper followed the Office of the Australian Information Commissioner's (OAIC) publication, Data Breach Notification: A Guide to Handling Personal Information Security Breaches (see our article Privacy: the sands continue shifting). The Bill:
- sets out the requirement on agencies to notify individuals when there has been a serious data breach
- sets out the notification requirements, and
- deems a failure to comply with the mandatory notification obligations to be an interference with the privacy of an individual for the purposes of the Privacy Act, enlivening the enhanced powers of the Commissioner to investigate and pursue remedies, including civil penalties.

The new Commonwealth Government may restart the process to introduce the mandatory scheme, particularly as the Senate Committee report recommended the Bill be passed.
However, comments by the Coalition Senators on the Committee about the timeframe of the Bill, and concern in the industry about regulatory overload, suggest that more time may be granted for consultation and implementation of the reforms.

Statutory cause of action for serious invasion of privacy
Following a number of high profile privacy breaches, in particular the 2011 News International phone hacking scandal, the Government released an issues paper in September 2011, A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy. The paper explored some of the key issues raised by the Australian Law Reform Commission's 2008 recommendation that there be a statutory cause of action for serious invasions of privacy.

Some of the key issues that need to be considered in deciding whether a statutory cause of action should be introduced are also explored in the issues paper. These include:
- whether there is a need for it
- what the appropriate test is
- what defences should be available
- whether there should be exemptions, and
- how damages should be calculated.

For a detailed summary of the main recommendations of the committee report see our article Suing for invasion of privacy: the Government releases its Issues Paper.

On 12 June 2013, the former Attorney-General referred the issue to the Australian Law Reform Commission for inquiry and report by June 2014. The ALRC released an issues paper on 8 October 2013, beginning its consultation process for the inquiry.

This issue is complex and divisive. While we expect that the Government will move carefully in this area, if there is a high-profile scandal involving a privacy breach by an Australian entity (such as evidence of widespread phone hacking), then there is likely to be public pressure for the Government to act quickly to introduce a statutory cause of action. Fortunately, to date, there is no evidence that this has occurred in Australia.

Next stage response to the ALRC Report
The March 2014 amendments to the Privacy Act reflect the first stage of the Government's response to the Australian Law Reform Commission's (ALRC) 2008 report, For Your Information: Australian Privacy Law and Practice (which made 295 recommendations for change). The previous Government stated that the remaining 98 recommendations of the ALRC report would be considered after the progression of the first stage reforms. Assuming the new Government continues to implement the recommendations of the report, we expect to see further consultation undertaken on the remaining recommendations. Mandatory breach notification and a statutory cause of action for serious invasion of privacy are two of the key issues set out in the remaining recommendations.
Conclusion
While it is acknowledged that keeping pace with technological and privacy developments means that the privacy landscape is likely to continue changing, it is hoped that the new Government will balance the need for changes with the need to provide all stakeholders with the opportunity for appropriate consultation and consideration of any proposed amendments. In the meantime, agencies will need to keep on top of developments in the privacy area, particularly the OAIC's final APP guidance, which is expected in the coming months, and ensure that the guidance is reflected in their practices and procedures under the APPs by 12 March 2014.

Topics covered by the draft OAIC APP Guidance

General matters
- who is covered
- what happens if an entity breaches the APPs
- clarification of some of the key concepts contained in the APPs, such as their extraterritorial application, collection, Commonwealth records, consent, disclosure, health information, necessary and reasonably necessary, personal information and purpose
- what the permitted general situation exception includes, and
- what the permitted health situation exception includes.

APP 1 open and transparent management of personal information
- what constitutes reasonable steps
- examples of practices, procedures and systems that entities should consider implementing
- information that must be included in an entity's privacy policy, and
- availability of the privacy policy to the public.

APP 2 anonymity and pseudonymity
- anonymous and pseudonymous options
- when identification is required or authorised by law, and
- when it is impracticable for an entity to deal with an individual who has not identified themselves.

APP 3 collection of solicited personal information
- examples of solicited information
- the process for determining whether the collection of personal information is reasonably necessary for (for organisations), or directly related to (for agencies), the entity's functions
- collection of sensitive information where it is required or authorised by law, a permitted general situation exists, a permitted health situation exists, or it is for an enforcement activity
- what constitutes lawful and fair means, and
- the exceptions to the requirement to collect directly from the individual, where it is unreasonable or impractical, the individual consents to the collection from someone else (for agencies), or it is required or authorised by law.

APP 4 dealing with unsolicited personal information
- examples of unsolicited information, and
- issues in dealing with unsolicited information, such as Commonwealth records, when destruction or de-identification is lawful, factors to consider in deciding whether destruction or de-identification is reasonable, and dealing with information that is not destroyed or de-identified.

APP 5 notification of the collection of personal information
- factors that are relevant to assessing whether reasonable steps to notify or ensure awareness have been taken
- examples of reasonable steps that could be taken
- examples of when not taking any steps is reasonable
- the matters that must be notified, and
- when the notification must occur.

APP 6 use or disclosure of personal information
- the meaning of hold, use, disclose and purpose
- use or disclosure for a secondary purpose
- use or disclosure of sensitive information
- use or disclosure with the individual's consent, where reasonably expected by the individual, as required or authorised by law, where a permitted general situation exists, where a permitted health situation exists, and for an enforcement related activity
- disclosure of biometric information to an enforcement body
- de-identification of certain health information before disclosure, and
- use or disclosure between related bodies corporate.

APP 7 direct marketing
- the principle only applies to some agencies engaged in commercial activities
- examples of direct marketing
- when agencies are covered
- use and disclosure of personal information for the purpose of direct marketing where reasonably expected by the individual, and where there is no reasonable expectation of the individual or the information is collected from a third party
- use and disclosure of sensitive information for the purpose of direct marketing with the individual's consent
- direct marketing by contracted service providers
- requests to stop direct marketing communications
- requests to stop facilitating direct marketing, and
- interaction with other legislation.

APP 8 cross-border disclosure of personal information
- what constitutes an overseas recipient
- when an entity discloses personal information to an overseas recipient
- when an entity will have taken reasonable steps
- when an overseas recipient is subject to a similar law or binding scheme
- disclosure to an overseas recipient with consent after the individual is expressly informed, as required or authorised by law, where a permitted general situation exists, as required or authorised under an international agreement relating to information sharing (for agencies), and for an enforcement-related activity, and
- when an entity is accountable for personal information that it discloses to an overseas recipient.

APP 9 adoption, use or disclosure of government-related identifiers
- the principle only applies to some agencies engaged in commercial activities
- what is a government-related identifier
- when agencies are covered by APP 9
- what adoption means
- adoption as required or authorised by or under law
- use and disclosure of government-related identifiers
- use or disclosure where it is reasonably necessary to verify the identity of the individual, and to fulfil obligations to an agency or a state or territory authority
- use or disclosure as required or authorised under law
- use or disclosure where a permitted general situation exists, and
- use or disclosure to an enforcement body for enforcement-related activities.

APP 10 quality of personal information
- what are reasonable steps
- examples of reasonable steps
- what are the quality considerations, and
- interaction with other APPs.

APP 11 security of personal information
- when an entity holds personal information
- what are reasonable steps
- what are the security considerations, and
- destruction or de-identification of personal information.

Getting started

The Privacy Act amendments make numerous changes to the way agencies collect, hold, use and disclose personal information.
Agencies already have systems and procedures to comply with current privacy obligations. What needs to happen now is to identify what the new obligations are and how to adapt existing practices and procedures to achieve compliance. A high level approach to becoming compliant has these phases:

PLAN > AUDIT > ANALYSE > AMEND > IMPLEMENT

To assist your privacy compliance project team, we have developed a Toolkit that addresses the requirements of the new provisions and covers topics such as privacy audits, privacy policy and procedures, and privacy training. The toolkit will be tailored to each agency. Call Michael Palfrey on (02) 6263 6367 for more information about the toolkit and pricing. One of the key steps in the toolkit involves designing and conducting the privacy audit.

AUDIT: Design and conduct a privacy audit
An important step in the compliance process is to conduct a privacy audit to identify the current privacy practices and procedures, and then compare them against the new obligations to determine areas of non-compliance. A privacy audit is designed to identify:
- the types of personal information you currently collect, hold, use and disclose
- the types of personal information you may collect, hold, use and disclose in the future
- how you collect, hold, use and disclose that information
- what legislation, policies and procedures currently govern your agency's collection, holding, use and disclosure of personal information
- where these activities take place, and
- what may be reasonable steps in the context of your agency and in relation to individual collection processes.

Assign team
The audit project team should involve senior management from the legal, FOI, IT, media relations and HR areas in your agency.

Assess current privacy compliance
To collect information on privacy compliance, each area within the agency will need to be investigated. As an initial step, a questionnaire is useful to identify current practices and to get managers thinking about how their current practices may need to change.
Page 14 Sparke Helmore Lawyers November 2013 Sparke Helmore Lawyers November 2013 Page 15

The best questionnaires contain appropriate guidance to assist line areas to understand relevant concepts, for example, the collection, use and disclosure of sensitive information. At a minimum, the questionnaire should ask each area to identify their current practices around the key stages of the information lifecycle. To help you, we have included below a list of items your questionnaire should cover.

Validation and clarification
After the questionnaires have been completed and analysed, the audit team should meet with line areas to ensure they understood the questions and to validate the responses, identify any areas of risk and non-compliance, and discuss appropriate compliance strategies.

Prepare audit report
The audit report will present the audit team's findings and identify:
- key privacy issues and risks facing the agency
- the level of privacy compliance within the agency, and
- recommendations to ensure compliance with privacy obligations.

Compliance survey topic suggestions

1. General
- The systems, policies and procedures in place to ensure compliance with the area's privacy obligations
- The privacy training and guidance material used by the area in carrying out its functions
- The results of any privacy compliance audits that have been undertaken
- Any complaints handling process in place regarding the collection, holding, use and disclosure of personal information
- Any complaints or enquiries received in the past
- Any specific legislation that governs its current privacy practices

2. Collection
- The types of personal information that it collects
- Any personal information that it collects that is sensitive
- Any government identifiers related to the personal information
- Whether it is lawful/practical for people to remain anonymous when dealing with the area
- Why that personal information is required for its functions
- Any legal requirement or authorisation to collect the personal information
- How the personal information is collected
- How the area informs the person of its policies and procedures for collection of the personal information
- What the area informs the person about the collection of the information
- The terms of any consent that a person gives to the collection
- Any unsolicited personal information that is received

3. Use
- How the area uses the collected information
- Why the information is required to be used for the area to exercise its functions
- Any legal requirement or authorisation to use the information
- How the individual is informed of that use
- The terms of any consent to that use
- The policies and procedures the area follows that govern use of personal information

4. Disclosure
- Any personal information disclosed
- Any personal information disclosed overseas and, if so, where and under what conditions
- How the individual is made aware of the disclosures
- Terms governing any disclosure to third parties and terms of any consent to disclosure
- Any legal requirement or authorisation to disclose the information
- Policies and procedures the area follows that govern disclosure of personal information

5. Storage and security
- How the personal information is stored
- What security measures are in place to ensure protection against loss, unauthorised access, use, modification or disclosure
- What security policies/procedures governing the handling and storage of personal information apply to the area
- What protocols/procedures govern adding, amending or deleting personal information
- What legal requirements/authorisations apply to storing/destroying personal information

6. Information integrity
- How an individual can access their personal information
- How they are made aware of the area having their personal information
- How they are made aware of their ability to access their personal information
- Any legal requirement or authorisation governing refusal of access to the information
- The policies and procedures the area follows that govern a person's access to personal information
- How the area ensures that the personal information is accurate, relevant, up-to-date, complete and not misleading

AAPT hacking case study: what would happen if it was an agency under the new law?

Recently, AAPT customer data was hacked and published on the internet. Following an own motion investigation, on 15 October, Australian Information Commissioner, Timothy Pilgrim, found AAPT had breached the Act in respect of the incident. The case provides a useful scenario to examine what the result would be if the same issues arose for an agency under the new law. In particular, the case provides useful guidance around the Commissioner's thinking on:
- what constitutes disclosure and what constitutes use
- what your obligations are when you use a third party server, and
- what your training obligations are.

Background
This case involved AAPT's company data (including customers' personal information) being accessed and stolen by Anonymous, an international network of hacktivists, between 17 and 19 July 2012. Anonymous subsequently published the data on the internet.

The data was held on a server managed by WebCentral Pty Ltd, a web-hosting business unit of Melbourne IT. Under the contract between AAPT and WebCentral, WebCentral was required to fully manage and maintain the server, except for the custom application content and data, which were the responsibility of AAPT. Anonymous accessed the data through the Cold Fusion application installed on the server, which was a customer-managed application and was AAPT's responsibility under the contract. AAPT was using an old version of Cold Fusion, which was known to have vulnerabilities. When Melbourne IT became aware of the attack it notified AAPT, which immediately disconnected from the network and took steps to ensure the data could not be further compromised.

Own motion investigations
It is worth noting that this matter involved an own motion investigation in response to media reports of the hacking by Anonymous. Accordingly, agencies cannot rely on the fact that they have not received a complaint as an indication that any privacy breaches will not be pursued.
Under the new provisions, the Commissioner's powers will be enhanced, including through clarifying and strengthening the Commissioner's own motion investigations of any act or practice that may interfere with an individual's privacy or a possible breach of APP 1. Further, agencies may also have notification requirements if the mandatory notification legislation is introduced.

Who held the data?
Under NPP 4.1, an organisation is required to take reasonable steps to protect personal information it held from misuse and loss and from unauthorised access or disclosure. The question in this case was whether AAPT or WebCentral held the data. The Commissioner took the view that AAPT held the data despite it being stored on WebCentral's server. Accordingly, AAPT had the obligation under NPP 4.1. APP 11.1 is the equivalent of NPP 4.1 so, in circumstances where an agency outsources data storage, it will still be likely to be regarded as holding the information under the new provisions and will have obligations to protect the information.

Was the publishing of the data a disclosure by AAPT?
An organisation may only use or disclose personal information for the primary purpose of collection under NPP 2.1. As the publication of the data was not for the primary purpose of the collection, the Commissioner examined whether the publication amounted to a disclosure by AAPT. As the data was made public through the malicious actions of Anonymous, the Commissioner found that the publication was not a disclosure by AAPT. APP 6.1 sets out similar requirements about the use and disclosure of personal information as NPP 2.1, so this test will remain relevant under the new provisions.

Reasonable steps to protect personal information
The Commissioner found AAPT failed to take reasonable steps to secure the personal information as required by NPP 4.1.
In assessing whether reasonable steps had been taken, the Commissioner examined the Cold Fusion application to determine whether it was suitable in the circumstances, the contract between AAPT and WebCentral, and AAPT's awareness and management of the privacy protection measures under the arrangements.

The Commissioner noted that AAPT used a seven-year-old version of Cold Fusion, which was known to have vulnerabilities. While the security patches on the version used by AAPT were up-to-date, the failure to use newer versions of the application that did not have the vulnerabilities of the older version meant that AAPT had not taken reasonable steps to protect the information.

The Commissioner identified several deficiencies in the security of data provisions in the contract between AAPT and WebCentral, including:
- data was not assessed to determine whether it included personal information and its sensitivity
- existing or emerging security risks were not required to be identified and addressed, and
- vulnerability scanning and assessment of the effectiveness of the Cold Fusion application were not required to be undertaken.

This led to the conclusion that AAPT did not have adequate contractual measures in place to protect the data held on the compromised server.

The Commissioner noted that it was unclear whether AAPT was aware of what personal information was on the server, what Cold Fusion applications were installed and the parts of the server they related to, or who was responsible for the maintenance and management of the application.

Based on the known deficiencies in the version of the application used, the inadequate contractual arrangements in place and the lack of knowledge and management of the security measures in place, the Commissioner found that AAPT had failed to take reasonable steps to secure the personal information.
To address these issues, the Commissioner recommended AAPT:
- conduct regular reviews of all IT applications held internally or with external providers to ensure AAPT is aware of the applications held
- take steps to ensure all IT applications held internally or externally which hold or use personal information are subject to vulnerability assessment and testing and regular vulnerability scanning
- clearly allocate responsibility for management of applications
- conduct regular audits of AAPT's IT security framework to ensure security measures are working effectively, and that policies and procedures relating to data security are being complied with
- undertake steps to ensure appropriate classification of data it holds either internally or externally, including whether it includes personal information and the sensitivity of that information, and
- review the terms of the contracts it has with IT suppliers that hold or manage AAPT data to ensure clarity around which party has responsibility for identifying and addressing data security issues (such as vulnerabilities associated with old versions of IT applications).

As APP 11.1 imposes the same requirements on agencies as NPP 4.1 did on AAPT, agencies in AAPT's position would also be in breach of the new provision (along with existing IPP 4). The recommendations made by the Commissioner provide some useful guidance on what he regards as reasonable steps in the circumstances to discharge your obligations under the new provisions.

Reasonable steps to destroy or permanently de-identify personal information that was no longer in use
The Commissioner found AAPT had breached its obligation to destroy or permanently de-identify personal information that was no longer in use. To comply with this obligation an organisation is required to develop systems or procedures to identify information it no longer needs and a process for how the destruction or de-identification of the information will occur. In AAPT's case, the Commissioner noted that these policies were available on the company's internet; however, they were not followed in this case and there was a low awareness of them among staff. As a result, AAPT had not taken the reasonable steps required by NPP 4.2.

Importantly, this finding highlights that having a policy that complies with the requirements is not enough. Organisations also have an obligation to train their staff to comply with the policy and take reasonable steps to ensure that the policy is implemented.

This area of destruction and de-identification is one of the key areas where the obligations of organisations and agencies differ. Under APP 6.2, the obligation to destroy or de-identify the personal information does not apply to information contained in a Commonwealth record, to ensure that the agency's obligations under the Archives Act can be complied with.

Penalties for breach
As the case involved breaches of NPPs, the Commissioner was unable to impose a penalty on AAPT. Under the new APPs, which impose the same requirements on agencies as the NPPs in question (with the exception of record destruction), the Commissioner has enhanced enforcement powers, including the ability to accept and compel compliance with enforceable undertakings and, in the case of serious or repeated breaches, to seek civil penalties of up to $1.7 million.
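The Commissioner's recommendations are organisational controls, but most of them can be tracked mechanically against an application inventory. The following script is an added example, not code from the guide or from the Commissioner's report: it checks a constructed inventory of a hypothetical agency for the points in the recommendation list (every application has an allocated owner, its data has been classified, anything that may hold personal information has a recent vulnerability scan, old installed versions are flagged, and externally hosted applications have a contract that allocates security responsibility). The field names, the 90-day scan interval and the three-year version threshold are assumptions chosen for the example.

```python
"""Application inventory check modelled on the controls the Commissioner
recommended in the AAPT case. Added example with constructed data; the
thresholds and field names are assumptions, not figures from the report."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed thresholds: what counts as "regular" scanning and as an old release.
MAX_DAYS_SINCE_SCAN = 90
MAX_VERSION_AGE_YEARS = 3


@dataclass
class Application:
    name: str
    hosted_by: str                        # "internal" or the external provider
    owner: Optional[str]                  # team responsible for the application
    holds_personal_info: Optional[bool]   # None = data never classified
    sensitive: Optional[bool]             # None = sensitivity never assessed
    version_released: date                # release date of the installed version
    last_vuln_scan: Optional[date]        # None = never scanned
    contract_assigns_security: Optional[bool]  # externally hosted apps only


def audit_application(app: Application, today: date) -> list[str]:
    """Return one finding per recommendation the application fails."""
    findings = []
    # Classification: is it known whether the application holds personal
    # information, and if so how sensitive that information is?
    if app.holds_personal_info is None or (app.holds_personal_info and app.sensitive is None):
        findings.append("data not classified (personal information / sensitivity unknown)")
    # Allocation of responsibility for management of the application.
    if not app.owner:
        findings.append("no owner allocated for management of the application")
    # Awareness of old versions (AAPT ran a seven-year-old Cold Fusion release).
    age_years = (today - app.version_released).days / 365.25
    if age_years > MAX_VERSION_AGE_YEARS:
        findings.append(f"installed version is {age_years:.1f} years old; review newer releases")
    # Vulnerability assessment and regular scanning for anything that may hold
    # personal information; an unclassified application is treated as holding it.
    if app.holds_personal_info is not False:
        if app.last_vuln_scan is None or (today - app.last_vuln_scan).days > MAX_DAYS_SINCE_SCAN:
            findings.append(f"no vulnerability scan within the last {MAX_DAYS_SINCE_SCAN} days")
    # Contract clarity for externally hosted applications.
    if app.hosted_by != "internal" and not app.contract_assigns_security:
        findings.append(f"contract with {app.hosted_by} does not allocate security responsibility")
    return findings


def audit_inventory(apps: list[Application], today: date) -> dict[str, list[str]]:
    """Map each application name to its list of findings (empty = no findings)."""
    return {app.name: audit_application(app, today) for app in apps}


def non_compliant(results: dict[str, list[str]]) -> list[str]:
    """Names of applications with at least one finding, for the audit report."""
    return sorted(name for name, findings in results.items() if findings)


# Constructed sample inventory for a hypothetical agency (not data from the page).
SAMPLE_INVENTORY = [
    # Externally hosted, never classified, no owner, old release, never scanned,
    # and the hosting contract is silent on security: the AAPT pattern.
    Application("customer-portal", "ExampleHost Pty Ltd", None, None, None,
                date(2006, 6, 1), None, False),
    # Internal, classified as sensitive, owned, current release, scanned recently.
    Application("hr-system", "internal", "People and Culture", True, True,
                date(2012, 3, 1), date(2013, 9, 15), None),
    # Externally hosted but classified as holding no personal information.
    Application("newsletter-archive", "ExampleHost Pty Ltd", "Communications", False, False,
                date(2013, 1, 1), None, True),
]


def audit_sample() -> dict[str, list[str]]:
    """Run the check over the constructed inventory as at 1 November 2013."""
    return audit_inventory(SAMPLE_INVENTORY, date(2013, 11, 1))


if __name__ == "__main__":
    results = audit_sample()
    for name in non_compliant(results):
        print(name)
        for finding in results[name]:
            print("  -", finding)
```

Run stand-alone, the script lists only customer-portal, with one finding for each of the five recommendations it fails; the two other constructed applications produce no findings. Treating an unclassified application as if it holds personal information is deliberate: in the AAPT case it was unclear what personal information was on the server, and that uncertainty was itself part of the breach finding.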
Key lessons
The AAPT case highlights the following key points:
- agencies continue to have privacy obligations for personal information, even when it is stored on third party servers and is not physically held by the agency, such as a cloud application
- a malicious act by a third party may result in the Commissioner commencing an own motion investigation into whether the agency is in breach of its privacy obligations; it does not require a complaint by a third party or for something to be done by the agency or its service provider
- where personal information is held by a third party, contractual arrangements for data protection and security need to be clear and adequate, and
- it is not sufficient for an agency to simply have privacy policies and procedures. It must also ensure staff are trained and regularly made aware of and implement those policies and procedures.

The Commissioner's recommendations also provide a timely reminder of the sort of steps agencies are required to take to fulfil their privacy obligations.

Contacts for the Commonwealth Government

Our privacy services
Our team works closely with many departments and agencies to:
- tailor privacy audits to ensure they address the particular policy and legislative requirements of the agency
- review privacy audit results and identify compliance gaps
- remedy any compliance gaps in a practical and pragmatic way
- tailor privacy policies and procedures to ensure full compliance
- implement privacy training specific to agency requirements and work with other stakeholders to devise training and evaluation processes, and
- ensure contractual arrangements adequately protect against privacy liability.

If you would like to know more about our privacy services, please contact any member of our privacy team.

Information, FOI & Administrative Law
Michael Palfrey, Partner
t: +61 2 6263 6367 m: +61 424 756 294 e: michael.palfrey@sparke.com.au

& Commercial Law
Ashley Cahif, Special Counsel
t: +61 2 6263 6361 m: +61 404 519 346 e: ashley.cahif@sparke.com.au

Information, FOI & Administrative Law
Will Sharpe, Special Counsel
t: +61 2 6263 6356 m: +61 406 473 967 e: will.sharpe@sparke.com.au

Information, FOI & Administrative Law
Daniel Stewart, Consultant
t: +61 6263 6380 m: +61 405 535 073 e: daniel.stewart@sparke.com.au

Information, FOI & Administrative Law
David McLaren, Lawyer
t: +61 2 6263 6332 m: +61 406 361 024 e: david.mclaren@sparke.com.au

Information, FOI & Administrative Law
Stephanie Wende, Lawyer
t: +61 2 6263 6366 m: +61 405 823 038 e: stephanie.wende@sparke.com.au

www.sparke.com.au adelaide brisbane canberra melbourne newcastle perth sydney upper hunter