Implications of changes to the Privacy Act 1988 for the market and social research industry

This paper explains the implications for AMSRO members of the 2012 amendments to the Privacy Act 1988, due to commence 12 March 2014.

Overview

The Privacy Act 1988 was amended in November 2012, after more than 7 years of law reform inquiry, consultation on draft bills and Parliamentary Committee reports. The changes, which come into effect on 12 March 2014, are major, comprising mainly:

- new Australian Privacy Principles (APPs) replacing the separate National Privacy Principles (NPPs) for the private sector and Information Privacy Principles (IPPs) for Commonwealth agencies;
- major changes to the Credit Reporting Provisions (Part IIIA) to allow for more comprehensive reporting;
- significant new enforcement powers for the Commissioner, sanctions and penalties.

The 2012 amendments follow 2010 changes which transferred most of the powers and functions of the Privacy Commissioner to a new Information Commissioner (who also has other functions in relation to federal government information). The Office of the Australian Information Commissioner (OAIC) is the entity that regulated entities now deal with, although there is still a Privacy Commissioner who has some specific functions.

Implications for AMSRO members

AMSRO members which are currently organisations subject to the Privacy Act will become regulated APP entities from March 2014. The AMSRO Market and Social Research Privacy Code (M&SRPC) (recently reviewed, but unchanged since 2003) currently substitutes the M&SR Privacy Principles (M&SRPPs) for the NPPs in relation to research activities [1]. The amended Act still provides for Codes, but if AMSRO decides an industry-specific Code is still appropriate, it will have to apply to the OAIC for approval of a new Code; otherwise members would by default be subject to the APPs from March 2014.

It is expected that if a new Code is developed, and approval sought, timing would seek to achieve a seamless transition for AMSRO members from the existing to the new Code, with only such changes as are necessary to reflect the new APPs and other amendments. See the section below on the new Code provisions.

AMSRO members which are not small business organisations will be subject to the APPs for non-research data, just as they are currently subject to the NPPs.

[1] See the important note about "Other personal information" later in this paper.

Implications of the APPs

In this section, any significant differences between the new APPs and the existing M&SR Privacy Principles (M&SRPPs) are identified and explained. Revision of the M&SRPPs to reflect these differences would be a separate task as part of the development of a replacement M&SRPC.

The structure and sequence of the APPs is somewhat different from the NPPs and M&SRPPs (which themselves combine elements of the NPPs in a unique way). The table below takes each M&SRPP in turn and relates the relevant APP to it. It also covers some changes to key terms. A summary of the main implications for AMSRO members follows the table. Each entry gives the M&SRPP or key term, followed by the relevant APP and differences.

Key terms

Identified information
  New definitions of "personal information" and "sensitive information". The Code term "identified information" differs from the term "personal information" in the current Act in that it uses "identity is apparent, or can reasonably be ascertained", omitting the qualification "from the information or opinion", thereby capturing more information that could only be identified with the use of extraneous knowledge. This was deliberate and is highly significant in the context of the practice of de-identification in market and social research. The new definition of personal information uses the words "about an identified individual, or an individual who is reasonably identifiable", without any reference to how identification can be achieved. It brings the coverage of the new APPs more closely into line with the coverage of the AMSRO Privacy Code. Consideration should be given to using the new definition of personal information in the Code in place of "identified information" to avoid any ambiguity (now that the coverage is effectively the same).

De-identification
  This term is defined in the AMSRO Privacy Code even though it is not defined in the current Privacy Act. A new definition has been introduced into the Act: "de-identified: personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable". This change reinforces the emphasis which the current Code places on de-identification being a permanent and irreversible process. The definition of de-identification in the Code could usefully be retained as it goes further in prescribing removal of details, but it may be helpful to cross-reference the new definition of "de-identified" in the Act [2]. Note that the amended Act contains definitions of "identifier" and "identification information", but these terms are only used in the narrow contexts, respectively, of the Government Related Identifier principle (APP 9) and of the credit reporting provisions (Part IIIA). They are not used in the more general context of what is identified and de-identified for the purposes of the coverage of the Act.

M&SRPP 1 Collection

1.1-1.3 Collection must be necessary
  APP 3.2-3.3: no significant difference. Now includes consent for collection of sensitive information, previously in a separate Principle (NPP 10) but always indirectly included in M&SRPP 1 as a right to withhold, as well as expressly in 1.9.

1.4 Means of collection
  Lawful and fair means in APP 3.5; "not unreasonably intrusive" now removed.

1.5 Ensuring individuals are aware
  APP 5.1 and 5.2: slight changes in wording of detailed content. M&SRPP 1.5 is customised and adds some extra requirements, including client identity and the source of samples (which under the APPs is only required in relation to direct marketing and on request (APP 7.6(e))).

1.6 Preference for direct collection
  APP 3.6.

1.7, 1.8 Collection from third parties (research and other data)
  APP 5 applies to both direct and indirect collection. No longer an exception for serious threat to life or health applying to ensuring awareness.

1.9 Collection from third parties (sensitive information)
  APP 3.3(a).

1.10 Collection from third parties (sensitive information): conditional research exception
  APP 3.4 plus permitted health situations in s.16B: no significant difference.

M&SRPP 2 Use, Disclosure and Transfer
  This covers both NPP 2 and NPP 9 (transborder data). Needs now to cover APP 6 and APP 8.

2.1 Primary purpose
  APP 6.1.

2.2 Exceptions, in general
  APP 6.2, including (c) and (d), which invoke permitted general situations (s.16A) and permitted health situations (s.16B).

2.3 Record of some uses/disclosures/transfers
  APP 6.5.

Several significant differences in the exceptions, including:
- a threat to life, safety etc. no longer has to be imminent, but must still be serious, and it has to be impracticable to obtain consent;
- unlawful activity or serious misconduct must now relate to an organisation's functions;
- a new exception in relation to legal proceedings;
- a new exception for ADR processes.

The changes are nearly all to the exceptions, which will only be relevant in exceptional circumstances. There is no change to the more general exception for secondary purposes related to the primary purpose (directly related for sensitive information) and within the individual's reasonable expectation, which will be more commonly relied on by organisations in the course of normal business.

2.4 and 2.5 Exceptions applied to M&SR
  This M&SRPP chooses to apply a customised version of the higher standard of the conditional exception for health information (from NPP 2) to all research information. It is assumed that AMSRO will wish to continue to apply this higher standard, which continues to apply only to health information in the amended Act (s.16B(3)).

2.6 Additional obligations when disclosing
  This M&SRPP takes one of the bases for overseas data transfer from NPP 9 and makes it a condition for all disclosures. It also requires members to pass on security, retention and destruction obligations which apply to the member under NPP 4. In a revised Code, APPs 8 and 11 are relevant. APP 8 has some significant differences from NPP 9, but these need not affect the obligation. APP 11 is very similar to NPP 4 (see below).

2.7 Caution about patterns of answers identifying individuals
  This is an extra obligation with no direct equivalent in the NPPs or APPs, but it supports several other principles.

Direct marketing?
  The way the Privacy Act deals with direct marketing is critical to the market research industry, given the public confusion about the distinction between bona fide MR and "sugging". The NPPs address direct marketing as a conditional exception to NPP 2 (use and disclosure). In the amended Act, there is a self-contained direct marketing principle, APP 7. The Code is silent on direct marketing on the basis that it is not a purpose that is ever compatible with market and social research. Consideration could be given to the revised Code expressly explaining why there is no equivalent in the Code to APP 7.

M&SRPP 3 Data Quality

3.1-3.3 Quality obligation
  APP 10: no significant difference.

3.4 Correction
  APP 13: substantially similar, but M&SRPP 3.4 gives individuals more choice than APP 13 (including an express choice of deletion). New requirements: to notify past recipients on request, if practicable (APP 13.2), and to correct within a reasonable time and free of charge (APP 13.5).

M&SRPP 4 Data Security (APP 11)

4.1 Disposal
  Customised version of APP 11.2.

4.2 and 4.4
  Additional detail not required by the APPs (or NPPs).

4.3
  Basic security obligation from APP 11.1, which now adds "interference".

M&SRPP 5 Openness (APP 1)

5.1 Privacy policy
  APP 1.3-1.6.

5.2 Content of policy
  APP 1.4 prescribes detailed content of the policy; some new requirements, including any overseas transfers.

5.1-5.3 Availability of policy
  APP 1.5-1.6: no longer just on request.

M&SRPP 6 Access and destruction etc. (APP 12)

6.1
  Explanation only.

6.2 Primary access obligation
  APP 12.1. M&SRPP 6.2(b) introduces a right to have research data destroyed, deleted or de-identified (subject to 6.5).

6.3 Exceptions
  APP 12.3: only minor differences. M&SRPP 6.2 applies the same exceptions to the right to destruction etc.; the APP is silent on this, although the obligation is implicit in 4.1 (APP 11.2).

6.4 Use of intermediaries
  APP 12.6: substantially similar.

6.5 Exception to exception
  No APP equivalent.

6.6 Charges
  APP 12.8: no difference, but new "within reasonable time" and "in form requested" obligations (APP 12.4).

6.7 Reasons for refusal
  APP 12.9(a): no difference.

M&SRPP 7 Identifiers (APP 9)

7.1-7.3
  APP 9.1-9.3: now apply to identifiers issued by any level of government. Otherwise the same effect as NPP 7, subject to the differences in the wording of the exceptions, which are taken from APP 6 and s.16C (see under M&SRPP 2 above).

M&SRPP 8 Anonymity
  APP 2: no significant difference (but this is one principle where the M&SRPC could provide some useful guidance).

M&SRPP 9 Trans-border data flow
  APP 8: some significant changes. The M&SRPC deals with this within M&SRPP 2 (use, disclosure and transfer). May need separate treatment in a revised Code.

M&SRPP 10 Sensitive information
  The M&SRPC pre-empted the amendments by addressing the requirements of NPP 10 within other principles where relevant, specifically M&SRPP 1.3 and 1.9 (also 1.10). This approach is more consistent with the way the APPs deal with sensitive information, so only minor revision should be required.

[2] The OAIC is in the process of issuing guidance on de-identification, which it might be useful to cross-reference.

Summary of main APP changes

Most of the research activity of AMSRO members will not be significantly affected: compliance with the existing M&SRPPs (which are at least equivalent to the NPPs and in many cases more privacy protective) will also ensure compliance with the APPs (or revised M&SRPPs). This is the case for the principles that deal with collection, use and disclosure. Many of the differences between the APPs and the M&SRPPs in this respect relate to exceptions which will apply only rarely, if ever, and will not therefore have a significant practical impact. The principles that deal with data quality and security are little changed and should require no significant adjustment. The retention and disposal provisions in the M&SRPPs go beyond the requirements of the Act in giving research respondents more control.

Differences to the principles that deal with openness and transparency, including notice to individuals and access and correction, will however require all AMSRO members to at least review their privacy policies and practices, and in some cases make substantial changes. These include:

- privacy notices will need re-wording to ensure compliance with APP 3 (or an M&SRPC equivalent);
- privacy policies will need to be more detailed, and more readily available, to comply with APP 1 (or an M&SRPC equivalent);

- processes for responding to any access or correction requests will need reviewing to ensure new timelines are met;
- procedures will be needed for notifying previous recipients of personal information of any subsequent corrections.

Other personal information

Any personal information handled by AMSRO members outside the context of actual research (such as marketing lists and contact details for clients and service providers) was and is currently subject to the default NPPs in the Act rather than the M&SRPPs, and will after March 2014 be subject to the APPs (whether or not a revised M&SR Privacy Code applies to research activities). Members will need to apply a similar review process to ensure compliance with these principles for any non-research personal information.

Enforcement changes

The Commissioner will have enhanced powers, including the ability to:

- accept enforceable undertakings (ss.33E-33F);
- seek civil penalties in the case of serious or repeated breaches of privacy (up to $1.7 million for corporations, on application by the Commissioner to the Federal Court or Magistrates Court, Part VIB);
- conduct assessments of privacy performance for both Australian government agencies and businesses (s.33C, replacing the audit power which under the current Act can only be exercised in relation to compliance with the IPPs by Commonwealth agencies, and in the private sector only to organisations' handling of credit reporting information and tax file number information).

While there is the potential for more, and more assertive, compliance monitoring and enforcement by the OAIC, the actual level of activity, and the extent of any change from the current "light touch" approach, will depend on many factors, including the resources available to the Commissioner, which are both modest and shrinking.

Given the experience of the market and social research industry, with no formal Privacy Act complaints about breaches of the Code since its inception in 2003, it is unlikely to be a priority sector for attention from the OAIC. AMSRO members should however be mindful of the possibility of significant sanctions and penalties, particularly in the event of serious or repeated breaches of the Act, or of the Code.

Revised Code provisions

A new Part IIIB replaces the current Part IIIAA providing for Codes. Either the Commissioner or any other party (a "Code developer") may develop an APP Code. Codes must set out how one or more of the Australian Privacy Principles are to be applied or complied with; may impose additional requirements to those imposed by the Australian Privacy Principles; and may deal with other specified matters. If the Commissioner includes an APP code on the Codes Register, an APP entity bound by the code must not breach it. A breach of a registered APP code is an interference with the privacy of an individual.

Unless AMSRO wishes the existing Market and Social Research Privacy Code to lapse in March 2014, it will clearly be necessary for the existing Code to be revised to acknowledge the changes to the Act (in particular the new definitions and APPs) and submitted for registration under the new Part IIIB.

The OAIC has recently consulted on draft Code Development Guidelines and AMSRO made a submission. The processes and requirements for developing Codes and submitting them for registration, and for periodic Code Reviews, as explained in the draft Guidelines, are similar to the current processes and requirements under Part IIIAA which AMSRO has followed for its Code (first registered in 2003). The AMSRO submission argued for special consideration of the position of existing Part IIIAA Codes (there are only two, with AMSRO's being the most comprehensive and detailed [3]), with the objective of lessening the compliance burden. For instance, having just carried out a second comprehensive review of the Code with public consultation, it would seem reasonable for AMSRO not to have to follow all the steps that will be required of new Code developers. It remains to be seen if the Commissioner will accept AMSRO's arguments and, if so, considers that the Act allows him to relax some of the requirements set out in the draft Guidelines. Pending a response from the Commissioner, AMSRO intends to commission a revision of the Code in preparation for submission for registration on a timescale that will hopefully allow for a seamless transition from the existing Code in terms of compliance obligations on AMSRO members.

[3] See http://www.privacy.gov.au/business/codes. The other current Code is the Queensland Club Industry Privacy Code.