Privacy Laws

Privacy laws are changing (forecast over 5 years) and the changes will come into effect on March 12th, 2014. These changes have been driven by consumer concern about the use of their data and by the rise of social media. This is a global shift, and Australia is falling in line with the rules of other OECD countries.

Personal information

“Information or an opinion that specifies the individual or is used in such a way that identifies that individual is considered private and is covered by the act.” So, aggregate data that does not identify, nor will ever be used to identify, an individual is non-personal; but data that is used in isolation or as part of a matching process to explicitly identify an individual, or that MAY be used by you in the future to identify one, is considered private – this includes third-party matching and cookie data.

Sensitive information

Examples include: sexuality, race, religion etc. You must have explicit opt-in rights to collect this info.

What do you need to do?

  1. Have a documented privacy policy, including how data will be used and stored
  2. Provide the ability for individuals to interact with us anonymously or via a pseudonym

This excludes some instances where it would be impractical (e.g. payment, work requirements, or perhaps if you are collecting for personalised email; but the latter needs to be approved [this is a grey area!]).

Data collection rules

1. Rules of collection

a. Don’t collect data unless you have a clear purpose and can show how it will be used
b. Collect by fair and lawful means
c. For sensitive info, you must have opt-in
d. Data accidentally collected but not needed should be destroyed
e. Data collected must only be used for the purpose you disclosed

2. Rules of notification

a. If collecting personal info, then you must specify that you are doing so and how it will be used
b. You must notify individuals that you have collected their information, at the time of collection or as soon as practical (i.e. the next outbound comms), including when it was sourced from a third party or by means of aggregation
c. Notify who you are, how you sourced the information (if from a third party, you are not required to name the party), and who you are disclosing their details to (i.e. the type of organisation)
d. Must provide “how to complain” directions
e. Must notify if their information will be exposed overseas and, if so, to which specific countries. NB. In the case of cloud computing, you must disclose where the data is stored

3. Rules of opt out

Use of personal data is acceptable:

- Where there is explicit consent
- Where it is part of delivery of a service
- Where there is a research topic aligned to the purpose for which the data was originally collected
- For direct marketing purposes

But for direct marketing (undefined, so it can include electronic and written) it must comply with these guidelines:

- If collected directly, the individual would reasonably expect his / her data to be used for direct marketing
- If collected by a third party, then the third party has obtained consent OR can show it is impractical to do so
- If impractical to do so, then it must pass the reasonableness test that the information collected would be expected to be used for direct marketing purposes
- Opt-out capability is provided in each and every instance, clearly and prominently

Use of data overseas

- You can transfer Australian data overseas if the receiving country has similar levels of protection and the individual can enforce their rights
- If the individual has given explicit consent to the data transfer
- If company to company, then the overseas company explicitly agrees that it will adopt and comply with the Australian privacy laws
- But in all instances, the Australian company still remains liable for breaches!

General rules

  • Integrity of data
- You must take reasonable steps to ensure that up-to-date and accurate information is kept
  • Security
- You must take reasonable steps to protect data
  • Access
- You must provide access to personal information upon request
  • Correction
- You must take action to correct information when asked to do so, or be able to justify why this was not practicable

Power of the Commissioner

  • Proactive assessments will take place
  • Ability to seek and enforce undertakings. These are public documents and can include a requirement to demonstrate changed work practices
  • Fines of up to $1.7 million are on the table
