Good news!
• Aware of the importance of proper handling of information
• Strong compliance culture
• Process driven
Not-so-good news…
• Repeated “mistakes”
What is today about?
• Privacy 101
• The Golden Rules
• Implementation
Personal information means information or an opinion about
an identifiable individual, or an individual who is reasonably
identifiable whether the information or opinion is:
• true or not; and
• recorded in a material form or not
Sensitive information includes race, ethnic origin, political
opinions, membership of professional/trade associations,
religious or philosophical beliefs, sexual preferences, criminal
history and health information
Health information includes:
• information or an opinion about the health or disability of an
individual or a health service provided to, or to be provided
to, an individual
• other PI collected to provide, or in providing, a health
service
Privacy 101 – New laws
• 10 National Privacy Principles replaced with 13 Australian Privacy Principles
• The Commissioner’s powers have been increased
• New laws commence on 12 March 2014
Do not collect PI unless you need it
You must not collect PI unless the information is necessary for one or more of your functions or activities
eg. Membership application form
Obtain consent before collecting sensitive information
An organisation must not collect SI about an individual unless (amongst other things) the individual has consented
eg. Information from a CDMP provider
Collection statements – current requirements:
• Your identity and how to contact you
• The fact that he/she can gain access to the information
• The purposes for which the information is collected
• The organisations (or types of organisations) to which you usually disclose information of that kind
• Any law that requires or authorises the particular information to be collected
• The main consequences (if any) for the individual if all or part of the information is not provided
Collection statements – additional requirements:
• Whether you collect PI about the individual from a third party and the circumstances of that collection
• The fact that your privacy policy contains information about how the individual may:
  • access and correct PI
  • complain about a breach of the APPs and how you will deal with such a complaint
• Whether you are likely to disclose PI overseas and, if so, the countries where such recipients are likely to be located
Are you properly providing collection statements and obtaining necessary consents?
• Members?
• Healthcare providers?
Collecting unsolicited information
• Decide within a reasonable period whether you could have collected the PI if you had solicited it
• If you could not have collected the PI, and it is not contained in a “Commonwealth record”, destroy or de-identify it
• If you could have collected the PI, then the APPs apply
Use and disclosure
Do not use or disclose PI about an individual for a purpose (the secondary purpose) other than the primary purpose of collection without consent, unless both of the following hold:
• the secondary purpose is related to the primary purpose of collection (directly related in the case of SI); and
• the individual would reasonably expect you to use or disclose the information for the secondary purpose
eg. CDMP programs
Direct marketing
New “prohibition” on direct marketing – APP 7.1, unless one of the following applies:
APP 7.2
• information collected from individual
• reasonably expect use or disclosure
• opt out options
• has not opted out
APP 7.3
• information collected from individual
• not reasonably expect use or disclosure
• impracticable to obtain consent
• opt out options
• prominent statement or draw attention to opt out
• has not opted out
APP 7.3
• information collected from third party
• consent or impracticable to obtain consent
• opt out options
• prominent statement or draw attention to opt out
• has not opted out
Actions – review collection notices and information collection methods
Disclosure overseas (cont.)
APP 8 – New accountability approach to cross border disclosure of personal information
If: disclosure of personal information to overseas recipient
Implication:
• Must take reasonable steps to ensure compliance of APPs by the overseas recipient – contractual obligation, audit
• Sender is potentially liable for misuse by overseas recipient!
Exceptions:
• Overseas recipient subject to similar principles as APPs and enforcement action available
• Individual consents to disclosure after being expressly informed that APP 8.1 will not apply
Disclosure overseas (cont.)
Privacy in Asia – indicative examples (regimes rated Weak, Medium or Strong)
• Singapore – draft bill
• China
• Bangladesh
• Pakistan
• Sri Lanka
• Nepal
• Hong Kong
• Macau
• India
• Philippines
• Thailand
• Vietnam
• Malaysia – legislation still to come into force
• South Korea
• Taiwan
• Japan
Storage and disposal
• You must take reasonable steps to protect PI from misuse, interference and loss, and from unauthorised access, modification or disclosure
• You must take reasonable steps to destroy or permanently de-identify PI if you do not need it
• Take care of other obligations to retain information
You are not one big happy family!
Related bodies corporate exemption does not apply where:
• SI is concerned
• the related body corporate is overseas
You need to have robust privacy processes and policies
• Standard operating procedures
• Privacy policy
Privacy policy
• The kinds of PI you collect and hold
• How you collect and hold PI
• The purposes for which you collect, hold, use and disclose PI
• How an individual can access PI held by you and seek correction of such PI
• How an individual can complain about a breach of the APPs and how you will deal with the complaint
• Whether you are likely to disclose PI overseas and, if so, the countries in which such recipients are likely to be located
Implementation: What should you do?
1. Identify all relevant PI/SI flows now and after 12 March 2014
2. Prepare and confirm an “information flows” document based on the above
3. Assess and report on privacy compliance
4. Prepare (or update) privacy policy and collection statements (incorporating consents)
5. Decide how you will notify individuals of changes to your privacy policy and collection statements
6. Implement transborder transfer agreements
7. Prepare a standard operating procedure
8. Train the privacy officer(s) and delegates
9. Train relevant staff
10. Refresher and induction training programs
11. Regular review and updating of privacy policy and collection statements (and consents)
Why bother?
Because you cannot afford not to!
• What will adverse publicity do for your business?
• New powers afforded to the Commissioner
Commissioner’s new powers
Office of the Australian Information Commissioner:
• Investigate complaints about interference with privacy
• Monitoring related functions – security and accuracy of credit reports
• Conduct assessments relating to the APPs
• Apply to the Federal Court for civil penalty orders
• Request a copy of a privacy impact assessment from an agency
• Accept enforceable undertakings
• Undertake investigations and order actions