
Jayne Van Souwe , Principal, Wallis Consulting Group Andrew Maher , Partner, HR Legal

Date post: 06-Jan-2016
Description: Jayne Van Souwe, Principal, Wallis Consulting Group; Andrew Maher, Partner, HR Legal. PowerPoint PPT presentation.

Agenda:

• What do Australians think about privacy?

• The APPs

• The market and social research industry’s response

• Questions
Transcript
Page 1: Jayne Van Souwe , Principal, Wallis Consulting Group Andrew Maher , Partner, HR Legal

Jayne Van Souwe, Principal, Wallis Consulting Group

Andrew Maher, Partner, HR Legal


What do Australians think about privacy?

Key findings from “Community Attitudes towards Privacy” – study completed by Wallis for the Office of the Australian Information Commissioner


Australian Privacy Principles

• Definition and coverage

• The principles and their implications


The Australian Privacy Principles

Cover all Australian government agencies and most private businesses.

Replace the Information Privacy Principles (previously applied to government) and the National Privacy Principles (applied to businesses)

The market and social research industry had its own set of Privacy Principles (Market and Social Research Privacy Principles) and will have its own Code again.

APPs are minimum standards that can only be exceeded in separate industry codes – previous codes allowed limited trade-offs.

They are data protection laws and only apply to information about private individuals.


The Australian Privacy Principles

State government agencies (excluding SA and WA) remain bound by the relevant state data and privacy protection legislation, usually administered by state privacy commissioners:

• ACT – no territory-specific privacy law; health records are administered by the Human Rights Commission

• NSW – Privacy and Personal Information Protection Act 1998

• NT – Information Act 2002

• QLD – Right to Information Act 2009, Information Privacy Act 2009

• TAS – Personal Information and Protection Act 2004

• VIC – Information Privacy Act 2000 (health information is covered by the Health Services Act administered by the Health Services Commissioner)


The Australian Privacy Principles

State governments with their own privacy legislation are taking a “wait and see” approach to the APPs. They are likely to bring their own legislation into line eventually.

At present state legislation exceeds base requirements of federal law and/or clarifies state-specific situations, eg states have different systems for managing health records

State and federal laws (and codes that have force of law) always take precedence over industry guidelines.

Researchers should be aware of related guidelines, but recognise their place!

ACT = CODE = LAW; Guideline = good practice


The Australian Privacy Principles

For market researchers the situation is clear – if you abide by the Code of Professional Behaviour of AMSRS you will continue to exceed ANY privacy legislation currently in force. (Note the Code of Professional Behaviour is being re-written so that it complements the new Industry Privacy Code, which in turn references the Code of Professional Behaviour).


The Australian Privacy Principles

For other areas of business the situation is less clear. Federal and state privacy commissioners work together to ensure that legislation complements rather than conflicts – it is more a matter of ensuring that any companies working for state government agencies are clear about which piece of legislation applies.

If in doubt, comply with the most stringent piece of legislation.


The Australian Privacy Principles

What do we mean by privacy?

Personal information: information or an opinion that identifies or could reasonably identify a person, whether true or not.

Examples include name, age, DOB, phone number, email address, photograph, credit card details, salary, information collected from customer surveys etc.

Sensitive information: information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information.

Under the APPs, the definition of sensitive information has been expanded to include biometric information used for biometric verification or identification (such as fingerprints, iris recognition, DNA etc).


The Australian Privacy Principles

13 new APPs replace IPPs and NPPs

Single set of principles which apply to both public and private sectors (APP entities)

Structured to reflect the information life cycle — collection, use and disclosure, quality and security, access and correction

Mandatory minimums which must be equalled or exceeded in every case

Provides a single set of rules (at least for the majority of agencies and businesses bound only by them). No longer allows trade-offs in specific industry codes – all agencies and businesses must meet minimum standards


APP 1 – Open and transparent management of personal information

Agencies must have a clearly expressed and up to date privacy policy and complaints procedure

Agencies must take reasonable steps to implement processes that will ensure that the agency complies with the APPs

While most organisations have privacy policies they will need to update them and their complaints procedures regularly and ensure that they have processes in place to meet APP requirements


APP 2 – Anonymity and pseudonymity

Allows individuals to interact with agencies anonymously

Permits the individual to use a pseudonym – unless it is impracticable to deal with an unidentified individual

Organisations need to allow people to use pseudonyms or deal with them anonymously where possible


APP 3 – Collection of personal and sensitive information

Collection must be ‘reasonably necessary’ for, or ‘directly related’ to, one or more of an agency’s functions or activities

Higher standards for collection of sensitive information (necessary and with consent).

The definition of sensitive information hasn’t changed, but if it can be implied (eg some surnames are particular to specific races and ethnic groups) then information should be treated the same way.


APP 4 – Dealing with unsolicited personal information

Unsolicited personal information now has the same protections as solicited personal information

New principle for handling unsolicited personal information mandates that such data should be destroyed or de-identified if it could have been collected overtly and is not part of a Commonwealth record.

Ensure that only necessary information is transferred to external companies. Companies receiving unsolicited information should destroy it.


APP 5 – Notification of collection

This principle outlines the information that must be given to an individual when the agency collects their personal information. It includes:

• Information about an agency’s APP policy

• Who the agency is and how to contact it

• The purpose(s) of the collection

• Any collections from third parties

• Consequences of non-collection

• Complaint handling process

• Potential overseas disclosure

There is no substantial change in this APP compared with previous regulations on data collection


APP 6 – Use or disclosure

Deals with use and disclosure of personal information

Different (more stringent) obligations apply to the use or disclosure of sensitive information eg must gain permission

New limited exceptions, to permit use or disclosure for a secondary purpose to:

• Locate a missing person

• Establish, exercise or defend a legal or equitable claim

• Conduct confidential alternative dispute resolution

There is no substantial change in this APP compared with previous regulations on data collection


APP 7 – Direct marketing

Prohibits organisations from using or disclosing personal information for direct marketing purposes, except in specified circumstances

Provides a compulsory ‘opt out’ clause

Includes personalised advertisements on websites which use information gathered from “cookies” and similar to target individuals

This is a completely new Principle and differentiates Direct Marketing practices aimed at selling or marketing products. It includes electronic personalised DM


APP 8 – Cross border disclosure

Introduces an accountability approach for cross-border disclosure

Agencies must take reasonable steps to ensure overseas recipients do not breach APPs

Agencies may be accountable for a breach of APPs by overseas recipients

While this is now a separate Principle the concepts contained within it were in the NPPs previously.


APP 9 – Adoption, use or disclosure of government related identifiers

Prohibits an organisation from adopting, or using, a government related identifier as its own identifier

Open data sets and the ability to conduct meta-analysis have led to the introduction of this additional measure to ensure data protection. It is recommended that an organisation uses its own identification system for records. It can hold a concordance, but must do so carefully.


APP 10 – Quality

Requires agencies to take reasonable steps to ensure personal information they collect, use or disclose is:

• Accurate

• Up-to-date

• Complete

Agencies should ensure that personal information they use or disclose is also relevant for the purpose of the use or disclosure

There is no substantial change in this APP compared with previous regulations


APP 11 – Security

Inclusion of ‘interference’: an agency must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure (including hacking)

There is no substantial change in this APP compared with previous regulations on data handling


APP 12 – Access

Agencies required to respond to requests for access to personal information within 30 days

Exceptions apply – Freedom of Information Act 1982 or other legislation

Access should be provided in the requested manner (where reasonable and practicable)

Individual not to be charged

Written reasons for the refusal and complaint mechanism

There is no substantial change in this APP compared with previous regulations


APP 13 – Correction

Agencies required to take ‘reasonable steps’ to correct personal information to ensure it is accurate, up-to-date, complete, relevant and not misleading, if:

• the agency is satisfied it needs to be corrected, or

• the individual requests correction

Agency to respond to request within 30 days

Individual not to be charged

Statement required if agency refuses to correct and individual requests a statement

Written reasons for refusal and complaint mechanism

There is no substantial change in this APP compared with previous regulations


Commissioner’s New Powers

Ability to investigate a potential privacy breach without receiving a complaint (own motion investigations - OMIs) as well as in response to complaint

Wider range of action to be taken if a breach of the Act is substantiated whether as a result of OMI or complaint (as before)

Written undertakings can now be enforced

Seek civil penalties for serious or repeated breaches (up to $1.7 million for corporations)

Commissioner can take unilateral action, fines are larger.


Market Research Industry Response

• New Privacy Code

• Information/template pack for AMSRO companies


New Market and Social Research Industry Privacy Code

New codes must follow the format of the APPs and add to it

To our knowledge the market research industry is the only one that has tendered its own Code for ratification. This will mean that the Code administrator is the industry body (AMSRO) rather than the OAIC.


New Market and Social Research Industry Privacy Code

The main areas of change are:

Subscribers to Code (AMSRO members) will have access to an industry Dispute Resolution mechanism, but must ensure public access to Privacy Policies, Complaints Procedures and the industry Code, as well as reporting complaints systematically and regularly to AMSRO

Allow respondents to use a pseudonym if a name is needed and it is practicable

Definition of personally identified information – care in what happens with de-identified data sets in the public arena. MR data falls into three areas irrespective of the collection method:

• Contact details of research participants/sample

• Research status

• Research data

New Privacy Principle for Direct Marketing will allow the industry to differentiate practice further


New Market and Social Research Industry Privacy Code

Main changes are:

Government identifiers must not be used as research identifiers, unless:

• It is reasonably necessary for verifying the person’s identity

• It is reasonably necessary for the organisation to fulfil its obligations to an agency or a state/territory authority

• It is authorised by or under an Australian law or a court order

• It is necessary for enforcement activities

If a respondent requests that their personally identified data be amended or corrected and this would damage the original point in time data, keep a record of the amendment if practical


PRIVACY Do’s and Don’ts

1. Do ensure appropriate systems and processes are in place to comply with the APPs

2. Don’t collect more personal information than is necessary or relevant

3. Do tell individuals what you are going to do with the collected information

4. Don’t use information for an unrelated secondary purpose without consent

5. Don’t disclose personal information unnecessarily

6. Do give people access to their personal information if they ask unless there are proper grounds not to

7. Do keep information secure and free from interference

8. Don’t keep personal information you no longer need or are no longer required to retain

9. Do keep personal information accurate and up to date

10. Don’t disclose information to overseas recipients in countries without equivalent privacy laws and the ability to enforce those rights unless consent is provided

11. Do make someone in the organisation responsible for privacy complaint handling, processes and systems.


Information pack for AMSRO companies

AMSRO has produced information for members to help them comply with the requirements, in particular:

• Templates for privacy policies

• Guidance on how to meet the requirements


The Trustmark

The Trustmark guarantees business and government decision makers that they are buying research that is quality-assured and meets not only ethical standards, but also the new Privacy Code.

AMSRO member organisations operate under the following stringent, mandatory criteria:

• Privacy: Adherence to the Market & Social Research Privacy Code

• Quality assurance: Companies must have the International Standard for Market, Opinion and Social Research qualifications (ISO 20252)

• Ethics: Adherence to the AMSRS Code of Professional Behaviour


Questions?
