May 5, 2014
As part of Privacy Awareness Week the Privacy Commissioner has released a guide to developing an APP privacy policy. The Privacy Policy, if drafted properly, should be the cornerstone of a compliance structure under the Privacy Act. To prepare a privacy policy which actually fulfils the requirements of APP 1, an APP entity will need to understand the nature of the data it collects, uses and discloses, the data flows and how it properly manages that data, including the programs, protocols and training in place. A privacy policy is not a pro forma where an organisation fills in a gap here and completes a sentence there. Organisations handle information in different ways, depending on the type of business/activity and the way it has developed over time. That said, some organisations have had professionals offer them a package involving a privacy policy which could only be done in the most general terms. That misses the point, doesn’t comply with the guide, doesn’t come close to complying with the APPs and has no relationship to the privacy by design concept. The guide makes it clear that more is expected of privacy policies than is commonly the case. The real impact of the guide is the proactive steps the Privacy Commissioner takes to have organisations meet the minimum standards. With greater enforcement powers as of March 2014 he will Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
April 3, 2014
On 31 March 2014 the Australian Retail Credit Association (the “ARCA”) applied to vary the Credit Reporting Code to extend, from 5 days to 14 days, the grace period before repayment history is classified as a missed payment.
The Privacy Commissioner is considering the application. It is unlikely that he will reject it. It is a pro-consumer amendment being sought by the ARCA.
The CR Code is found here
Posted in Commonwealth Privacy Commissioner
March 13, 2014
The amendments to the Privacy Act are one day old but the changes are already becoming apparent, at least in terms of disclosure of where data sent offshore is going. That is an obligation under the Australian Privacy Principles (the APPs), in particular APPs 1 and 8.
Itnews, in Aussie blue-chips reveal extent of data offshoring, has done a quick review based on disclosures to date. It is an excellent article. The United States leads the pack in terms of destination of data, followed by the United Kingdom, India and the Philippines (no doubt call centre and support service oriented), New Zealand, Singapore and China. The piece also shows how companies are interpreting the requirements set out in the APPs regarding disclosure, with Coles being on the open side while Westfield and Holden are more opaque. Clearly this is a matter requiring consideration by the Privacy Commissioner in the short to medium term. If organisations and agencies feel Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
March 11, 2014
For those following this site the existence of amendments to the Privacy Act 1988 is trite and the fact that they will take effect tomorrow is obvious and well known. The Privacy Commissioner has put out a media release to that effect, titled Privacy laws change tomorrow. Not Byronesque but clear and to the point as headings go. What more can you expect from a heading?
It relevantly provides:
Important changes to the Privacy Act 1988 commence on 12 March 2014.
The changes include Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
Today the Privacy Commissioner found that Telstra breached the National Privacy Principles 4.1, 4.2 and 2.1 arising out of the leak of personal information of 15,775 customers. The Privacy Commissioner’s finding is found here. The ACMA also found Telstra breached the Telecommunications Consumer Protections Code. Its finding is found here.
The reportage has been long and loud. The Age report is found here at Telstra breaches privacy of thousands of customers, the ABC with Telstra fined after breaching privacy of 15,775 customers and itnews with Telstra breached Privacy Act by exposing user data, along with the Australian’s Telstra leak breached privacy law: reports.
The Privacy Commissioner’s decision, absent footnotes, provides:
Overview
On 24 May 2013, the Australian Privacy Commissioner (the Commissioner) opened an own motion investigation into Telstra Corporation Limited (Telstra). This was in response to media allegations that personal information of Telstra customers was accessible online, which Telstra confirmed.
The Commissioner’s investigation focused Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, General, Privacy
March 10, 2014
This Wednesday the amendments to the Privacy Act 1988 take effect. They should require a significant change to the manner in which privacy is regulated in Australia by the Privacy Commissioner. He has been given significant and varied enforcement powers. And the penalties for serious interferences with privacy, $340,000 for an individual and $1,700,000 for a company, and breaches of the Credit Reporting provisions of the Act (Part IIIA) are very significant. The question is, and has always been, how active and effective the regulator will be. Part of the problem in the past has been Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
March 7, 2014
There has been some criticism about the effectiveness of the Guidelines to the APP. That has prompted quite a lively response from the Privacy Commissioner (found here). He rarely reacts so quickly and assertively to media reportage. It is an important issue to clarify. The extent of work undertaken by organisations to comply has been uneven, to put it mildly. That has been a subject of reports over the last 15 months. Having mixed signals in the marketplace can only hamper regulatory compliance. Ultimately the assertiveness of the Privacy Commissioner will influence how compliant organisations really become.
The consultation details relevantly provide:
Significant amendments to the Privacy Act 1988 (the Privacy Act), made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the Privacy Amendment Act), commence on 12 March 2014.
The amendments include Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
The release of guides, policies and Codes is gathering pace ahead of E day, 12 March 2014, the day the amendments contained in the Privacy (Enhancing Privacy) Act 2012 take effect. As part of the process the Privacy Commissioner is seeking to update the Guide to undertaking Privacy Impact Assessments. The draft is found here. Comments are sought by 28 March 2014.
The Draft Guide provides, absent appendices:
Introduction to privacy impact assessments
About this Guide
The Guide to undertaking privacy impact assessments (the Guide) has been prepared by the Office of the Australian Information Commissioner (OAIC) to provide an overview of a process for undertaking a privacy impact assessment (PIA). The Guide is intended for use by both government agencies and private sector organisations.
The Guide sets out Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
March 5, 2014
The amendments to the Privacy Act 1988 take effect on 12 March 2014. It is as much an issue for the Privacy Commissioner as for organisations and agencies. While compliance will be a significant issue, proper regulation and enforcement is as important. In the past Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
February 28, 2014
The OAIC has released the enforcement guidelines (found here).
Significant changes to the Privacy Act 1988 will commence on 12 March 2014. The changes include a new set of harmonised Australian Privacy Principles (or APPs) that will replace the two sets of principles that currently apply to Australian Government agencies and to businesses. There will also be changes to credit reporting, including the introduction of a more ‘comprehensive credit reporting’ system and a simplified and enhanced correction and complaints process. The reforms also include new enforcement powers and remedies in relation to investigations.
The Office of the Australian Information Commissioner (OAIC) has Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy