This document summarizes a seminar on privacy acts and data collection. It discusses how data has become central to modern marketing and the CMO's increased focus on data and analytics. It outlines key privacy principles around fair collection and use of personal data, including obtaining consent, ensuring security of data, and individuals' right to access and correct their own data. The document also provides examples of privacy issues faced by companies like Telstra, McDonald's, AAPT and Grays when customer data was mishandled, and advises what to do in response to a crisis like accidental disclosure of customer financial details.
16. issues we will cover
AUSTRALIAN PRIVACY PRINCIPLES
REASONABLE EFFORTS TO ENSURE COMPLIANCE
IT SECURITY
THE POWERS OF THE COMMISSIONER
SOME CASE STUDIES
17. What is personal information?
PERSONAL INFORMATION IS INFORMATION OR AN OPINION ABOUT AN IDENTIFIED INDIVIDUAL, OR AN INDIVIDUAL WHO IS REASONABLY IDENTIFIABLE, WHETHER THE INFORMATION OR OPINION IS TRUE OR NOT, AND WHETHER THE INFORMATION IS RECORDED IN A MATERIAL FORM OR NOT.
18. The Australian privacy principles
THIRTEEN PRINCIPLES WHICH SET OUT HOW ORGANISATIONS MUST DEAL WITH PERSONAL INFORMATION
APPLY TO COMMONWEALTH GOVERNMENT AGENCIES AND BUSINESSES WITH TURNOVER OF MORE THAN $3M
19. APP 1: OPEN AND TRANSPARENT MANAGEMENT OF PERSONAL INFORMATION
Personal information must be managed in an open and transparent way.
You must take reasonable steps to ensure you comply with the APPs, and you must have a clearly expressed and up-to-date Privacy Policy (usually posted on your website).
20. APP 2: ANONYMITY AND PSEUDONYMITY
You must provide individuals with the option of not identifying themselves, or of using a pseudonym, when dealing with you.
This obligation doesn’t apply where it is impracticable to do so.
21. APP 3: COLLECTION OF PERSONAL INFORMATION
You can only collect personal information where it is reasonably necessary for your functions or activities.
Higher standards apply to the collection of ‘sensitive information’ (e.g. race, religion, health information, sexual preference), in which case the individual must consent to the collection of this information.
22. APP 4: DEALING WITH UNSOLICITED PERSONAL INFORMATION
This APP sets out how you must deal with unsolicited information you receive.
Broadly, you will have to determine whether you would have been able to collect the information in accordance with APP 3. If not, you must destroy or de-identify the information.
Unsolicited information is information you receive when you have taken no active steps to collect it, for example random job applications, flyers or purchased mailing lists.
23. APP 5: NOTIFICATION OF THE COLLECTION OF PERSONAL INFORMATION
APP 5 sets out when and in what circumstances you must notify an individual of certain matters, including your identity and contact details.
You should notify the ‘APP 5’ matters at or prior to the point of collection.
‘APP 5’ matters include:
Your identity and contact details
The purposes for which you collect the information
To whom you may disclose the information (including overseas)
Details of your privacy policy
Generally a clear and prominent link to the privacy policy at the point of collection is OK.
24. APP 6: USE OR DISCLOSURE OF PERSONAL INFORMATION
You can only use information for the purposes for which you collected it, unless the person has consented or should reasonably expect that you would use it for other related purposes.
25. APP 7: DIRECT MARKETING
APP 7 imposes a general prohibition on use or disclosure of personal information for direct marketing, unless certain criteria are met:
the person has consented or would reasonably expect you to; and
you provide a simple opt-out mechanism.
Note this does not include electronic commercial messages (email, text message), which are covered by the SPAM Act 2003.
26. APP 8: CROSS-BORDER DISCLOSURE OF PERSONAL INFORMATION
You cannot disclose personal information to overseas recipients unless you take reasonable steps to ensure that the overseas recipient will comply with the APPs.
Unless:
You believe that the overseas recipient is subject to a privacy regime substantially similar to Australia’s;
The individual provided express consent to the disclosure and agreed that the APPs wouldn’t apply.
What is ‘disclosure’? Cloud computing etc. is generally not disclosure.
27. APP 9: ADOPTION, USE OR DISCLOSURE OF GOVERNMENT RELATED IDENTIFIERS
You cannot use an individual’s government related identifier (e.g. passport number) as your own identifier for that individual.
Example: An accounting firm can’t use tax file numbers as the basis for its identification system.
You can only use or disclose a government related identifier if you reasonably need to use the identifier to verify the identity of an individual.
28. APP 10: QUALITY OF PERSONAL INFORMATION
You must take reasonable steps to ensure that the personal information you collect, use and disclose is accurate, up-to-date and complete.
‘Reasonable steps’ depend on the size of your organisation, the types of information, and the consequences of having wrong information.
The Commissioner recommends reviewing personal information regularly, and providing individuals with a simple means of updating details.
29. APP 11: SECURITY OF PERSONAL INFORMATION
You must take reasonable steps to protect personal information you hold from:
Misuse;
Interference and loss; and
Unauthorised access, modification or disclosure.
You must destroy personal information which you don’t need.
30. APP 12: ACCESS TO PERSONAL INFORMATION
Generally, you must give individuals access to personal information you hold about them.
There are a number of exceptions, including where access would threaten life or safety, it relates to legal proceedings, or the request is frivolous.
You must respond to a request within a reasonable time.
You must verify the identity of an individual before handing over information.
31. APP 13: CORRECTION OF PERSONAL INFORMATION
If you know (or the individual tells you) personal information is incorrect, then you must correct it within a reasonable time.
If you have disclosed information, you must also advise those entities of the corrections.
32. REASONABLE EFFORTS to ensure information security
WHAT DOES YOUR BUSINESS NEED TO DO TO PROTECT PERSONAL INFORMATION?
SOME THINGS TO CONSIDER:
Access (e.g. strong passwords)
Backing up
Communications security (e.g. docs left on printers, emails, discussions outside the office)
Data breaches (have a response plan and know what to do)
Physical security (physical access to the workplace/desks)
Personnel security and training (including contractors and service providers)
Workplace policies
34. Investigations
The Commissioner could always investigate breaches, but in the absence of a complaint had no remedy other than bad publicity.
Now the Commissioner has the full range of remedies even in the event of ‘own motion’ investigations.
35. Determinations
The Commissioner may determine:
To dismiss a complaint;
That a person must take certain steps to redress loss or ensure the breach doesn’t occur again;
That a person is entitled to a specific amount of compensation;
That no further action is to be taken.
If a person does not comply with a determination, the Commissioner may apply to the Federal Court for an order to enforce it.
36. Enforceable undertakings
The Commissioner has the power to accept undertakings from an entity that it will do certain things to ensure compliance.
If the entity doesn’t comply, the Commissioner may apply to the Court for enforcement.
37. Penalties
This is new!
In the case of serious or repeated interferences with privacy, the Commissioner may seek a civil penalty order from the Court.
Currently, the maximum penalty for a corporation is $1.7 million, and for an individual $340,000.
39. Telstra
A mail-out to 60,300 customers inadvertently had the wrong customer addresses.
Telstra’s security measures included:
The contract with the mailing house included privacy and confidentiality obligations;
They always conducted privacy impact assessments on each new job;
Each mail-out went through a series of approvals;
Quality control procedures for staff handling of all campaigns.
In the circumstances Telstra got off – the Commissioner said it was due to human error, and Telstra’s systems were adequate.
40. McDonald’s serves spam
McDonald’s ran a campaign in which it encouraged customers to send their friends a link on its Happy Meal website, which included promotional games.
Result:
The Australian Communications and Media Authority (ACMA) thought this was a breach of the SPAM Act, as the recipients did not consent to receiving commercial electronic messages from McDonald’s, and the messages didn’t have an unsubscribe facility.
41. AAPT
AAPT customer data held by contractor Melbourne IT was hacked and published online.
The Commissioner found AAPT had breached the Act for failing to adequately protect customer data from unauthorised access.
The Commissioner said:
It was not clear contractually who was responsible for addressing and identifying data security issues;
Old versions of applications and software were used; and
Data which was no longer needed was not destroyed.
Under the current Act he couldn’t impose a penalty, but under the changes to the Act he can.
42. Grays don’t escape
Grays sent an email to its customers introducing its new website ‘GraysEscape’.
They had decided that it was not commercial, and therefore sent it to customers who had previously unsubscribed; it also did not have an unsubscribe facility.
ACMA found that it was commercial, and hit them with a $165,000 fine.
It was made worse by the fact that Grays made a conscious determination that the email was not promotional (i.e. it was not the result of an error).
43. Crisis management
CUSTOMER INFORMATION (INCLUDING BANK ACCOUNT DETAILS) OF ABOUT 600 PEOPLE IS INADVERTENTLY EMAILED TO A HOUSEWIFE IN MILWAUKEE.
WHAT DO YOU DO?
44. What should you do?
FIRST STEP – LOOK AT YOUR OWN PROCEDURES.
HAVE YOUR SYSTEMS FAILED?
NO OBLIGATION TO NOTIFY THE CUSTOMERS OR THE COMMISSIONER.
LOOK AT IMPACT OF THE DISCLOSURE, THREAT TO THE CUSTOMER?
BE REASONABLE