AMSRO Webinar – 25 June 2014

Jayne Van Souwe, Principal, Wallis Consulting Group
Andrew Maher, Partner, HR Legal
Agenda
• What do Australians think about Privacy?
• The APPs
• The market and social research industry’s response
• Questions
What do Australians think about privacy?
• Key findings from “Community Attitudes towards Privacy” – study completed by Wallis for the Office of the Australian Information Commissioner
Australian Privacy Principles
• Definition and coverage
• The principles and their implications
The Australian Privacy Principles
• Cover all Australian government agencies and most private businesses.
• Replace the Information Privacy Principles (previously applied to government) and the National Privacy Principles (applied to businesses).
• The market and social research industry had its own set of Privacy Principles (Market and Social Research Privacy Principles) and will have its own Code again.
• APPs are minimum standards that can only be exceeded in separate industry codes – previous codes allowed limited trade-offs.
• They are data protection laws and only apply to information about private individuals.
The Australian Privacy Principles
• State government agencies excluding SA and WA remain bound by the relevant state data and privacy protection legislation, usually administered by state privacy commissioners:
  – ACT – Health records are administered by the Human Rights Commission; no territory-specific privacy law
  – NSW – Privacy and Personal Information Protection Act 1998
  – NT – Information Act 2002
  – QLD – Right to Information Act 2009, Information Privacy Act 2009
  – TAS – Personal Information and Protection Act 2004
  – VIC – Information Privacy Act 2000 (health information is covered by the Health Services Act administered by the Health Services Commissioner)
The Australian Privacy Principles
• State governments with their own privacy legislation are taking a “wait and see” approach to the APPs. They are likely to bring their own legislation into line eventually.
• At present state legislation exceeds base requirements of federal law and/or clarifies state-specific situations, eg states have different systems for managing health records.
• State and federal laws (and codes that have force of law) always take precedence over industry guidelines.
• Researchers should be aware of related guidelines, but recognise their place!
ACT = CODE = LAW
Guideline = good practice
The Australian Privacy Principles
• For market researchers the situation is clear – if you abide by the Code of Professional Behaviour of AMSRS you will continue to exceed ANY privacy legislation currently in force.
• (Note the Code of Professional Behaviour is being re-written so that it complements the new Industry Privacy Code, which in turn references the Code of Professional Behaviour.)
The Australian Privacy Principles
• For other areas of business the situation is less clear.
• Federal and state privacy commissioners work together to ensure that legislation complements rather than conflicts – it is more a matter of ensuring that any companies working for state government agencies are clear about which piece of legislation applies.
• If in doubt, comply with the most stringent piece of legislation.
The Australian Privacy Principles
What do we mean by Privacy?
Personal information
• Information or an opinion that identifies or could reasonably identify a person, whether true or not
• Examples include name, age, DOB, phone number, email address, photograph, credit card details, salary, information collected from customer surveys etc
Sensitive information
• Information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information.
• Under the APPs, the definition of sensitive information has been expanded to include biometric information used for biometric verification or identification (such as fingerprints, iris recognition, DNA etc).

The Australian Privacy Principles
• 13 new APPs replace IPPs and NPPs
• Single set of principles which apply to both public and private sectors (APP entities)
• Structured to reflect the information life cycle — collection, use and disclosure, quality and security, access and correction
• Mandatory minimums which must be equalled or exceeded in every case
Provides a single set of rules (at least for the majority of agencies and businesses bound only by them). No longer allows trade-offs in specific industry codes – all agencies and businesses must meet minimum standards.
APP 1 – Open and transparent management of personal information
• Agencies must have a clearly expressed and up-to-date privacy policy and complaints procedure
• Agencies must take reasonable steps to implement processes that will ensure that the agency complies with the APPs
While most organisations have privacy policies, they will need to update them and their complaints procedures regularly and ensure that they have processes in place to meet APP requirements.
APP 2 – Anonymity and pseudonymity
• Allows individuals to interact with agencies anonymously
• Permits the individual to use a pseudonym – unless it is impracticable to deal with an unidentified individual
Organisations need to allow people to use pseudonyms or deal with them anonymously where possible.
APP 3 – Collection of personal and sensitive information
• Collection must be ‘reasonably necessary’ for, or ‘directly related’ to, one or more of an agency’s functions or activities
• Higher standards for collection of sensitive information (necessary and with consent).
The definition of sensitive information hasn’t changed, but if it can be implied (eg some surnames are particular to specific races and ethnic groups) then information should be treated the same way.
APP 4 – Dealing with unsolicited personal information
• Unsolicited personal information now has the same protections as solicited personal information
• New principle for handling unsolicited personal information mandates that such data should be destroyed or de-identified if it could have been collected overtly and is not part of a Commonwealth record.
Ensure that only necessary information is transferred to external companies. Companies receiving unsolicited information should destroy it.
APP 5 – Notification of collection
This principle outlines the information that must be given to an individual when the agency collects their personal information. It includes:
• Information about an agency’s APP policy
• Who the agency is and how to contact it
• The purpose(s) of the collection
• Any collections from third parties
• Consequences of non-collection
• Complaint handling process
• Potential overseas disclosure
There is no substantial change in this APP compared with previous regulations on data collection.
APP 6 – Use or disclosure
• Deals with use and disclosure of personal information
• Different (more stringent) obligations apply to the use or disclosure of sensitive information, eg must gain permission
• New limited exceptions to permit use or disclosure for a secondary purpose to:
  – Locate a missing person
  – Establish, exercise or defend a legal or equitable claim
  – Confidential alternative dispute resolution
There is no substantial change in this APP compared with previous regulations on data collection.
APP 7 – Direct marketing
• Prohibits organisations from using or disclosing personal information for direct marketing purposes, except in specified circumstances
• Provides a compulsory ‘opt out’ clause
• Includes personalised advertisements on websites which use information gathered from “cookies” and similar to target individuals
This is a completely new Principle and differentiates Direct Marketing practices aimed at selling or marketing products. It includes electronic personalised DM.
APP 8 – Cross-border disclosure
• Introduces an accountability approach for cross-border disclosure
• Agencies must take reasonable steps to ensure overseas recipients do not breach APPs
• Agencies may be accountable for a breach of APPs by overseas recipients
While this is now a separate Principle, the concepts contained within it were in the NPPs previously.
APP 9 – Adoption, use or disclosure of government related identifiers
• Prohibits an organisation from adopting, or using, a government related identifier as its own identifier
Open data sets and the ability to conduct meta-analysis have led to the introduction of this additional measure to ensure data protection. It is recommended that an organisation uses its own identification system for records. It can hold a concordance, but must do so carefully.
APP 10 – Quality
• Requires agencies to take reasonable steps to ensure personal information they collect, use or disclose is:
  – Accurate
  – Up-to-date
  – Complete
• Agencies should ensure that personal information they use or disclose is also relevant for the purpose of the use or disclosure
There is no substantial change in this APP compared with previous regulations.
APP 11 – Security
• Inclusion of ‘interference’
• An agency must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure (including hacking)
There is no substantial change in this APP compared with previous regulations on data handling.
APP 12 – Access
• Agencies required to respond to requests for access to personal information within 30 days
• Exceptions apply – Freedom of Information Act 1982 or other legislation
• Access should be provided in the requested manner (where reasonable and practicable)
• Individual not to be charged
• Written reasons for the refusal and complaint mechanism
There is no substantial change in this APP compared with previous regulations.
APP 13 – Correction
• Agencies required to take ‘reasonable steps’ to correct personal information to ensure it is accurate, up-to-date, complete, relevant and not misleading, if:
  – agency satisfied it needs to be corrected, or
  – individual requests correction
• Agency to respond to request within 30 days
• Individual not to be charged
• Statement required if agency refuses to correct and individual requests statement
• Written reasons for refusal and complaint mechanism
There is no substantial change in this APP compared with previous regulations.
Commissioner’s New Powers
• Ability to investigate a potential privacy breach without receiving a complaint (own motion investigations – OMIs) as well as in response to complaint
• Wider range of action to be taken if a breach of the Act is substantiated, whether as a result of OMI or complaint (as before)
• Written undertakings can now be enforced
• Seek civil penalties for serious or repeated breaches (up to $1.7 million for corporations)
Commissioner can take unilateral action; fines are larger.
Market Research Industry Response
• New Privacy Code
• Information/template pack for AMSRO companies
New Market and Social Research Industry Privacy Code
• New codes must follow the format of the APPs and add to it
• To our knowledge the market research industry is the only one that has tendered its own Code for ratification. This will mean that the Code administrator is the industry body (AMSRO) rather than the OAIC.
New Market and Social Research Industry Privacy Code
The main areas of change are:
• Subscribers to the Code (AMSRO members) will have access to an industry Dispute Resolution mechanism, but must ensure public access to Privacy Policies, Complaints Procedures and the industry Code, as well as reporting complaints systematically and regularly to AMSRO
• Allow respondents to use a pseudonym if a name is needed and it is practicable
• Definition of personally identified information – care in what happens with de-identified data sets in the public arena. MR data falls into three areas irrespective of the collection method:
  – Contact details of research participants/sample
  – Research status
  – Research data
• New Privacy Principle for Direct Marketing will allow the industry to differentiate practice further
New Market and Social Research Industry Privacy Code
Main changes are:
• Government identifiers must not be used as research identifiers, unless:
  – It is reasonably necessary for verifying the person’s identity
  – It is reasonably necessary for the organisation to fulfil its obligations to an agency or a state/territory authority
  – It is authorised by or under an Australian law or a court order
  – It is necessary for enforcement activities
• If a respondent requests that their personally identified data be amended or corrected and this would damage the original point-in-time data, keep a record of the amendment if practical
PRIVACY Do’s and Don’ts
1. Do ensure appropriate systems and processes are in place to comply with the APPs
2. Don’t collect more personal information than is necessary or relevant
3. Do tell individuals what you are going to do with the collected information
4. Don’t use information for an unrelated secondary purpose without consent
5. Don’t disclose personal information unnecessarily
6. Do give people access to their personal information if they ask unless there are proper grounds not to
7. Do keep information secure and free from interference
8. Don’t keep personal information you no longer need or are no longer required to retain
9. Do keep personal information accurate and up to date
10. Don’t disclose information to overseas recipients in countries without equivalent privacy laws and the ability to enforce those rights unless consent is provided
11. Do make someone in the organisation responsible for privacy complaint handling, processes and systems.
Information pack for AMSRO companies
AMSRO has produced information for members to help them comply with the requirements, in particular:
• Templates for privacy policies
• Guidance on how to meet the requirements
The Trustmark
The Trustmark guarantees business and government decision makers that they are buying research that is quality-assured and meets not only ethical standards, but also the new Privacy Code.
AMSRO member organisations operate under the following stringent, mandatory criteria:
• Privacy: Adherence to the Market & Social Research Privacy Code
• Quality assurance: Companies must have the International Standard for Market, Opinion and Social Research qualifications (ISO 20252)
• Ethics: Adherence to the AMSRS Code of Professional Behaviour
Questions?