Jayne Van Souwe, Principal, Wallis Consulting Group
Andrew Maher, Partner, HR Legal

Agenda
• What do Australians think about Privacy?
• The APPs
• The market and social research industry’s response
• Questions

What do Australians think about privacy?
Key findings from “Community Attitudes towards Privacy” – a study completed by Wallis for the Office of the Australian Information Commissioner

Australian Privacy Principles
• Definition and coverage
• The principles and their implications

The Australian Privacy Principles
• Cover all Australian government agencies and most private businesses.
• Replace the Information Privacy Principles (previously applied to government) and the National Privacy Principles (applied to businesses).
• The market and social research industry had its own set of Privacy Principles (Market and Social Research Privacy Principles) and will have its own Code again.
• APPs are minimum standards that can only be exceeded in separate industry codes – previous codes allowed limited trade-offs.
• They are data protection laws and only apply to information about private individuals.

The Australian Privacy Principles
State government agencies, excluding SA and WA, remain bound by the relevant state data and privacy protection legislation, usually administered by state privacy commissioners:
• ACT – Health records are administered by the Human Rights Commission; no territory-specific privacy law
• NSW – Privacy and Personal Information Protection Act 1998
• NT – Information Act 2002
• QLD – Right to Information Act 2009, Information Privacy Act 2009
• TAS – Personal Information and Protection Act 2004
• VIC – Information Privacy Act 2000 (health information is covered by the Health Services Act administered by the Health Services Commissioner)

The Australian Privacy Principles
State governments with their own privacy legislation are taking a “wait and see” approach to the APPs. They are likely to bring their own legislation into line eventually.
At present state legislation exceeds the base requirements of federal law and/or clarifies state-specific situations, e.g. states have different systems for managing health records.
State and federal laws (and codes that have the force of law) always take precedence over industry guidelines. Researchers should be aware of related guidelines, but recognise their place!
Act = Code = Law
Guideline = good practice

The Australian Privacy Principles
For market researchers the situation is clear – if you abide by the Code of Professional Behaviour of AMSRS you will continue to exceed ANY privacy legislation currently in force. (Note the Code of Professional Behaviour is being re-written so that it complements the new Industry Privacy Code, which in turn references the Code of Professional Behaviour.)

The Australian Privacy Principles
For other areas of business the situation is less clear. Federal and state privacy commissioners work together to ensure that legislation complements rather than conflicts – it is more a matter of ensuring that any companies working for state government agencies are clear about which piece of legislation applies. If in doubt, comply with the most stringent piece of legislation.

The Australian Privacy Principles
What do we mean by Privacy?
Personal information: information or an opinion that identifies or could reasonably identify a person, whether true or not. Examples include name, age, DOB, phone number, email address, photograph, credit card details, salary, information collected from customer surveys etc.
Sensitive information: information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information.
Under the APPs, the definition of sensitive information has been expanded to include biometric information used for biometric verification or identification (such as fingerprints, iris recognition, DNA etc).

The Australian Privacy Principles
• 13 new APPs replace the IPPs and NPPs
• Single set of principles which apply to both public and private sectors (APP entities)
• Structured to reflect the information life cycle — collection, use and disclosure, quality and security, access and correction
• Mandatory minimums which must be equalled or exceeded in every case
• Provides a single set of rules (at least for the majority of agencies and businesses bound only by them)
• No longer allows trade-offs in specific industry codes – all agencies and businesses must meet minimum standards

APP 1 – Open and transparent management of personal information
• Agencies must have a clearly expressed and up-to-date privacy policy and complaints procedure
• Agencies must take reasonable steps to implement processes that will ensure that the agency complies with the APPs
• While most organisations have privacy policies, they will need to update them and their complaints procedures regularly and ensure that they have processes in place to meet APP requirements

APP 2 – Anonymity and pseudonymity
• Allows individuals to interact with agencies anonymously
• Permits the individual to use a pseudonym – unless it is impracticable to deal with an unidentified individual
• Organisations need to allow people to use pseudonyms or deal with them anonymously where possible

APP 3 – Collection of personal and sensitive information
• Collection must be ‘reasonably necessary’ for, or ‘directly related’ to, one or more of an agency’s functions or activities
• Higher standards for collection of sensitive information (necessary and with consent)
• The definition of sensitive information hasn’t changed, but if it can be implied (e.g. some surnames are particular to specific races and ethnic groups) then the information should be treated the same way

APP 4 – Dealing with unsolicited personal information
• Unsolicited personal information now has the same protections as solicited personal information
• New principle for handling unsolicited personal information mandates that such data should be destroyed or de-identified if it could have been collected overtly and is not part of a Commonwealth record
• Ensure that only necessary information is transferred to external companies. Companies receiving unsolicited information should destroy it

APP 5 – Notification of collection
This principle outlines the information that must be given to an individual when the agency collects their personal information. It includes:
• Information about an agency’s APP policy
• Who the agency is and how to contact it
• The purpose(s) of the collection
• Any collections from third parties
• Consequences of non-collection
• Complaint handling process
• Potential overseas disclosure
There is no substantial change in this APP compared with previous regulations on data collection.

APP 6 – Use or disclosure
• Deals with use and disclosure of personal information
• Different (more stringent) obligations apply to the use or disclosure of sensitive information, e.g. must gain permission
• New limited exceptions, to permit use or disclosure for a secondary purpose to:
  – Locate a missing person
  – Establish, exercise or defend a legal or equitable claim
  – Confidential alternative dispute resolution
There is no substantial change in this APP compared with previous regulations on data collection.

APP 7 – Direct marketing
• Prohibits organisations from using or disclosing personal information for direct marketing purposes, except in specified circumstances
• Provides a compulsory ‘opt out’ clause
• Includes personalised advertisements on websites which use information gathered from “cookies” and similar to target individuals
This is a completely new Principle and differentiates Direct Marketing practices aimed at selling or marketing products. It includes electronic personalised DM.

APP 8 – Cross border disclosure
• Introduces an accountability approach for cross-border disclosure
• Agencies must take reasonable steps to ensure overseas recipients do not breach the APPs
• Agencies may be accountable for a breach of the APPs by overseas recipients
While this is now a separate Principle, the concepts contained within it were in the NPPs previously.

APP 9 – Adoption, use or disclosure of government related identifiers
• Prohibits an organisation from adopting or using a government related identifier as its own identifier
• Open data sets and the ability to conduct meta-analysis have led to the introduction of this additional measure to ensure data protection
• It is recommended that an organisation uses its own identification system for records. It can hold a concordance, but must do so carefully

APP 10 – Quality
• Requires agencies to take reasonable steps to ensure personal information it collects, uses or discloses is:
  – Accurate
  – Up-to-date
  – Complete
• Agencies should ensure that personal information that it uses or discloses is also relevant for the purpose of the use or disclosure
There is no substantial change in this APP compared with previous regulations.

APP 11 – Security
• Inclusion of ‘interference’: an agency must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure (including hacking)
There is no substantial change in this APP compared with previous regulations on data handling.

APP 12 – Access
• Agencies required to respond to requests for access to personal information within 30 days
• Exceptions apply – Freedom of Information Act 1982 or other legislation
• Access should be provided in the requested manner (where reasonable and practicable)
• Individual not to be charged
• Written reasons for the refusal and complaint mechanism
There is no substantial change in this APP compared with previous regulations.

APP 13 – Correction
• Agencies required to take ‘reasonable steps’ to correct personal information to ensure it is accurate, up-to-date, complete, relevant and not misleading, if:
  – the agency is satisfied it needs to be corrected, or
  – the individual requests correction
• Agency to respond to the request within 30 days
• Individual not to be charged
• Statement required if the agency refuses to correct and the individual requests a statement
• Written reasons for refusal and complaint mechanism
There is no substantial change in this APP compared with previous regulations.

Commissioner’s New Powers
• Ability to investigate a potential privacy breach without receiving a complaint (own motion investigations – OMIs) as well as in response to a complaint
• Wider range of action to be taken if a breach of the Act is substantiated, whether as a result of an OMI or a complaint (as before)
• Written undertakings can now be enforced
• Seek civil penalties for serious or repeated breaches (up to $1.7 million for corporations)
The Commissioner can take unilateral action, and fines are larger.

Market Research Industry Response
• New Privacy Code
• Information/template pack for AMSRO companies

New Market and Social Research Industry Privacy Code
• New codes must follow the format of the APPs and add to it
• To our knowledge the market research industry is the only one that has tendered its own Code for ratification. This will mean that the Code administrator is the industry body (AMSRO) rather than the OAIC.
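APP 9 above recommends that an organisation key its records with its own identification system and hold any concordance carefully. The following is an added illustration of that separation (not code from the presentation, AMSRO or the OAIC): a random research ID keys the research status and data, while contact details and any government related identifier live only in a separate concordance. The field names and the sample record are assumptions.

```python
"""Added illustration of the APP 9 recommendation: research records are keyed by a
random research ID; contact details and any government related identifier live only in
a separate, restricted concordance, so the exported research data set carries neither."""
import secrets

# Contact details: stored in the concordance only, never in the research data set.
CONTACT_FIELDS = {"name", "phone", "email", "address"}
# Government related identifiers (assumed field names): never the research identifier.
GOVERNMENT_IDENTIFIER_FIELDS = {"medicare_number", "tax_file_number", "drivers_licence"}


class ResearchStore:
    """Two stores: a restricted concordance and the shareable research status/data."""

    def __init__(self):
        self.concordance = {}  # research_id -> contact details and government identifiers
        self.research = {}     # research_id -> research status and research data

    def add_participant(self, record):
        """Split one collected record across the two stores; return the research ID."""
        research_id = "R" + secrets.token_hex(8)  # random, so not derived from any identifier
        identifying = {k: v for k, v in record.items()
                       if k in CONTACT_FIELDS or k in GOVERNMENT_IDENTIFIER_FIELDS}
        self.concordance[research_id] = identifying
        self.research[research_id] = {k: v for k, v in record.items() if k not in identifying}
        return research_id

    def export_dataset(self):
        """Rows that may be passed on: research ID plus research status/data only."""
        return [{"research_id": rid, **data} for rid, data in self.research.items()]

    def relink(self, research_id):
        """Re-identify one participant (e.g. to answer an APP 12 access request)."""
        return {**self.concordance[research_id], **self.research[research_id]}


def dataset_is_deidentified(rows):
    """Check before release: no row carries a contact field or a government identifier."""
    banned = CONTACT_FIELDS | GOVERNMENT_IDENTIFIER_FIELDS
    return all(not (banned & set(row)) for row in rows)


# Constructed sample survey record (placeholder values, not real data).
SAMPLE = {"name": "A. Respondent", "email": "respondent@example.invalid",
          "medicare_number": "MEDICARE-PLACEHOLDER", "status": "completed",
          "q1_satisfaction": 4, "q2_age_band": "35-44"}

if __name__ == "__main__":
    store = ResearchStore()
    rid = store.add_participant(SAMPLE)
    print(store.export_dataset(), dataset_is_deidentified(store.export_dataset()))
```

The exported rows can be shared with analysts or clients; only the concordance, which should sit under separate access controls, can tie a research ID back to a person.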
New Market and Social Research Industry Privacy Code
The main areas of change are:
• Subscribers to the Code (AMSRO members) will have access to an industry Dispute Resolution mechanism, but must ensure public access to Privacy Policies, Complaints Procedures and the industry Code, as well as reporting complaints systematically and regularly to AMSRO
• Allow respondents to use a pseudonym if a name is needed and it is practicable
• Definition of personally identified information – care in what happens with de-identified data sets in the public arena. MR data falls into three areas irrespective of the collection method:
  – Contact details of research participants/sample
  – Research status
  – Research data
• New Privacy Principle for Direct Marketing will allow the industry to differentiate practice further

New Market and Social Research Industry Privacy Code
Main changes are:
• Government identifiers must not be used as research identifiers, unless:
  – It is reasonably necessary for verifying the person’s identity
  – It is reasonably necessary for the organisation to fulfil its obligations to an agency or a state/territory authority
  – It is authorised by or under an Australian law or a court order
  – It is necessary for enforcement activities
• If a respondent requests that their personally identified data be amended or corrected and this would damage the original point-in-time data, keep a record of the amendment if practical

PRIVACY Do’s and Don’ts
1. Do ensure appropriate systems and processes are in place to comply with the APPs
2. Don’t collect more personal information than is necessary or relevant
3. Do tell individuals what you are going to do with the collected information
4. Don’t use information for an unrelated secondary purpose without consent
5. Don’t disclose personal information unnecessarily
6. Do give people access to their personal information if they ask, unless there are proper grounds not to
7. Do keep information secure and free from interference
8. Don’t keep personal information you no longer need or are no longer required to retain
9. Do keep personal information accurate and up to date
10. Don’t disclose information to overseas recipients in countries without equivalent privacy laws and the ability to enforce those rights unless consent is provided
11. Do make someone in the organisation responsible for privacy complaint handling, processes and systems

Information pack for AMSRO companies
AMSRO has produced information for members to help them comply with the requirements, in particular:
• Templates for privacy policies
• Guidance on how to meet the requirements

The Trustmark
The Trustmark guarantees business and government decision makers that they are buying research that is quality-assured and meets not only ethical standards, but also the new Privacy Code. AMSRO member organisations operate under the following stringent, mandatory criteria:
• Privacy: Adherence to the Market & Social Research Privacy Code
• Quality assurance: Companies must have the International Standard for Market, Opinion and Social Research qualification (ISO 20252)
• Ethics: Adherence to the AMSRS Code of Professional Behaviour

Questions?