Privacy Update for Australian Government Agencies. What we've seen in the first 12 months of the new APPs and what's next!

Transcription

1 Privacy Update for Australian Government Agencies What we've seen in the first 12 months of the new APPs and what's next! Presented by Sharon Rowe and Alec Christie Canberra, 31 March 2015

2 What we are discussing today Setting the scene the results of our "survey" The main issues we've seen How should these issues be dealt with? How is the Commissioner applying the APPs? Immediate concerns The main issues we expect in the next 12 months and how these should be dealt with How to manage ongoing compliance Questions? Privacy Update for Australian Government 31 March

3 Setting the scene: Results of our "survey" Our "survey" of over 100 website and app privacy policies found that around 50% were not compliant with the APPs. Of that 50% non-compliance: 5% - no privacy policy at all 10% - using a policy based on the law of another country (a parent company's policy?) 10% - failed to update from the previous National Privacy Principles/Information Privacy Principles 30% - failed to comply with required notification/consent processes / transparency 45% - failed to fully comply with APP 5 (notification of collection of personal information) Privacy Update for Australian Government 31 March

4 The main issues in the first 12 months of the APPs Basic compliance: non-compliant privacy policy no notification at or prior to collection Commonwealth contracts/contractors Third party collections Security of information De-identification / destruction of personal information Privacy Update for Australian Government 31 March

5 How should these issues be dealt with? Up to date and bespoke policy Prominent notice of policy at the time of providing information Have the 3 rd party notify (get consent to) your privacy policy Review template contracts and update privacy clauses (it is not sufficient to just replace 'IPP' with 'APP'!) Review the OAIC security guidance with the IT Dept. to determine what you do/don't do Your document retention policy must address the APP 11 de-identification / destruction obligation Privacy Update for Australian Government 31 March

6 How is the Privacy Commissioner applying the APPs? The amendments to the Privacy Act included increased powers of the Privacy Commissioner and these powers are being used! Guidance on numerous areas Own motion investigations / public reports Public appearances and comments Privacy by design! Privacy Update for Australian Government 31 March

7 Immediate concerns What the Privacy Commissioner is up to now! Audit of 50 top Australian websites recently completed and audit of 21 random privacy policies for compliance with APP 1. It may be you! "Simple compliance is not enough" the Commissioner's "privacy management framework" What does compliance with APP 1 look like? Privacy Update for Australian Government 31 March

8 What should Government focus on for the next 12 months? Checking Privacy Act compliance and addressing non-compliances Establishing good governance processes to minimise the risk of breaches Implementing internal training programs and raising awareness Getting ready for breaches Privacy Update for Australian Government 31 March

9 Our predictions: The main global privacy issues for the next 12 months Cyber security/privacy governance Big Data analytics Internet of Things Metadata retention and mandatory breach notification Impact of the EU Data Protection Regulation Privacy Update for Australian Government 31 March

10 Cyber security/privacy governance Privacy governance a top priority for Commissioner Detailed OAIC security guidance Cyber / privacy security a governance issue from top down Practical tips: cyber risk/security management from top down Agency executives need to be involved basic security measures can thwart 80% of cyber attacks Privacy Update for Australian Government 31 March

11 Big Data analytics Significant increase in Big Data projects in last 12 months Despite recent media reports to the contrary (eg The 7.30 Report) Big Data is regulated by the APPs Notified purposes for which personal information collected 3 rd party sources of personal information your primary obligations under the APPs Re-identification of de-identified /anonymous data Practical tips Privacy Update for Australian Government 31 March

12 The Internet of Things IoT is starting to happen! Build in privacy from the beginning privacy by design Transparency, "opt-in" and "opt-out", an ongoing relationship and clearly notifying the purposes for collection/uses to be made of information Consent for sensitive / health information wearables! Privacy Update for Australian Government 31 March

13 How to manage your ongoing compliance Privacy Policy Processes (Notification/Consent) Provisions in your Commonwealth contracts including offshore data processing contracts Personnel (Training and Internal Systems and Procedures) Privacy Update for Australian Government 31 March

14 Questions Privacy Update for Australian Government 31 March

15 Further reading OIAC privacy guidance Australian Government Protective Security Framework Recent DLA Piper articles 5/02/privacy-commissioner-to-audit-21-privacy-policies/ 5/02/privacy-update-australia-5-february-2015/ DLA Piper Global Data Protection Handbook (2015) Privacy Update for Australian Government 31 March

16 Contact information Sharon Rowe Partner DLA Piper T sharon.rowe@dlapiper.com Alec Christie Partner DLA Piper T alec.christie@dlapiper.com This presentation is intended as a first point of reference and should not be relied on as a substitute for professional advice. Specialist legal advice should always be sought in relation to any particular circumstances and no liability will be accepted for any losses incurred by those relying solely on this presentation. Privacy Update for Australian Government 31 March