Employee Data Privacy A Regional Overview


Introduction

All employers collect, handle and use employee personal data. Most jurisdictions have laws regulating such collection, handling and use of employee personal data. With increasing globalization and mobility of employees, and the relative ease with which data can be transferred between legal entities and across borders, complying with all requirements relating to personal data has become an increasingly difficult exercise. This publication attempts to ease such burden.

This publication covers 16 different jurisdictions in Asia. For each of the jurisdictions covered we asked the following questions:

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?
B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?
C. For how long must an employer retain an employee's personal data? What is best practice?
D. What are the legal restrictions on transferring employees' personal data outside your country?
E. What are the legal restrictions on transferring employees' personal data to a third party?
F. What are the consequences of breaching privacy laws in your jurisdiction?
G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

We have set out the answers to each of these questions in two different formats. Section 1 contains an Executive Summary of each jurisdiction's responses. This is intended to be a short - at a glance - overview of the position. Section 2 contains the more substantive answers to the questions.

We do hope that you find this publication useful. It has been made possible with the input from lawyers in leading law firms in each jurisdiction. Should you wish to contact the lawyers in any of the jurisdictions, their contact details are set out in the last Section of this publication.

Phillipa Muir
Partner
Simpson Grierson

Asia

Section 1: Executive Summary

Section 2: The Expanded Answer to the Questions by Jurisdiction
Australia
Hong Kong
India
Indonesia
Japan
Mainland China
Malaysia
New Zealand
Pakistan
Philippines
Singapore
South Korea
Sri Lanka
Taiwan
Thailand
Vietnam

Executive Summary: AUSTRALIA

A. Is there a law regulating employee personal data?
A range of State and federal legislation regulates the handling of personal data. The principal piece of legislation for incorporated entities can be applied to employee data; however, it is substantially limited in such respect.

B. Do I need to have a privacy statement or agreement?
There is no legal requirement for such a statement or agreement; however, it is prudent to have a privacy code, policy or procedure in place.

C. How long must I retain employee data? What is best practice?
Various pieces of State and federal legislation require certain employee records (which could include personal data) to be retained for specified periods. Specific legislation requires that certain employee records be kept for at least 7 years.

D. Can I transfer employee data overseas?
Yes, subject to certain requirements.

E. Can I transfer employee data to a third party?
Yes, subject to certain requirements.

F. What are the consequences of breach?
A determination may be made by the Privacy Commissioner, including a declaration that a reasonable act should be performed to redress any loss or damage suffered by a complainant, or that a complainant is entitled to a specified amount of compensation for any loss or damage suffered (including injury to feelings or humiliation). Determinations may be enforced by proceedings commenced in the Federal Court or Federal Magistrates Court. The Court may make such orders as it thinks fit.

G. What are the main pitfalls?
Pitfalls include:
- Assuming privacy regulation is the same across all jurisdictions.
- Failure to ensure that any records held containing the personal information of employees are only dealt with in a manner that directly relates to the employment relationship; that is, any employee records should only be collected, used and disclosed for the purpose of the employment relationship.
- Collection of unnecessary personal information and consequent exposure to legal risk.
- Failure to develop, implement and enforce comprehensive policies and procedures around the handling of personal information.

Contributed by Corrs Chambers Westgarth

Executive Summary: HONG KONG

A. Is there a law regulating employee personal data?
Yes. The Personal Data (Privacy) Ordinance.

B. Do I need to have a privacy statement or agreement?
No particular form of document is needed. Certain information required to be provided by legislation is typically provided in a Personal Information Collection Statement (PICS).

C. How long must I retain employee data? What is best practice?
The Employment Ordinance requires certain employee data be retained for at least 12 months. Best practice suggestion: 2 years for recruitment data and 7 years for employment data unless employer has a legitimate reason for retaining data longer (e.g. litigation).

D. Can I transfer employee data overseas?
Yes, subject to certain requirements.

E. Can I transfer employee data to a third party?
Yes, subject to certain requirements.

F. What are the consequences of breach?
- Investigation by Commissioner.
- Commissioner may issue Enforcement notice.
- Criminal liability if failure to comply with an enforcement notice; on conviction, a fine at level 5 (currently HK$50,000), imprisonment for 2 years and, if continuing offence, a daily penalty of HK$10,000.
- Civil liability: data subject may claim compensation.

G. What are the main pitfalls?
- Employers should issue PICS and ensure purpose of use of data specified in PICS covers employer's requirements.
- Employees can access and obtain their personal data by downloading a Data Access Request (DAR).
- An employer must provide all personal data of the employee in response to a DAR unless exception applies, e.g. employees using DAR to fish for claims against employer.

Contributed by Mayer Brown JSM

Executive Summary: INDIA

A. Is there a law regulating employee personal data?
There is no specific law on the subject. However, action may be initiated for claim under the Information Technology Act, 2000, tort or for breach of fundamental right of life and liberty (including right to privacy) as guaranteed by the Constitution of India.

B. Do I need to have a privacy statement or agreement?
There is no legal requirement. However, it is advisable to have a privacy statement/agreement.

C. How long must I retain employee data? What is best practice?
Employees' personal data may be retained for 3 years, and financial data for 8 years.

D. Can I transfer employee data overseas?
There is no law restricting transfer of employees' personal data. However, the courts may impose reasonable restrictions if it considers the information to be of a sensitive nature.

E. Can I transfer employee data to a third party?
There is no law restricting transfer of employees' personal data. However, the courts may impose reasonable restrictions if it considers the information to be of a sensitive nature.

F. What are the consequences of breach?
There is no specific law pertaining to transfer of employees' personal data. However, action may be initiated by employee under tort or for breach of right to privacy or, in certain cases, under The Information Technology Act,

G. What are the main pitfalls?
Though there is no specific law relating to data protection in India, there is some protection available under the Constitution of India, Article 21, Right to Life and Liberty. The courts in India have interpreted Right to Privacy as part of the broad spectrum of Right to Life. Further, the Information Technology Act, 2000 extends protection to data in electronic form which is sensitive in nature (as may be notified by the Central Government). Further, the courts may impose restrictions on transfer of data in case it considers the data to be sensitive enough to cause irreparable harm to the employee if the data were so transferred. Therefore, it is advisable to seek the consent of the employee prior to any intended transfer of his/her personal data.

Contributed by Trilegal

Executive Summary: INDONESIA

A. Is there a law regulating employee personal data?
There is no specific law regulating employee personal data. Human Rights law provides right to privacy.

B. Do I need to have a privacy statement or agreement?
Yes, it is recommended to include statement in Company Regulation (work rules) clarifying employer's right to use personal data, albeit there is no legal requirement to do so.

C. How long must I retain employee data? What is best practice?
At discretion of Board of Directors. Best Practice: at least two (2) years after termination of employment.

D. Can I transfer employee data overseas?
There is no specific restriction but it is prudent to include such right in personal statement in Company Regulation.

E. Can I transfer employee data to a third party?
There is no specific restriction but it is prudent to include such right in personal statement in Company Regulation.

F. What are the consequences of breach?
In theory, causes of action may include civil tort, civil or criminal defamation, or criminal unpleasant act.

G. What are the main pitfalls?
Personal data should be handled responsibly to avoid employee suffering embarrassment or other damages.

Contributed by Soewito Suhardiman Eddymurthy Kardono

Executive Summary: JAPAN

A. Is there a law regulating employee personal data?
Yes. There is the Personal Information Protection Act ("PIPA") and various governmental guidelines.

B. Do I need to have a privacy statement or agreement?
Generally no. However, it is advisable to establish a privacy policy as this is the most convenient way to satisfy an employer's obligation upon receiving personal data, i.e. inform the employee of (or publicly announce) the purpose for use of such personal data.

C. How long must I retain employee data? What is best practice?
Certain important documents must be retained for 3 years.

D. Can I transfer employee data overseas?
Yes, so long as the transfer occurs within the same legal entity, no restrictions exist in transferring personal data overseas. However, transfer to a third party (including an overseas parent or related company) requires the prior consent of the employee.

E. Can I transfer employee data to a third party?
The prior consent of the employee is needed to transfer the employee's personal data to a third party.

F. What are the consequences of breach?
The government may issue a recommendation and/or order to rectify the breach. Failure to comply with the order may lead to imprisonment of up to 6 months or a fine of up to JPY 300,000. If a breach of the PIPA causes any damage, a person responsible for such breach may be liable for the damages as a result thereof.

G. What are the main pitfalls?
Special regulations exist for health-related information and other sensitive information. When conducting a background check separately, it is advisable to obtain the job applicant's consent for the acquisition of personal data from a third-party service provider.

Contributed by Anderson Mori & Tomotsune

Executive Summary: MAINLAND CHINA

A. Is there a law regulating employee personal data?
Yes. Employment Services and Management Regulations.

B. Do I need to have a privacy statement or agreement?
There is no legal requirement. However, ideally an employer should have a written agreement with its employee regulating the collection, use and handling of personal data.

C. How long must I retain employee data? What is best practice?
The law is unclear. We suggest 2 years as best practice.

D. Can I transfer employee data overseas?
Yes, but if the transfer involves publicizing the employee's personal data, then written consent from the employee is required.

E. Can I transfer employee data to a third party?
Yes, but if the transfer involves publicizing the employee's personal data, then written consent from the employee is required.

F. What are the consequences of breach?
The consequences are unclear as there are no clear provisions setting out the consequences of breach.

G. What are the main pitfalls?
An employer is obliged to keep confidential the employee's personal data, and has to obtain the employee's written consent if it will publicize any such personal data.

Contributed by JSM Shanghai Representative Office

Executive Summary: MALAYSIA

A. Is there a law regulating employee personal data?
The Employment Act
The Personal Data Protection Bill 2009 has been passed but not yet gazetted to commence.

B. Do I need to have a privacy statement or agreement?
No.

C. How long must I retain employee data? What is best practice?
6 Years.

D. Can I transfer employee data overseas?
Yes.

E. Can I transfer employee data to a third party?
Yes.

F. What are the consequences of breach?
None.

G. What are the main pitfalls?
Ensuring up-to-date information on personnel. Be aware of the gazetting of the Personal Data Protection Bill 2009 to commence.

Contributed by Shearn Delamore

Executive Summary: NEW ZEALAND

A. Is there a law regulating employee personal data?
Yes, the Privacy Act

B. Do I need to have a privacy statement or agreement?
This is not required by the Privacy Act but is recommended as a matter of best practice.

C. How long must I retain employee data? What is best practice?
The Privacy Act does not require information to be held for any fixed period. The emphasis in the Act is on not holding information for longer than is necessary. However, there are various other statutes governing the minimum periods for which certain information must be held (for example, tax records must be held for 7 years, and wage records must be held for 6 years).

D. Can I transfer employee data overseas?
The Privacy Act does not contain specific restrictions on the transfer of personal information overseas. Individuals must be made aware of all intended recipients of their personal information at the time it is collected. If such notice is not provided, then the consent of employees must generally be obtained before transferring information to any other jurisdiction.

E. Can I transfer employee data to a third party?
The Privacy Act does not contain specific restrictions on the transfer of personal information to third parties. Individuals must be made aware of all intended recipients of their personal information at the time it is collected. If such notice is not provided, then the consent of employees must generally be obtained before transferring information to any other entity/third party.

F. What are the consequences of breach?
(1) Investigation by Privacy Commissioner (who can issue non-binding recommendations).
(2) Human Rights Review Tribunal (potential remedies include damages up to NZ$200,000, although damage awards greater than NZ$10,000 are rare).
(3) Administrative Penalties (may be liable on summary conviction for a fine not exceeding NZ$2,000).

G. What are the main pitfalls?
Common pitfalls include:
- The failure to properly notify an individual about the collection of personal information (in accordance with IPP 3).
- The use of personal information for a purpose other than that for which it was obtained (prohibited by IPP 10).
- Improper disclosure of personal information (prohibited by IPP 11).

Contributed by Simpson Grierson

Executive Summary: PAKISTAN

A. Is there a law regulating employee personal data?
Presently there is no statutory law, regulation or code which deals with collection, use and/or handling of an employee's personal data in Pakistan. However, normally all employers require personal data of their employees for security and cross-reference reasons. Moreover, the employee's name, Computer National Identification Card and address are also used for filing of annual returns. The general principles of Law of Torts will apply but they do not require any strict compliance, and lack of malice on the part of employer in collecting, storing and disclosing personal data of an employee will be sufficient defence against any potential action against the employer. Such an action, though a possibility, is seldom used.

B. Do I need to have a privacy statement or agreement?
There is no legal requirement to have a document to deal with the employee's personal data.

C. How long must I retain employee data? What is best practice?
There is no legal requirement for withholding of employee's personal data. The employers generally hold the employee's data for a couple of years as a cross-reference and for their own personal record.

D. Can I transfer employee data overseas?
There are no legal restrictions on transferring employee's personal data outside Pakistan.

E. Can I transfer employee data to a third party?
As stated earlier, presently there is no statutory law which controls and regulates the collection, use and handling of an employee's personal data in Pakistan; therefore, there are no legal restrictions on transferring employee's personal data to a third party. However, there is one exception: if employee and employer have entered into a confidentiality agreement, then both the parties would be governed by the terms of the confidentiality agreement.

F. What are the consequences of breach?
There are no privacy laws in Pakistan, therefore the occasion of their breach cannot arise; however, if privacy agreements are breached, then suit (civil action) for damages can be filed under the Law of Contracts.

G. What are the main pitfalls?
Presently, absence of laws regarding employee's personal data is the main drawback in Pakistan. However, if the personal data disclosed to a third party proves to be incorrect, the suit for damages under the Law of Torts can be filed demanding damages. This is a case of rare occurrence but still a possibility.

Note: The above information is in reference to jurisdiction in Pakistan.

Contributed by Meer & Hasan

Executive Summary: PHILIPPINES

A. Is there a law regulating employee personal data?
Yes. However, these are general laws that regulate the use of personal data (including employee data) for the protection of the individual's constitutionally protected right to privacy and not a specific law that regulates the collection, use and/or handling of employee personal data per se.

B. Do I need to have a privacy statement or agreement?
None of the data privacy protection laws specifically require that a written privacy statement or agreement be in place before an employer may use employee personal data. The transfer of employee personal data to a third party is, however, subject to restrictions. (See Response to Question E.)

C. How long must I retain employee data? What is best practice?
There is no fixed period within which an employer is required to retain employee personal data.

D. Can I transfer employee data overseas?
Yes, as long as there is consent or a legitimate purpose for the transfer.

E. Can I transfer employee data to a third party?
Yes, as long as there is consent or a legitimate purpose for the transfer and as long as there is a written contract between the data processor (third party) and data controller (employer).

F. What are the consequences of breach?
The party divulging the information may be liable for the payment of damages. With respect to certain information, the party divulging such information may also open himself to a possible criminal liability.

G. What are the main pitfalls?
There is no specific law that deals with the management of an employee's personal data.

Contributed by SyCip Salazar Hernandez & Gatmaitan

Executive Summary: SINGAPORE

A. Is there a law regulating employee personal data?
There is no single overarching legislation on employee data privacy in Singapore. However, the Computer Misuse Act ("CMA") prohibits the unauthorised access to data and/or unauthorised interception of computer communications. The Model Data Protection Code for the private sector, which is not mandatory, has 10 principles that organisations should follow when collecting, processing and storing personal data.

B. Do I need to have a privacy statement or agreement?
An agreement with the person whose information is being collected is required for compliance with the CMA. No agreement is required for collection of employee data under other statutes. However, having one in place is nevertheless recommended.

C. How long must I retain employee data? What is best practice?
The time period for which employee data shall be retained depends on the individual statutes and generally varies from five to seven years. Where the retention period is not provided, the best practice is to retain the information for 7 years.

D. Can I transfer employee data overseas?
There are no restrictions on transferring employee data overseas. However, please note that the Banking Act restricts the transfer of customer information to third parties and such disclosure is permitted only under the specific circumstances prescribed therein.

E. Can I transfer employee data to a third party?
There are no restrictions on transferring employee data to third parties. However, please note that the Banking Act restricts the transfer of customer information to third parties and such disclosure is permitted only under the specific circumstances prescribed therein.

F. What are the consequences of breach?
Violation of the CMA provisions can lead to a maximum fine of S$5,000 or imprisonment for no more than 2 years or both for the first offence and a maximum fine of S$10,000 or imprisonment for no more than 3 years or both for subsequent offences.

G. What are the main pitfalls?
There is no single overarching legislation, although several pieces of legislation regulate this area.

Contributed by Rajah & Tann

Executive Summary: SOUTH KOREA

A. Is there a law regulating employee personal data?
No.

B. Do I need to have a privacy statement or agreement?
Advisable.

C. How long must I retain employee data? What is best practice?
3 years.

D. Can I transfer employee data overseas?
Advisable to obtain employee consent.

E. Can I transfer employee data to a third party?
Advisable to obtain employee consent.

F. What are the consequences of breach?
Depending on the characterization of the breach, consequences may include civil and/or criminal liability.

G. What are the main pitfalls?
Depending on the circumstances, the Protection of Credit Information Act containing criminal punishment may apply.

Contributed by Kim & Chang

Executive Summary: SRI LANKA

A. Is there a law regulating employee personal data?
No.

B. Do I need to have a privacy statement or agreement?
No.

C. How long must I retain employee data? What is best practice?
Depends on the category of employee.

D. Can I transfer employee data overseas?
Yes.

E. Can I transfer employee data to a third party?
Yes.

F. What are the consequences of breach?
Not applicable.

G. What are the main pitfalls?
No statutory provision.

Contributed by John Wilson Partners

Executive Summary: TAIWAN

A. Is there a law regulating employee personal data?
Yes, the CPDPA, which will be substituted by the PDPA passed on April 27, 2010 with the effective date to be published by the Executive Yuan, the Republic of China.

B. Do I need to have a privacy statement or agreement?
CPDPA: No, but the CPDPA requires an employer to prepare a book with certain information listed for employee's inspection or review.
PDPA: No, but the PDPA requires that:
1) a private sector employer makes the collected personal data of an employee available to such employee for inspection and review or provides a duplicate of such personal data upon such employee's request subject to certain exceptions, such as national security concerns, etc.; and
2) a notification with certain information shall be presented to the employee when the employee's personal data is collected, used, or handled.

C. How long must I retain employee data? What is best practice?
CPDPA: Under the CPDPA, an employer shall comply with the length of retention approved by the competent authority.
PDPA: Under the PDPA, in general, an employer may retain an employee's personal data where a specific purpose exists or prior to the expiration of the retention period.

D. Can I transfer employee data overseas?
CPDPA: Yes, if international transfer of personal data is registered with and approved by the competent authority under the CPDPA.

CPDPA & PDPA: Under both the CPDPA and PDPA, in certain circumstances, the central competent authority may nevertheless restrict lawful international transfers.

E. Can I transfer employee data to a third party?
CPDPA: Yes, under the CPDPA, subject to certain exceptions, the transfer shall be limited to the scope of the specific purposes.
PDPA: Under the PDPA, in general, sensitive data may not be transferred, while non-sensitive data shall be limited to the scope of the specific purposes for collecting such data.

F. What are the consequences of breach?
CPDPA & PDPA: An employer in violation of either the CPDPA or PDPA may be subject to civil, criminal and/or administrative liabilities.
PDPA: The PDPA increases the civil, criminal and administrative liabilities to provide more protection for individual's right of privacy.

G. What are the main pitfalls?
An employer should pay close attention to the effective date of the PDPA as well as the upcoming passages of or amendments to the enforcement rules and supplemental laws and regulations in relation to the PDPA.

Contributed by Lee, Tsai & Partners

Executive Summary: THAILAND

A. Is there a law regulating employee personal data?
Currently, there is no law that regulates employees' personal data although the Personal Data Protection Bill (the "Bill") has long been expected to be put in place.

B. Do I need to have a privacy statement or agreement?
Not currently, but if the Bill comes into force, an employer will need consent from its employee to handle the employee's personal data.

C. How long must I retain employee data? What is best practice?
Under the Thai Labour Protection Act, an employer must keep an employee's register for not less than two years after termination of employment. If the Bill becomes law, the employee's personal data processed for any purpose may not be kept longer than necessary for such purpose.

D. Can I transfer employee data overseas?
Currently, there is no law that prohibits transfer of an employee's personal data overseas, but if the Bill comes into effect, written consent from the employee will be required.

E. Can I transfer employee data to a third party?
Currently, there is no law that prevents an employer from transferring its employee's personal data to a third party, but if the Bill takes effect, written consent from the employee will be needed.

F. What are the consequences of breach?
If an employer's use or disclosure of personal data causes damage to an employee, the employer may be subject to civil and/or criminal punishment. If the Bill becomes law, any breach may be subject to administrative and/or criminal penalties.

G. What are the main pitfalls?
If the Bill is issued, any collection, utilization and disclosure of an employee's personal data will require such employee's express consent. The employer will also need a secured personal data collection system to prevent exploitation or disclosure of the personal data.

Contributed by Mayer Brown JSM (Thailand) Limited

Executive Summary: VIETNAM

A. Is there a law regulating employee personal data?
Yes.

B. Do I need to have a privacy statement or agreement?
Yes.

C. How long must I retain employee data? What is best practice?
There is no statutory requirement regarding how long employee data can be retained. In practice, the employer should agree with the employee on the time limit for retaining his/her data. It would be preferable that written consent from the employee is obtained.

D. Can I transfer employee data overseas?
Yes, subject to the employee's consent.

E. Can I transfer employee data to a third party?
Yes, subject to the employee's consent.

F. What are the consequences of breach?
The employee would sue the breaching party in a court of law.

G. What are the main pitfalls?
The breaching party, depending on the seriousness of the breach, would be subject to an administrative penalty. If the breach causes damages to the employee's health, honour, dignity or reputation, compensation must be paid.

Contributed by Mayer Brown JSM (Vietnam)

The Expanded Answer to the Questions by Jurisdiction

AUSTRALIA

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

Privacy in the employment context usually concerns the use by an employer of personal information [1] about an employee, including information about the employee's health and fitness.

In Australia, legal obligations in respect of privacy of personal information are largely derived from statute. There is no constitutional protection of privacy rights similar to that which exists in other jurisdictions such as the United States.

Privacy in Australia is regulated at both the federal and State level. Therefore, privacy obligations differ across the various jurisdictions, as well as between the public and private sectors. In each Australian jurisdiction, privacy of personal information may be regulated by specific privacy legislation and also by legislation in respect of health records, freedom of information and electronic surveillance. A summary of some of the key legislation that regulates privacy in Australia is set out below.

Privacy Act 1988 (Cth)

The Privacy Act 1988 (Cth) ("Privacy Act") regulates the use, storage, handling, access, disclosure and security of personal information by Australian and Australian Capital Territory government agencies and Australian private sector organisations with an annual turnover greater than AUD 3 million.

[1] It has been assumed for the purposes of this Australian section that the reference to personal data has the same or a similar meaning as the term personal information under the Privacy Act 1988 (Cth). Privacy issues also arise from the undertaking of workplace surveillance and monitoring. The issue of workplace surveillance and monitoring has not been covered in this report.

There are some small businesses which may have an annual turnover of less than AUD 3 million whose activities are regulated by the Privacy Act. This includes health service providers or businesses that trade in personal information.

The Privacy Act is intended to protect personal information about individuals who can reasonably be identified from the information. Personal information is generally defined as "[i]nformation or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or an opinion".

The Privacy Act establishes 12 National Privacy Principles which (together) operate to regulate the use, storage, handling, access and security of personal information by organisations in respect of which the Privacy Act applies. Organisations may discharge their obligations by creating and complying with a code of practice tailored to the organisation, and approved for use by the Privacy Commissioner.

The Privacy Act expressly excludes acts done, or practices engaged in, by an employer (who is regulated by the Privacy Act) of an individual, if the act or practice is directly related to a current or former employment relationship between the employer and the individual and an employee record held by the organisation and relating to the individual.

Employee records are broadly defined as a record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about, amongst other things:

- the engagement, training, disciplining or resignation of the employee;
- the termination of the employment of the employee;
- the terms and conditions of employment of the employee;
- the employee's personal and emergency contact details;
- the employee's performance or conduct;
- the employee's hours of employment;
- the employee's salary or wages;
- the employee's membership of a professional or trade association; and
- the employee's taxation, banking or superannuation affairs.

Practically, this means an employer does not need to comply with the National Privacy Principles (for example, in relation to storage, access, use, disclosure and handling of the information) in relation to records about its employees which fall within the above definition.

The existence of the employee records exemption does not mean that all activities of an employer that relate to employment are excluded. For example, a prospective employee does not have an employment relationship with the potential employer. Therefore, potential employers and/or recruitment agencies must comply with the obligations of the Privacy Act in respect of candidates for employment. Another limitation to the exemption is that it will no longer apply once an employer discloses the employee records to a third party which is not involved in the employment relationship.

On 14 October 2009, the Federal Government announced that it would commence a reform of the Federal privacy laws. Part of the second stage of those reforms may include consideration of whether the employee records exemption should be removed.

Fair Work Act 2009 (Cth)

The Fair Work Act 2009 (Cth) regulates the employment relationship between employees and national system employers. A national system employer is broadly defined in the Fair Work Act and relevantly includes all incorporated employers and, subject to the location in which the employment is based, various other employers in Australia.

Privacy rights under the Fair Work Act arise insofar as unions have certain rights to access employment records in respect of their members. In some cases a non-member record can be accessed, particularly in circumstances where the non-member consents or Fair Work Australia makes an order granting access.

It is important to note that unions that access employee records must then comply with the obligations set out in the Privacy Act in respect of those records. Further, the employee records exemption will not apply in respect of the union's management of those records. Accordingly, unions accessing employee records pursuant to their rights under the Fair Work Act will still be required to comply with the privacy obligations under the Privacy Act in respect of those records.

State and Territory privacy legislation

In most States and Territories, privacy regulation is limited to the public sector. Employers should be mindful of the following legislation:

- Victoria: Information Privacy Act 2000 (Vic) and the Charter of Human Rights and Responsibilities Act 2006 (Vic);
- New South Wales: Privacy and Personal Information Protection Act 1998 (NSW);
- Queensland: Information Privacy Act 2009 (Qld);
- Western Australia: Freedom of Information Act 1992 (WA); and
- South Australia: Information Privacy Principles (IPPs) reissued by the State Government of South Australia in

There is also limited State legislation regulating privacy in respect of health records. In most States, access to health records retained by a public hospital or public health service is regulated by freedom of information legislation.

Freedom of information legislation

The Freedom of Information Act 1982 (Cth) provides that every person has a right to access documents held by federal government agencies or Ministers, other than exempt documents. Relevantly, one of the classes of exempt documents is where the disclosure of the document would involve the unreasonable disclosure of personal information of any person other than the applicant who has made the request. A number of factors will be taken into account in determining whether the disclosure would be unreasonable.

Each State and Territory also has legislation dealing with freedom of information.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

There is no general legal requirement to have a document to deal with employees' personal data. However, as indicated in our response in section A above, organisations may discharge their privacy obligations by creating and complying with a code of practice tailored to the organisation and approved for use by the Privacy Commissioner.

Employers may also be assisted in their compliance with privacy obligations by implementing privacy policies and procedures, setting out the kinds of information that are protected, relevant obligations and best practice.

Accordingly, as a matter of risk management and regulatory compliance, it is prudent for an organisation to develop, implement and comply with a privacy policy or code of practice. This will be particularly important in circumstances where it is not clear whether employee records are being collected, used or disclosed for the purpose of the employment relationship. For example, employers should obtain a written consent from prospective employees in relation to the collection, use and disclosure of personal and sensitive information which is obtained during the recruitment process.

C. For how long must an employer retain an employee's personal data? What is best practice?

Provided that the personal data falls within the employee records exemption under the Privacy Act, there are no obligations with respect to the retention of personal data under the Privacy Act. However, various Federal and State legislation requires that employers retain certain records relating to employees (which could include personal data).

The Fair Work Regulations 2009 (Cth) requires that specific employee records be retained for all employees (with certain limited exceptions) for a period of seven years. For the purposes of the Fair Work Regulations, "record" means any record about the employee (or former employee) containing information about the nature of their employment and their entitlements (e.g. applicable industrial instruments, classification, pay rates, hours, shift work, overtime, leave, superannuation etc.), and also information about the employee's termination (if a former employee). However, the Fair Work Regulations do not require that employers keep records relating to an employee's performance.

The Fair Work Regulations stipulate that records must be kept in a legible form in the English language and in a form that is readily accessible to a Fair Work Inspector. Importantly, the Fair Work Regulations do not stipulate that the record must be an original copy, or kept in hard-copy.

The Superannuation Guarantee (Administration) Act 1992 (Cth) requires corporations to retain specific superannuation documents for a period of five years. Further, the Income Tax Assessment Act 1997 (Cth) requires that specific taxation records must be retained for five years.

Obligations in relation to employee records also arise under workers' compensation legislation in each of the States and Territories. For example, in NSW employers are required under the Workers Compensation Act 1987 (NSW) to retain wages records (which may include personal data).

Finally, it is important to note that where litigation is anticipated or has been commenced, an employer must not destroy or dispose of any documents that may be required for the purposes of the litigation (which may include employee records).

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

Transborder data flows are the subject of a specific National Privacy Principle referring to the movement of personal data across national borders.

The Privacy Act originally dealt only with personal information collected and handled within Australia. However, it has since been amended to apply to acts done, or practices engaged in, by an organisation outside Australia and the external Territories. The purpose of these amendments to the Privacy Act was to prevent organisations from avoiding their privacy obligations by transferring the handling of personal information to countries with lower privacy protection standards.

An organisation in Australia can only transfer personal information outside Australia if:

- the organisation reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the National Privacy Principles;
- the individual consents to the transfer;
- the transfer is for the benefit of the individual and it is impracticable to obtain consent, but it is likely consent would have been given;
- the transfer is required by a contract between the individual and the organisation, or a contract between the organisation and a third party in the interests of the individual; or
- the organisation has taken reasonable steps to ensure the information will not be held, used or disclosed by its recipient inconsistently with the National Privacy Principles.

The Privacy Commissioner has powers to oversee complaints that arise in respect of a breach which occurs outside of Australia and which fall within the scope of the Privacy Act.

E. What are the legal restrictions on transferring employees' personal data to a third party?

As set out in our response in section A above, the obligations set out in the Privacy Act do not apply to the collection, use, disclosure and storage of personal information contained within an employee record, provided that the act or practice directly relates to the employment relationship.

Unfortunately, "directly related" is not defined in the Privacy Act and there is presently no case law which has considered the meaning of "directly related to the employment relationship" in a privacy context. However, an act which may not directly relate to the employment relationship may include sending a list of employee details to another organisation for marketing purposes.

If an employer that is an organisation covered by the Privacy Act seeks to collect, use or disclose employee records in a way not directly related to the employment relationship, it must comply with the National Privacy Principles. Relevantly, we set out the key aspects of National Privacy Principles 1 and 2 below.

National Privacy Principle 1: Collection

An organisation must only collect personal information that is necessary for one or more of its legitimate functions or activities (the primary purpose). An organisation must only collect personal information by lawful and fair means and not in an unreasonably intrusive way.

At the time of collection (or as soon as practicable afterwards) an organisation must take reasonable steps to ensure that the individual is told:

- the identity of the organisation and how to contact it;
- that they can access the information;
- why the information is collected;
- the disclosure practices of the organisation; and
- any law that requires the particular information to be collected and the consequences (if any) for the individual if the information is not provided.

Where practicable, an organisation should collect personal information directly from the individual.

National Privacy Principle 2: Use and disclosure

As a general rule, an organisation should only use or disclose personal information for the purpose for which it was collected (the primary purpose). But an organisation can use or disclose personal information about an individual for another purpose (the secondary purpose) if:

- the individual has consented; or
- the secondary purpose is related to the primary purpose and the information might reasonably be expected to be used or disclosed for the secondary purpose.

Special additional provisions apply for direct marketing and sensitive information (including health information).

Legislation in the Australian Capital Territory, New South Wales and Victoria regulates organisations which collect, hold and use health information. Such legislation contains health record privacy principles which are broadly similar to the National Privacy Principles. In certain circumstances, if the employer collects health information, the employer will be required to comply with the health records legislation in the relevant State or Territory.

F. What are the consequences of breaching privacy laws in your jurisdiction?

General

If an organisation breaches a National Privacy Principle, the organisation will have contravened section 16A(2) of the Privacy Act and interfered with the privacy of an individual contrary to section 13A(1)(b) of the Privacy Act.

Individuals must make any complaints regarding an interference with privacy to the relevant organisation. If the complaint is not resolved it can be referred to the Office of the Privacy Commissioner for conciliation, and if this is not successful, for formal determination (enforceable by the Federal Court of Australia).

Privacy Commissioner functions

(a) Powers without complaint

Under section 27(1)(ab) of the Privacy Act, the Privacy Commissioner has the power to investigate an act or practice of an organisation that may be an interference with the privacy of an individual because of section 13A and, if the Commissioner considers it appropriate to do so, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation.

Where the Commissioner has investigated an act or practice (without a complaint having been made under section 36 of the Privacy Act), the Commissioner must report to the Minister about the act or practice, if the Commissioner thinks the act or practice is an interference with the privacy of an individual. The Minister must table the report before each house of the Federal Parliament. In this way, the report acts to name and shame contraveners of Privacy Act obligations.

(b) Powers following complaint

Pursuant to section 40 of the Privacy Act, the Commissioner must investigate an act or practice if:

- the act or practice may be an interference with the privacy of an individual; and
- a complaint about the act or practice has been made under section 36 of the Privacy Act.

Pursuant to section 44 of the Privacy Act, if the Commissioner has reason to believe that a person has information or a document relevant to an investigation, the Commissioner may give to the person a written notice requiring the person to give the information to the Commissioner and/or to produce the document to the Commissioner. The Commissioner is also empowered to examine witnesses and direct persons to attend compulsory conferences for the purpose of the investigation.

After investigating a complaint, the Commissioner may, under section 52 of the Privacy Act, find the complaint substantiated and make a determination, including a declaration that:

- the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct;
- the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant; and/or
- the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.

A determination by the Commissioner is not binding or conclusive between any of the parties to the determination.

An organisation that is the respondent to a determination made under section 52:

- must not repeat or continue conduct that is covered by a declaration that determined the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct; and
- must perform the act or course of conduct that is covered by a declaration that determined the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant.

The complainant or the Commissioner (if a determination was made under section 52) may commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce a determination. If the court is satisfied that the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant, the court may make such orders (including a declaration of right) as it thinks fit. The court may, if it thinks fit, grant an interim injunction pending the determination of the proceedings.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Employers should be mindful to ensure that any records held which contain the personal information of employees are only dealt with in a manner that directly relates to the employment relationship. That is, any employee records should only be collected, used and disclosed for the purpose of the employment relationship.

Employers should obtain a written consent from prospective employees in relation to the collection, use and disclosure of personal and sensitive information which is obtained during the recruitment process. Employers should consider including such consents in their contracts of employment. Such consents will reduce the likelihood of an employer inadvertently breaching the Privacy Act in relation to information that does not directly relate to the employment relationship.


ASPEN AUSTRALIA BRANCH PRIVACY POLICY ASPEN AUSTRALIA BRANCH PRIVACY POLICY INTRODUCTION This policy applies to the operations of Aspen s Australia branch. Aspen is committed to complying with the principles of the Privacy Act 1988 and accordingly

More information

Privacy business resource 3

Privacy business resource 3 Privacy business resource 3 June 2013 Credit reporting what has changed As part of the reforms to the Privacy Act 1988 (Privacy Act), credit reporting in Australia is regulated by a new Part IIIA. 1 The

More information

ISSUES PAPER LEGAL REPRESENTATION AND JURISDICTIONAL LIMIT IN SMALL CLAIMS

ISSUES PAPER LEGAL REPRESENTATION AND JURISDICTIONAL LIMIT IN SMALL CLAIMS DEPARTMENT OF THE ATTORNEY-GENERAL AND JUSTICE ISSUES PAPER LEGAL REPRESENTATION AND JURISDICTIONAL LIMIT IN SMALL CLAIMS June 2013 Legal Policy Division Department of the Attorney-General and Justice

More information

Lawlink NSW: Guide to the Workplace Video Surveillance Act

Lawlink NSW: Guide to the Workplace Video Surveillance Act Guide to the Workplace Video Surveillance Act A Guide to the Workplace Video Surveillance Act 1998 (NSW) Privacy NSW February 2002 CONTENTS The Workplace Video Surveillance Act 1998 Coverage of the Act

More information

Table of Contents. Introduction 3 What is Title Insurance? What are mortgage processing and loan servicing services? 3 This Privacy Policy 3

Table of Contents. Introduction 3 What is Title Insurance? What are mortgage processing and loan servicing services? 3 This Privacy Policy 3 Privacy Policy First American Title Insurance Company of Australia Pty Ltd First Mortgage Services Pty Ltd First Mortgage Services Australia Pty Ltd 1 P a g e Table of Contents Page Introduction 3 What

More information

Small Business Grants (Employment Incentive) Act 2015 No 14

Small Business Grants (Employment Incentive) Act 2015 No 14 New South Wales Small Business Grants (Employment Incentive) Act 2015 No 14 Contents Page Part 1 Part 2 Preliminary 1 Name of Act 2 2 Commencement 2 3 Object of Act 2 4 Definitions 2 Grant scheme 5 Grant

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

1.4 For information about our management of your other personal information, please see our Privacy Policy available at www.iba.gov.au.

1.4 For information about our management of your other personal information, please see our Privacy Policy available at www.iba.gov.au. Indigenous Business Australia Credit Information Policy 1 Purpose and application of this policy 1.1 This credit reporting policy (Credit Information Policy) describes and establishes how Indigenous Business

More information

The kinds of personal information we collect and hold vary depending on the services we are providing, but generally can include:

The kinds of personal information we collect and hold vary depending on the services we are providing, but generally can include: ABN 47 001 768 190 AFSL 244526 Our Privacy Policy At Capital Insurance Brokers, we are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian

More information

Chapter one: Definitions. Chapter Two: Conditions for Employment

Chapter one: Definitions. Chapter Two: Conditions for Employment FOREIIGN WORKERS ((Prrohiibiittiion off unllawffull emplloymentt and assurrance off ffaiirr condiittiions)) LAW,, 5751--1991 Chapter one: Definitions 1. In this law - Foreign worker - worker who is not

More information

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS 1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal

More information

Tax Agent Services Act 2009

Tax Agent Services Act 2009 Tax Agent Services Act 2009 No. 13, 2009 An Act to establish the Tax Practitioners Board and to provide for the registration of tax agents and BAS agents, and for related purposes Note: An electronic version

More information

SHARE TRADING POLICY

SHARE TRADING POLICY SHARE TRADING POLICY 1. Background 1.1 Murchison Holdings Limited ( MCH ) has adopted a corporate governance policy taking into account: 1.1.1 the Corporations Act 2001 (Cth); 1.1.2 the guidelines set

More information

Information Privacy Policy

Information Privacy Policy Information Privacy Policy pol-032 Version: 2.01 Last amendment: Oct 2014 Next Review: Aug 2017 Approved By: Council Date: 04 May 2005 Contact Officer: Director, Strategic Services and Governance INTRODUCTION

More information

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH Council of Australian Governments An agreement between the Commonwealth of Australia and the States and Territories, being: The State of New South Wales The State

More information

Chapter 5: Australian Privacy Principle 5 Notification of the collection of personal information

Chapter 5: Australian Privacy Principle 5 Notification of the collection of personal information Chapter 5: Australian Privacy Principle 5 Notification of the collection of personal information Version 1.0, February 2014 Key points... 2 What does APP 5 say?... 2 Taking reasonable steps to notify or

More information

Guidance Note AGN 520.1

Guidance Note AGN 520.1 Guidance Note AGN 520.1 Fit and Proper Requirements Definition of a responsible person 1. The definitions of responsible persons cover those persons whose conduct is most likely to have significant implications

More information

2013-2014-2015 THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA HOUSE OF REPRESENTATIVES/THE SENATE

2013-2014-2015 THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA HOUSE OF REPRESENTATIVES/THE SENATE 2013-2014-2015 THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA HOUSE OF REPRESENTATIVES/THE SENATE PRIVACY AMENDMENT (NOTIFICATION OF SERIOUS DATA BREACHES) BILL 2015 EXPLANATORY MEMORANDUM (Circulated

More information

This form must be accompanied by an Attending Physicians Statement, which can be obtained by telephoning any of our offices listed.

This form must be accompanied by an Attending Physicians Statement, which can be obtained by telephoning any of our offices listed. This form must be accompanied by an Attending Physicians Statement, which can be obtained by telephoning any of our offices listed. Full ne of Policyholder UNIVERSITY OF WESTERN AUSTRALIA Policy Number

More information

GUIDANCE FOR EMPLOYED BARRISTERS. Part 1. General

GUIDANCE FOR EMPLOYED BARRISTERS. Part 1. General GUIDANCE FOR EMPLOYED BARRISTERS Part 1. General 1.1 This guidance has been issued by the Professional Standards Committee, the Professional Conduct and Complaints Committee and the Employed Barristers

More information

Queensland building work enforcement guidelines

Queensland building work enforcement guidelines Queensland building work enforcement guidelines Achieving compliance of building work with the provisions of the Building Act 1975 and the Integrated Planning Act 1997 Effective 1 September 2002 Contents

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

Proposal Form. BusinessGuard Accountants Professional Liability Insurance

Proposal Form. BusinessGuard Accountants Professional Liability Insurance BusinessGuard Accountants Professional Liability Insurance Important Notice Claims-Made and Notified Insurance This policy is issued by AIG Australia Limited on a claims-made and notified basis. This means

More information

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual Daltrak Building Services Pty Ltd ABN: 44 069 781 933 Privacy Policy Manual Table Of Contents 1. Introduction Page 2 2. Australian Privacy Principles (APP s) Page 3 3. Kinds Of Personal Information That

More information

CRYOSITE LIMITED PERSONNEL SHARE TRADING POLICY

CRYOSITE LIMITED PERSONNEL SHARE TRADING POLICY 1 OVERVIEW The Corporations Act, and the laws of other jurisdictions in which Cryosite operates contain provisions which prohibit a person in possession of material, non public information ( Material Information

More information

2015 No. 0000 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Business (Finance Platforms) Regulations 2015

2015 No. 0000 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Business (Finance Platforms) Regulations 2015 Draft Regulations to illustrate the Treasury s current intention as to the exercise of powers under clause 5 of the Small Business, Enterprise and Employment Bill. D R A F T S T A T U T O R Y I N S T R

More information

Proposal Form. BusinessGuard Insurance Brokers Professional Liability Insurance

Proposal Form. BusinessGuard Insurance Brokers Professional Liability Insurance BusinessGuard Insurance Brokers Professional Liability Insurance BusinessGuard Insurance Brokers Professional Liability Insurance This policy is issued by AIG Australia Limited on a claims-made and notified

More information

An overview of UK data protection law

An overview of UK data protection law An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44

More information

PLEASE NOTE. For more information concerning the history of this Act, please see the Table of Public Acts.

PLEASE NOTE. For more information concerning the history of this Act, please see the Table of Public Acts. PLEASE NOTE This document, prepared by the Legislative Counsel Office, is an office consolidation of this Act, current to May 30, 2012. It is intended for information and reference purposes only. This

More information

Anti-bullying jurisdiction

Anti-bullying jurisdiction Anti-bullying jurisdiction Summary of the case management model For implementation from 1 January 2014 1 Overview 1.1 Purpose 1. This paper summarises the procedures and associated functions to be adopted

More information

Compliance and enforcement. How regulators enforce the Australian Consumer Law

Compliance and enforcement. How regulators enforce the Australian Consumer Law Compliance and enforcement How regulators enforce the Australian Consumer Law This publication was developed by: Australian Capital Territory Office of Regulatory Services Australian Competition and Consumer

More information

WORKCOVER QUEENSLAND AMENDMENT BILL 2002

WORKCOVER QUEENSLAND AMENDMENT BILL 2002 1 WORKCOVER QUEENSLAND AMENDMENT BILL 2002 EXPLANATORY NOTES GENERAL OUTLINE Objectives of the legislation To provide for miscellaneous amendments to the WorkCover Queensland Act 1996. Reason for the Bill

More information

ABM Resources NL Security Trading Policy

ABM Resources NL Security Trading Policy ABM Resources NL Security Trading Policy 1. INTRODUCTION 1.1 The ordinary shares of ABM Resources NL (ABM) are listed on ASX. ABM aims to achieve the highest possible standards of corporate conduct and

More information

SUBSIDIARY LEGISLATION EQUAL TREATMENT IN EMPLOYMENT REGULATIONS

SUBSIDIARY LEGISLATION EQUAL TREATMENT IN EMPLOYMENT REGULATIONS EQUAL TREATMENT IN EMPLOYMENT [S.L.452.95 1 SUBSIDIARY LEGISLATION 452.95 EQUAL TREATMENT IN EMPLOYMENT REGULATIONS 5th November, 2004 LEGAL NOTICE 461 of 2004, as amended by Legal Notices 53 and 338 of

More information

Share Trading Policy. Australian Careers Network Limited ACN 168 592 434. Doc ID 165479751/v2

Share Trading Policy. Australian Careers Network Limited ACN 168 592 434. Doc ID 165479751/v2 Share Trading Policy Australian Careers Network Limited ACN 168 592 434 Ref 304685 Level 14, Australia Square, 264-278 George Street, Sydney Telephone +61 2 9334 8555 NSW 2000 Australia GPO Box 5408, Sydney

More information

No. of 2006. Freedom of Saint Christopher Information Bill and Nevis. ARRANGEMENT OF SECTIONS

No. of 2006. Freedom of Saint Christopher Information Bill and Nevis. ARRANGEMENT OF SECTIONS No. of 2006. Freedom of Saint Christopher Information Bill and Nevis. ARRANGEMENT OF SECTIONS SECTION PART 1 PRELIMINARY 1. Short title and commencement 2. Interpretation 3. Application PART 2 THE RIGHT

More information

1 L.R.O. 2001 Electronic Transactions CAP. 308B ELECTRONIC TRANSACTIONS

1 L.R.O. 2001 Electronic Transactions CAP. 308B ELECTRONIC TRANSACTIONS 1 L.R.O. 2001 Electronic Transactions CAP. 308B CHAPTER 308B ELECTRONIC TRANSACTIONS ARRANGEMENT OF SECTIONS SECTION PART I Preliminary 1. Short title. 2. Interpretation. 3. Non-application of Parts II

More information

Number 5 of 1994 TERMS OF EMPLOYMENT (INFORMATION) ACT 1994 REVISED. Updated to 1 October 2015

Number 5 of 1994 TERMS OF EMPLOYMENT (INFORMATION) ACT 1994 REVISED. Updated to 1 October 2015 Number 5 of 1994 TERMS OF EMPLOYMENT (INFORMATION) ACT 1994 REVISED Updated to 1 October 2015 This Revised Act is an administrative consolidation of the. It is prepared by the Law Reform Commission in

More information

Asia Pacific Legislative Analysis: Current and Pending Online Safety and Cybercrime Laws. A Study by Microsoft.

Asia Pacific Legislative Analysis: Current and Pending Online Safety and Cybercrime Laws. A Study by Microsoft. Asia Pacific Legislative Analysis: Current and Pending Online Safety and Cybercrime Laws. A Study by Microsoft. Table of Contents Legislative Gap Analysis Internet on Safety, Security and Privacy SECTION

More information

PRIVACY LAW. In an age of social media, cloud computing, global networks. and international data flows, incidents involving data security

PRIVACY LAW. In an age of social media, cloud computing, global networks. and international data flows, incidents involving data security Doing Business in Canada 1 O: PRIVACY LAW THE ROCKIES Canada s most visited mountain range, the Rockies, is an international destination for sports, sightseeing and escape from the daily grind. Privacy

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

Queensland DRUG REHABILITATION (COURT DIVERSION) ACT 2000

Queensland DRUG REHABILITATION (COURT DIVERSION) ACT 2000 Queensland DRUG REHABILITATION (COURT DIVERSION) ACT 2000 Act No. 3 of 2000 Queensland DRUG REHABILITATION (COURT DIVERSION) ACT 2000 Section TABLE OF PROVISIONS PART 1 PRELIMINARY Page 1 Short title.....................................................

More information

Share Trading Policy. Ecosave Holdings Limited ACN 160 875 016. Revision 1: 4 July 2013. 94721781/v2

Share Trading Policy. Ecosave Holdings Limited ACN 160 875 016. Revision 1: 4 July 2013. 94721781/v2 Share Trading Policy Ecosave Holdings Limited ACN 160 875 016 Revision 1: 4 July 2013 94721781/v2 Table of Contents 1. Introduction...1 2. Definitions...1 3. Scope of transactions...2 4. Standards...2

More information

Important information about your credit card account ( Account )

Important information about your credit card account ( Account ) Important information about your credit card account ( Account ) This notice is provided to you with your December 2013 statement of Account and details changes to the terms and conditions of your account

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

Questions to ask a recruitment or labour hire firm prior to engagement of services in New Zealand

Questions to ask a recruitment or labour hire firm prior to engagement of services in New Zealand Questions to ask a recruitment or labour hire firm prior to engagement of services in New Zealand and labour hire worker service firms are a great way of complementing your business or organisation, however,

More information

Privacy Policy. 30 January 2015

Privacy Policy. 30 January 2015 Privacy Policy 30 January 2015 Table of Contents 1 Overview 3 Purpose 3 Scope 3 2 Collection 3 What information do we collect? 3 What if you do not give us the information we request? 4 3 Use of information

More information

In accordance with Listing Rule 12.10, Computershare Limited attaches its updated Share Trading Policy.

In accordance with Listing Rule 12.10, Computershare Limited attaches its updated Share Trading Policy. MARKET ANNOUNCEMENT Computershare Limited ABN 71 005 485 825 Yarra Falls, 452 Johnston Street Abbotsford Victoria 3067 Australia PO Box 103 Abbotsford Victoria 3067 Australia Telephone 61 3 9415 5000 Facsimile

More information

American Express. Business Credit Card Conditions

American Express. Business Credit Card Conditions American Express Business Credit Card Conditions Effective 1st June 2006 Postal Address American Express Australia Limited Cardmember Services GPO Box 1582 Sydney NSW 2001 Lost or Stolen Cards In Australia

More information

Privacy, the Cloud and Data Breaches

Privacy, the Cloud and Data Breaches Privacy, the Cloud and Data Breaches Annelies Moens Head of Sales and Operations, Information Integrity Solutions Legalwise Seminars Sydney, 20 March 2013 About IIS Building trust and privacy through global

More information

BYOD - Legal Considerations

BYOD - Legal Considerations BYOD - Legal Considerations Legal and risk considerations in developing BYOD policies Arvind Dixit Senior Associate Corrs Chambers Westgarth arvind.dixit@corrs.com.au 03 9672 3032 23 October 2012 7702923/1

More information

Terms and Conditions of Offer and Contract (Works & Services) Conditions of Offer

Terms and Conditions of Offer and Contract (Works & Services) Conditions of Offer Conditions of Offer A1 The offer documents comprise the offer form, letter of invitation to offer (if any), these Conditions of Offer and Conditions of Contract (Works & Services), the Working with Queensland

More information

Questions to ask a recruitment or on-hire firm prior to engagement of services in Australia

Questions to ask a recruitment or on-hire firm prior to engagement of services in Australia Questions to ask a recruitment or on-hire firm prior to engagement of services in Australia and on-hire worker service firms are a great way of complementing your business or organisation, however, as

More information

The Cloud and Cross-Border Risks - Singapore

The Cloud and Cross-Border Risks - Singapore The Cloud and Cross-Border Risks - Singapore February 2011 What is the objective of the paper? Macquarie Telecom has commissioned this paper by international law firm Freshfields Bruckhaus Deringer in

More information

Protection from Harassment Bill

Protection from Harassment Bill Protection from Harassment Bill Bill No. 12/2014. Read the first time on 3rd March 2014. PROTECTION FROM HARASSMENT ACT 2014 (No. of 2014) Section ARRANGEMENT OF SECTIONS PART I PRELIMINARY 1. Short title

More information

Standard Terms of Engagement. and. Terms of Business

Standard Terms of Engagement. and. Terms of Business Standard Terms of Engagement and Terms of Business Contents 1. Standard Terms of Engagement of Keirs Carr... 4 1.1 Accounting Services... 4 Accounting Services... 4 Compilation of Financial Statements...

More information