PRIVACY IN THE CLOUD AND BIG DATA WHAT FRANCHISORS NEED TO KNOW!
By Alec Christie, Partner, DLA Piper

Franchisors will already be dealing with a number of day-to-day privacy issues arising from their implementation of the new Australian Privacy Principles ("APPs") which became effective from 12 March 2014. However, very different privacy issues arise from use of Big Data and the Cloud by franchisors. In this paper we aim to demystify these two ubiquitous IT terms, highlight the privacy issues that arise under the current Australian privacy law and provide some practical tips for franchisors to navigate the privacy landscape in respect of Big Data and Cloud.

FIRST: BIG DATA AND THE CLOUD EXPLAINED

What is Big Data?

Big Data is the tracking and aggregation of a large volume of data (including personal information) from search engine histories, emails, sales transaction histories, reward/loyalty programs, app downloads and other sources. The aggregation, tracking and analysis of large volumes of data across such a range of variables can be of considerable value to franchisors, allowing you to gain insight into your markets and consumers, making you more responsive, increasing efficiency and helping to shape possible new offerings or the entry into "new" markets.

As well as using your own and your franchisees' generated data, franchisors are also finding more and more ways of combining their data with that of third parties (as well as publicly available information) in order to analyse more variables and to "slice and dice" the data in numerous ways.

AGC/SZM/AUM/
What is the Cloud?

Web based email (such as Gmail and Hotmail) and social networking websites (such as Facebook) are perhaps the most ubiquitous examples of Cloud services. However, Cloud services can be delivered through a multitude of models (including non-public models such as "private Clouds" and "shared private Clouds"). Although the term "Cloud" does not have a precise meaning, it generally refers to information technology services, for example web based email and social networking sites, that:

1. are delivered via the Internet (the "Cloud" being an icon for the Internet);
2. typically have a decentralised IT infrastructure (ie the supplier's data centres are spread across multiple, and sometimes offshore, locations); and
3. are dynamically scalable and used more like a utility (eg electricity) than traditional computing resources.

PRIVACY CONCERNS WITH BIG DATA AND THE CLOUD

Big Data

The collection and use of Big Data gives rise to a number of potentially difficult privacy scenarios for franchisors. One such example, referred to in an article by journalist Aleks Krotoski [1], is the purchase of the social media start-up Social Calendar [2] by US chain store Walmart. Krotoski points out that, when users of Social Calendar listed friends' birthdays or their holiday details, users would have had no idea that the information they included in Social Calendar would end up in the hands of Walmart. The purchase of Social Calendar effectively means that Walmart will, subject to applicable law, be able to cross reference the data from Social Calendar users with its own data to generate profiles of users and their friends (and significant events/celebrations in their lives) for very direct and time sensitive marketing opportunities. [3]

[1] Article entitled "Big Data age puts privacy in question as information becomes currency" published in 'The Guardian' on 22 April
[2] A very popular calendar app on Facebook which allows users to record special events such as the birthdays, anniversaries, etc of family and friends.
[3] Of course, this is subject to any consent requirements under the relevant US law.

Perhaps the most dramatic example of the use of Big Data occurred in 2013 when Target's analysis of Big Data determined that a teen girl was pregnant (before her parents knew), but did not flag that she was a teen and sent her direct electronic marketing for baby and maternity products. This incensed the girl's father: was Target trying to encourage his teen daughter to fall pregnant? Of course, Target failed to include in its analysis of the Big Data whether this person was over 18 before sending her this marketing. However, Target's analysis of the Big Data was able to determine that she was pregnant (and therefore a potential customer for its maternity wear and baby products). By tracking and analysing her spending habits (not just at Target) Target was able to determine (a) she was expecting a baby and (b) how far along with the pregnancy she was, with unsettling accuracy.

Examples such as these make it clear that there is a large gap between what can be done with Big Data, what is currently regulated by privacy law and community perceptions as to what should be done with Big Data.

The Cloud

Concerns about privacy and control over data are often cited as the major impediments to the growth of Cloud and its wide adoption by both business and government in Australia. In light of the recent celebrity photo leaking scandals, these reservations have been reinforced.

Moving to the Cloud means relinquishing a degree of physical control over IT infrastructure and relying, in part, on Cloud vendors to ensure that information is kept private and secure. If the data is stored in offshore locations, those locations may or may not be in countries that have privacy laws which are the same or similar to those in Australia.
However, contrary to popular perception, Cloud services models are not inherently incompatible with Australia's privacy laws or with privacy protection and security in general. Cloud does not raise legal issues, especially in respect of compliance with Australian privacy law, that are wholly new or even dissimilar to issues that have arisen in respect of other IT services (such as in the outsourcing and offshoring models). In respect of these other IT services, the issues have been successfully managed by well advised franchisors.

THE CURRENT AUSTRALIAN LEGAL LANDSCAPE

Australia has Federal, State and Territory laws which generally adopt similar (although not identical) privacy principles. The principal piece of Federal legislation, to which all Federal agencies and most private sector businesses (including franchisors) are subject, is the Privacy Act 1988 (Cth). The 13 APPs under the Privacy Act that regulate the collection, holding, use and disclosure of "personal information" have been in force since 12 March 2014.

The Privacy Act defines "Personal Information" to mean: "information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not". For example, some email addresses (such as alec.christie@dlapiper.com) are personal information, but anonymous information (such as purely statistical data) is not.

The application of this regulatory framework to Big Data and the Cloud is discussed below.

BIG DATA

Outside of privacy and spam, Australian law does not currently regulate Big Data. Although not specific to Big Data, the Privacy Act imposes certain mandatory notification and consent obligations on entities collecting personal information which are relevant from a Big Data perspective. In addition, the SPAM Act prohibits the sending of electronic marketing communications without the prior "opt in" consent of the recipient.
Identified vs de-identified information

The concepts of Personal Information, de-identified information and the applicability of the Privacy Act to Big Data appear, at first glance, simple enough. However, on further consideration, this is not straightforward in the Big Data context: can the information contained in Big Data ever truly (ie permanently) be de-identified?

Big Data has historically been used for tracking the movements and interests of groups in a de-identified form (ie such that it does not identify any individual in the group). Of course, use of de-identified information is not regulated by the privacy law/APPs and franchisors are free to collect, analyse and use such data as they see fit. However in recent years, as further potential uses for Big Data are discovered and the associated analytical tools developed, there has been an increasing ability to track (and a trend towards tracking) the movements and predicting the interests of identified individuals.

Even if the data is de-identified (ie the franchisor is seeking to track/predict the behaviour of groups rather than individuals), the current (and future) data analysis capabilities are such that aggregation of vast amounts of data and the analysis available across such a vast range of Big Data collected from multiple sources (each of which may be de-identified individually) will almost certainly enable re-identification of the individuals concerned. Of course, as soon as the information is re-identified (or becomes reasonably re-identifiable), the collection, use and disclosure of such information will be subject to the obligations of and restrictions imposed on the use of such personal information under the Privacy Act.

When are mandatory notice & consent required?
If Big Data held by a business includes Personal Information (including information which is reasonably capable of being re-identified), APP 5 requires that the relevant individuals from whom the information was collected be provided with mandatory notice regarding certain matters (such as the purpose of collection, use and the types of entities to which it is likely to be disclosed etc) at or before the time of collection of such information. [4] Also, if any of the information to be collected is sensitive information (such as health records, criminal conviction information, race, sexual preference, etc) or if personal information is to be used for a purpose other than the primary purpose [5] for which it was collected then prior consent of the individual will be required.

[4] Or, if it is not practicable to provide notice at this time, it can be provided as soon as possible after collection.
[5] Or a purpose directly related to the primary purpose.

Franchisors (whether through their franchisees or directly) must provide the mandatory notices and obtain any necessary consent(s) through their privacy policy and processes at the time the personal information is first collected. As part of the process individuals are often required to expressly consent to the privacy policy (including the purposes for collection and any required consents), often by clicking a button or ticking a check-box in order to proceed.

However in the Big Data context, at the time of the original collection of the information which later becomes part of Big Data, franchisors (even if they have collected all the relevant data themselves) are often not aware of the full extent of the potential uses they may have for such personal information as part of any future Big Data analysis. In addition, the significant volume of non-identified information collected legitimately without notice to and, sometimes, without the knowledge of the individual (eg via dynamic IP addresses, website cookies, mobile phone location, etc) may itself become personal information when used as part of Big Data analysis, by being combined with other data and analysed in such a way that results in its identification of or connection to a specific individual.

In practice it is expensive and impractical for franchisors to go back to individuals at a future date to re-notify and/or re-consent for the new Big Data purpose(s) or for the "new" Personal Information collected (ie when de-identified information is re-identified). As a result many potential uses of the information, to which individuals may not have objected if asked when first collected, remain "locked-up" or, worse, franchisors will simply ignore the privacy law and push ahead regardless, exposing themselves to fines of up to $1.7 million. Essentially, the failure of regulation to keep pace with technology and the rise and use of Big Data acts as an impediment to commercialisation and technological innovation by businesses or, at least, a disincentive for businesses to comply with the privacy law.

Where franchisors do anticipate certain future uses of personal information they may need to notify customers of (or require their consent to) either very complex or vague statements in their privacy policies in an attempt to comply with the obligations under the Privacy Act. Some customers may be put off by this and simply abandon the purchase of the goods or services, particularly in the online world.

Also, individuals who provide consent without actually reading the privacy policy or understanding what they are consenting to, how their information will actually be used and whose hands it may end up in may be "shocked" by use of their personal information as part of Big Data analysis and there may be a customer revolt against the affected franchisors (even though the privacy policy of the relevant business technically notifies such use).

A survey funded by the Australian Research Council identified that more than 60% of respondents rarely or never read website privacy policies. [6] Therefore the use of Big Data for purposes not reasonably expected by customers (particularly in the marketing context), without clear and transparent notice (ie informed consent), will likely result in unfavourable customer sentiment and may significantly increase the risk of a complaint to and investigation (or regulation) by the Privacy Commissioner.

[6] Survey conducted by Mark Andrejevic of the University of Queensland's Centre for Critical and Cultural Studies and presented by the Commissioner in Brisbane on 26 April 2012 at the University of Queensland Privacy Seminar.

Marketing (electronic and traditional)

Under the SPAM Act franchisors cannot send electronic marketing communications (such as emails, SMS and MMS) to individuals, even if analysis of the Big Data shows that the individual wants such marketing, without that individual's prior consent.

If the Big Data includes personal information (as it likely does in most Big Data circumstances), franchisors are also not able to use that personal information to send non-electronic (ie traditional hard copy) marketing if the recipients would not reasonably expect to receive such marketing communications.
Where consent is required to use Big Data for marketing initiatives, franchisors are faced with the same consent issues discussed above.

WHERE TO FROM HERE?

Both the Privacy Act and the SPAM Act were enacted before the rise of Big Data and neither adequately addresses the concerns of individuals or provides clarification for franchisors or other businesses regarding the steps that should be taken to manage the competing interests (ie balancing the protection of an individual's privacy against the commercial desire to use Big Data as a valuable "new economic asset").

Recently there has been much debate around whether uses of Big Data should be subject to increased or specific regulation. Some commentators have suggested that the use of Big Data should be subject to limitations that cannot be circumvented, even with an individual's consent. Others suggest, more reasonably, imposing "informed consent" obligations similar to the overseas transfer consent obligation in the new APPs (ie that the consequences of consent be specifically spelt out for and notified to individuals). Alternatively, we could see a shifting of the obligation for protecting Personal Information to the franchisor/business using that information in the Big Data context and a prohibition on using customer consent to get around those obligations. [7]

[7] In submissions to Microsoft in January 2013 the Privacy Commissioner indicated support for a move towards placing responsibility on data users (ie business) rather than individuals in order to ensure that the expectation of privacy is met, rather than the current approach of simply complying with black letter obligations.

The 12 March 2014 amendments to the Privacy Act did not specifically address Big Data and the Privacy Commissioner is yet to issue a guidance document on Big Data. However, given that the Commissioner has frequently mentioned the gap between practice and regulation when it comes to Big Data and the resulting pressures placed on the consent model under the Privacy Act (including the recent amendments), we expect some developments in this space in the near future.
THE CLOUD

In the context of Cloud, the following APPs are especially relevant:

- APP 8 (Cross border disclosure of personal information) regulates the disclosure/transfer of personal information by a franchisor to a different entity (including a parent or related company) offshore. Before disclosure of personal information offshore, the Australian franchisor ("Australian Sender") must take reasonable steps to ensure the overseas recipient will comply with/not breach the APPs. This can be done by appropriate contractual provisions. However, the Australian Sender will (subject to limited exceptions) remain liable for the overseas recipient's acts and practices in respect of the personal information sent as if the Australian Sender had engaged in such activities in respect of that personal information in Australia and, where relevant, be in breach of the APPs due to the overseas recipient's acts or omissions.
- APP 11.1 (Security of personal information) requires that an organisation must "take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure". The Privacy Commissioner has issued a 32 page guidance as to what these "reasonable steps" might include.

PRIVACY AND DIFFERENT CLOUD MODELS

The practical importance of privacy issues for Cloud offerings very much depends on the nature of the particular Cloud services being acquired. In particular, whether the Cloud offering is simply a renting of the "tin" ie under an IaaS model or is more akin to a managed services, SaaS or EaaS [8] model, where the Cloud vendor has access to, takes possession of or processes the personal information of individuals provided by the customer.

[8] "Everything as a Service".
Common issues

There is (in our view, disproportionate) concern and focus on privacy and data security issues in respect of all Cloud offerings, in particular where the Cloud is (or may be) based outside of Australia. In fact, privacy and data security of information are consistently raised as the two main concerns for Australian businesses considering entering the Cloud.

Potential customers (ie franchisors wishing to move to the Cloud) are concerned, where the Cloud offering is based/has servers outside of Australia, that the placing of any Personal Information in the Cloud always results in a disclosing or transfer of the Personal Information offshore and this raises concerns for franchisors as to whether or not you have the appropriate notifications/consents in place.

While there are some real concerns in respect of certain Cloud offerings in certain circumstances, in reality, under the IaaS model for example, the data is not usually "transferred" or "disclosed" to a third party (ie the vendor). Rather, the information usually remains under the control of the Australian franchisor and, therefore, does not require any specific notifications or consents as the franchisor remains liable for privacy compliance under Australian law, no matter where it takes the data.

Of course, under the managed services/SaaS model (if the vendor does access or process the customer's data), there are concerns as to overseas transfer/disclosure where the vendor's servers are outside of Australia. However, this can be (and often already is) covered by the franchisor's existing notifications/privacy policy and privacy processes.

Australian Cloud customers (eg franchisors) are also often concerned (again, we believe, disproportionately) about the possible access to their data by foreign governments (eg under the terms of the USA Patriot Act 2001 or similar legislation of other countries) if hosted overseas.
While this is not the place for a philosophical debate about the rights or wrongs of government (including intelligence agencies) accessing one's information and the recent events/publicity around this issue, [9] it is safe to assume that most governments can access one's information (wherever it is kept in electronic form) if they want to. In rare cases there may be information of a business (unlikely in the franchise context) which is so sensitive/of such national importance that there must be no chance of it being accessed by a foreign Government and so a foreign hosted Cloud offering is out of the question (as would be any offshoring, outsourcing or third party data centre hosted offering). However, for most franchisors and for most franchisor information, access by the Australian Government or a foreign Government is neither anticipated nor overly concerning in a practical sense.

[9] For example, the global press about the PRISM program as exposed by Edward Snowden.

While security in general and the security standards to which a Cloud vendor complies are important, the practical impact of the USA Patriot Act for US hosted Cloud offerings (or like legislation or potential actions of foreign Governments for other foreign hosted Cloud offerings) should not be overstated.

The IaaS model

Where the Cloud vendor is simply renting the "tin" to the customer and is not itself involved in any handling, use or processing of the personal information held by the franchisor, as in the IaaS Cloud model, all obligations with respect to privacy (and, generally, compliance with relevant laws) rightfully rest with the franchisor. In such circumstances it is usual for the franchisor to warrant (and be obliged to ensure) that it has all necessary privacy consents and has made all necessary privacy notifications in order to use the relevant Cloud service.

The managed services/SaaS model

Where the Cloud vendor has a more "active" role in handling, holding, using or processing the personal information originally collected or held by the franchisor, then the vendor also needs to consider its obligations under (and be compliant with) Australian privacy law even if, in practice, much of the mechanics of compliance is pushed down to the franchisor.
That is, the franchisor must make the appropriate notifications/obtain the appropriate consents to provide the personal information to the vendor, but the vendor still needs to consider its separate privacy obligations. The vendor is also likely, in such circumstances, to have an obligation to notify the individuals (whose personal information the franchisor provides to it) that the vendor now holds their information and to provide the appropriate privacy notifications (usually done via its privacy policy). Of course, there are practical ways of incorporating this into the franchisor's processes going forward but there needs to be extra care taken with (and thought given to) the Personal Information the franchisor has already collected and wishes to put into the Cloud.

PRACTICAL TIPS FOR COMPLIANCE

Big Data

In the absence of clear regulation or guidance from the Privacy Commissioner on Big Data at present, franchisors can adopt a number of best practice steps to minimise the risks of infringing the Privacy Act/ending up being investigated by the Commissioner following a customer complaint. Specifically, franchisors can:

- Audit existing databases to determine what Personal Information they collect and hold, the purpose of collection and whether they are (or are likely) to track and aggregate such information for marketing purposes or purposes other than for which the information was originally collected. Knowing what you have and how you use it is the first step to compliance.
- Examine the Big Data used and whether information that is not identified separately is "re-identifiable" by combination or through analysis and, if so, review original notices provided and consents obtained at the time of collection of that information.
- Focus on transparency by providing continuous notification each time there is a change in practices around collection, use or disclosure of personal information. Such notification should clearly set out the main ways in which the new practices are likely to impact individuals. Although keeping individuals informed will not remedy the shortcomings of the Privacy Act in respect of Big Data, greater transparency will (it is hoped) decrease potential customer fall out from unexpected use of personal information as part of any analysis of Big Data.
- Ensure your privacy policy is clear, concise and customer friendly. Mobile websites and apps should contain a short form privacy notice (ideally no longer than one screen shot) which is easy to locate and which must be viewed before the customer can submit any personal information. The short form privacy notice could contain a link to the full privacy policy.
- Adopt continuous and flexible consent regimes where business wishes to use Big Data for marketing activities. For example, require customers to re-consent periodically to ensure their consent is current.
- Consider, in certain circumstances, detangling consents relating to uses of personal information which are not essential to the purchase of the goods or services from the remainder of the privacy policy so that customers can choose to consent to essential and non-essential uses separately. In such cases, incentivise the consent for non-essential uses.
- Ensure internal practices with respect to the handling of personal information are compliant with the recent guidance documents issued by the Privacy Commissioner (including the "Guide to Information Security").

The Cloud

Franchisors which rely on Cloud services commonly address their obligations under the Privacy Act by (i) notifying/obtaining any relevant consents from individuals whose personal information they collect to process and store their information in the Cloud (often pushed down to the franchisees to do) and (ii) by placing appropriate Australian specific contractual obligations of privacy on the Cloud vendor.

From a privacy perspective, some of the most important matters for franchisors to fully investigate and understand when negotiating an agreement with a Cloud vendor include:

- the types and sensitivity of the information that the franchisor wants to put into the Cloud (eg personal and/or confidential information about customers and employees);
- what privacy and other obligations the franchisor has with respect to the information (eg contractual, regulatory or statutory obligations);
- the mechanisms and protections that the vendor has in place to protect and manage the information, including disaster recovery processes to protect against data loss;
- the locations of the vendor's data centres and other infrastructure and, if offshore locations are involved, what foreign laws will apply; and
- the vendor's reputation and track record in relation to security and privacy.

A franchisor that enters into an agreement for a Cloud service should ensure that the agreement places appropriate privacy related obligations on the vendor. However, the franchisor also needs to ensure that it understands (and does not try to impose on the vendor) the privacy obligations which are rightfully those of the franchisor or, practically, are best managed by the franchisor (eg around the original collection of the information). Some of the appropriate vendor obligations to consider will relate to:

- retention of ownership of the information (ie ensuring it is clear that the information is owned by the franchisor);
- security arrangements to ensure that all information is safeguarded and secure and gives the franchisor the right to audit the vendor's compliance with security arrangements;
- reporting of information breaches and indemnities with respect to losses resulting from privacy related breaches;
- disaster recovery measures to help protect against information loss;
- storage of information only in nominated countries that have privacy protections which are compatible with Australian privacy law; and
- rights to audit and access information, including a right to the return of information when the agreement ends.

Of course the ability to demand and negotiate contractual measures and protections will depend, in part, on the relative bargaining position of the parties, the contract value and the type of Cloud services being acquired. Accordingly, in some circumstances, a franchisor may be forced to assess the risks of proceeding without certain security or privacy protections against the benefits/cost savings it will receive from the Cloud service.

CONCLUSION

The use of Big Data and the Cloud by franchisors (and businesses generally) will only become more pervasive in the years to come. However, this increased use of Big Data and Cloud services by franchisors raises a variety of privacy, security, regulatory and other practical issues that need to be carefully addressed and managed by franchisors.

While the regulation of Big Data is relatively undeveloped in Australia, practical measures can be taken now to minimise legal risks and to prepare for any changes in the regulatory landscape.

From a privacy perspective at least, the legal issues that arise in respect of Cloud services are similar to issues that arise in the context of outsourcing, offshoring and other IT service models and can, as in these other areas, be appropriately managed and dealt with in the agreement between the parties.

It is crucial that your legal advisor fully understands the nature of both the Cloud and Big Data and your privacy obligations in order to be able to tailor the legal protections for your organisation and to ensure compliance with privacy law/the APPs.
More informationQUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt
QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.
More informationHow not to lose your head in the Cloud: AGIMO guidelines released
How not to lose your head in the Cloud: AGIMO guidelines released 07 December 2011 In brief The Australian Government Information Management Office has released a helpful guide on navigating cloud computing
More informationCHARTER OF PATIENT RIGHTS
CHARTER OF PATIENT RIGHTS Welcome to QUEENSLAND COUNTRY DENTAL Queensland Country Dental will always endeavour to advise patients about their rights and the way our practice operates. Part of the process
More informationPrivacy Policy. Ignite your local marketing
Privacy Policy Ignite your local marketing Contents 1) Introduction... 3 2) What is your personal information?... 3 3) What personal information do we collect and hold?... 3 4) How do we collect your personal
More informationDESTINATION MELBOURNE PRIVACY POLICY
DESTINATION MELBOURNE PRIVACY POLICY 2 Destination Melbourne Privacy Policy Statement Regarding Privacy Policy Destination Melbourne Limited recognises the importance of protecting the privacy of personally
More informationInformation Sheet: Cloud Computing
info sheet 03.11 Information Sheet: Cloud Computing Info Sheet 03.11 May 2011 This Information Sheet gives a brief overview of how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies.
More informationZinc Recruitment Pty Ltd Privacy Policy
1. Introduction Zinc Recruitment Pty Ltd Privacy Policy We manage personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles. This policy applies to information collected
More informationCORPORATE TRAVEL MANAGEMENT PRIVACY POLICY
CORPORATE TRAVEL MANAGEMENT PRIVACY POLICY 1. About this Policy Corporate Travel Management Group Pty Ltd (ABN 52 005 000 895) (CTM) ('we', 'us', 'our') understands the importance of, and is committed
More informationDisclosure is the action of making new or secret information known.
/PURPOSE OF POLICY Pty Limited (Momentum) is required and committed to comply with the Australian Privacy Principles (APPs) in the Privacy Act 1998 (Cth) (Privacy Act). The APPs regulate the manner in
More informationPrivacy Update for Australian Government Agencies. What we've seen in the first 12 months of the new APPs and what's next!
Privacy Update for Australian Government Agencies What we've seen in the first 12 months of the new APPs and what's next! Presented by Sharon Rowe and Alec Christie Canberra, 31 March 2015 What we are
More information2. What personal information do we collect and hold?
PRIVACY POLICY Conexus Financial Pty Ltd [ABN 51 120 292 257], (referred to as Conexus, us, we" or our"), are committed to protecting the privacy of the personal information that we collect and complying
More informationOverview of the Impact of the Privacy Reforms on Credit Reporting
Overview of the Impact of the Privacy Reforms on Credit Reporting June 2012 Andrew Galvin, Partner 1 OVERVIEW 1.1 Credit Reporting Reform - Background When initially passed, the Privacy Act 1988 essentially
More informationRevelian Pty Ltd ABN 58 089 022 202 Privacy Policy Effective 1 September 2014
Revelian Pty Ltd ABN 58 089 022 202 Privacy Policy Effective 1 September 2014 OUR COMMITMENT Your privacy is important to us. This document explains how Revelian collects, handles, uses and discloses your
More informationPrivacy Policy Australian Construction Products Pty Limited
Privacy Policy Australian Construction Products Pty Limited What is this privacy policy about? This Privacy Policy describes how Australian Construction Products 63 091 618 781 (we or us) will treat the
More information005ASubmission to the Serious Data Breach Notification Consultation
005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation
More informationThe kinds of personal information we collect and hold vary depending on the services we are providing, but generally can include:
ABN 47 001 768 190 AFSL 244526 Our Privacy Policy At Capital Insurance Brokers, we are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian
More informationCloud Computing in a Government Context
Cloud Computing in a Government Context Introduction There has been a lot of hype around cloud computing to the point where, according to Gartner, 1 it has become 'deafening'. However, it is important
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationUNILEVER PRIVACY PRINCIPLES UNILEVER PRIVACY POLICY
UNILEVER PRIVACY PRINCIPLES Unilever takes privacy seriously. The following five principles underpin our approach to respecting your privacy: 1. We value the trust that you place in us by giving us your
More information3 What Personal Information do we collect and why do we need it?
Privacy Policy 1 Protecting your privacy The worldwide rental system operated as Europcar is owned by Europcar International, a French Corporation. A number of independently owned licensees also trade
More informationINFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013
INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.
More informationWhat's Up with Apps in Hong Kong July 2013
What's Up with Apps in Hong Kong July 2013 In May this year, the Hong Kong Privacy Commissioner for Personal Data ("Privacy Commissioner") joined the Global Privacy Enforcement Network ("GPEN") to conduct
More informationCaptain Compare Privacy Policy
Captain Compare Privacy Policy This Privacy Policy contains important information about the type of personal information we collect from you on the Captain Compare website (www.captaincompare.com.au) (Website),
More informationROYAL AUSTRALASIAN COLLEGE OF SURGEONS
1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal
More informationPrivacy Law in Canada
Privacy Law in Canada Federal and provincial privacy legislation has a profound impact on the way virtually all organizations carry on business across the country. Canada s privacy laws, while likely the
More informationCoffey International Limited Privacy Policy. July 2014
Coffey International Limited Privacy Policy July 2014 Privacy Policy 1. Introduction Coffey International Limited and its related bodies corporate (we, our, us) recognise your rights under the Privacy
More informationBelmont 16 Foot Sailing Club. Privacy Policy
Belmont 16 Foot Sailing Club Privacy Policy APRIL 2014 1 P age Belmont 16 Foot Sailing Club Ltd (the 16s ) respects your right to privacy and is committed to protecting your personal information. This
More informationDaltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual
Daltrak Building Services Pty Ltd ABN: 44 069 781 933 Privacy Policy Manual Table Of Contents 1. Introduction Page 2 2. Australian Privacy Principles (APP s) Page 3 3. Kinds Of Personal Information That
More informationATMD Bird & Bird. Singapore Personal Data Protection Policy
ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:
More informationThe Cloud and Cross-Border Risks - Singapore
The Cloud and Cross-Border Risks - Singapore February 2011 What is the objective of the paper? Macquarie Telecom has commissioned this paper by international law firm Freshfields Bruckhaus Deringer in
More informationZEN Telecom Pty. Ltd. Privacy Policy
ZEN Telecom Pty. Ltd. Privacy Policy ZEN Telecom provides broadband internet, mobile voice & data, and PSTN fixed landline telephone, products and services, to residential and small to medium business
More informationNext Business Telecom is also subject to other laws relating to the protection of personal information.
NEXT BUSINESS TELECOM PRIVACY POLICY The Next Business Telecom brand (Next Business Telecom, we, us, our) Next Business Telecom provides data and voice services to its customers with a focus on business
More informationTable of Contents. Introduction 3 What is Title Insurance? What are mortgage processing and loan servicing services? 3 This Privacy Policy 3
Privacy Policy First American Title Insurance Company of Australia Pty Ltd First Mortgage Services Pty Ltd First Mortgage Services Australia Pty Ltd 1 P a g e Table of Contents Page Introduction 3 What
More informationCarriers Insurance Brokers Pty. Limited
Our Privacy Policy At Carriers Insurance Brokers Pty. Limited, ABN 66 001 609 936, we are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian
More informationPrivacy Policy. Federal Insurance Company, Singapore Branch Singapore Personal Data Protection Privacy Policy. 1. Introduction
Privacy Policy 1. Introduction Federal Insurance Company, Singapore Branch ( we, our or us ) recognise the importance of protecting the privacy and the rights of individuals in relation to their personal
More informationData Protection Act 1998. Guidance on the use of cloud computing
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
More informationUsing AWS in the context of Australian Privacy Considerations October 2015
Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview
More informationPrivacy Policy. 30 January 2015
Privacy Policy 30 January 2015 Table of Contents 1 Overview 3 Purpose 3 Scope 3 2 Collection 3 What information do we collect? 3 What if you do not give us the information we request? 4 3 Use of information
More informationPolice Financial Services Limited Copyright exists in this document Privacy Policy 1
Privacy January 2015 Policy Police Financial Services Limited ABN 33 087 651 661 ('we', 'us', 'our', BankVic ) is bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth) (Privacy Act).
More informationPrivacy fact sheet 17
Privacy fact sheet 17 Australian Privacy Principles January 2014 From 12 March 2014, the Australian Privacy Principles (APPs) will replace the National Privacy Principles Information Privacy Principles
More informationBHF Southern African Conference
BHF Southern African Conference Navigating the complexities of the new legislative framework Peter Hill, Director: IT Governance Network TOPICS TO BE COVERED The practical implementation of the PPI Act
More informationSchool Information Security and Privacy in the Cloud
School Information Security and Privacy in the Cloud Information Sheet and FAQ s Staying competitive in today s digital world means using technology in ways that are innovative in scope and reach. The
More informationThe Impact on Marketing-Related Activities of the Data Protection Act and Related Legislation
The Impact on Marketing-Related Activities of the Data Protection Audience 1. This guidance is intended for all University staff who maintain or use database of contacts for marketing purposes, including
More informationPRIVACY AND CREDIT REPORTING POLICY
PRIVACY AND CREDIT REPORTING POLICY 12 March 2014 CONTENTS What is personal information?...3 Information we may collect, use and disclose about you...4 Collection of sensitive information...6 How personal
More informationPERSONAL DATA PROTECTION CHECKLIST FOR ORGANISATIONS
PERSONAL DATA PROTECTION CHECKLIST FOR ORGANISATIONS How well does your organisation protect personal data? This self-assessment checklist is based on the nine personal data protection obligations underlying
More informationCredit Reporting Privacy Policy of Baybrick Pty Ltd
Credit Reporting Privacy Policy of Baybrick Pty Ltd Introduction 1. This Credit Reporting Privacy Policy is the official privacy policy of Baybrick Pty Ltd and its subsidiaries which includes JBS Australia
More information2. Open and transparent management of personal information
Privacy Policy - Talison Lithium Pty Ltd 1. Overview Talison Lithium Pty Ltd (Talison) believes privacy is an important right of individuals. Talison takes steps to protect your personal information from
More informationPRIVACY POLICY. Privacy Statement
PRIVACY POLICY Privacy Statement Blue Care is one of Australia's leading providers of retirement living, community health, help at home services and aged care homes, caring for more than 12,500 people
More informationE-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY
E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY Oana Dolea 7 th Annual Leg@l.IT Conference March 26th, 2013 Montreal, Canada INTRODUCTION Mobile e-commerce vs. E-commerce Mobile e-commerce:
More informationIn-House Counsel Day Priorities for 2012
In-House Counsel Day Priorities for 2012 Cloud Computing the benefits, potential risks and security for the future Presented by Anthony Willis Group Head IP and Technology Thursday 1 March 2012 WIN: What
More informationDefinitions. Broker means Veda Advantage Information Systems and Solutions Limited;
Definitions Authorised Purposes means: (a) dealings with interests in land authorised by Law; or (b) a purpose directly related to such dealing provided that the purpose is not contrary to any Law; or
More informationDirect Recruitment Privacy Policy
Direct Recruitment Privacy Policy Direct Recruitment manages personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles (APP). This policy applies to information collected
More informationService Schedule for CLOUD SERVICES
Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this
More informationABC PRIVACY POLICY. The ABC is strongly committed to protecting your privacy when you interact with us, our content, products and services.
ABC PRIVACY POLICY The ABC is strongly committed to protecting your privacy when you interact with us, our content, products and services. Our goal is to provide you and your family with media experiences
More informationDATA PROTECTION AND DATA STORAGE POLICY
DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether
More informationPrivacy Policy (Solitaire Automotive)
Privacy Policy (Solitaire Automotive) Solitaire Automotive Group is committed to ensuring that any personal information collected during the course of our operations is treated with respect and managed
More informationData controllers and data processors: what the difference is and what the governance implications are
ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a
More information(a) the kind of data and the harm that could result if any of those things should occur;
Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data
More informationService Schedule for BT Business Lite Web Hosting and Business Email Lite powered by Microsoft Office 365
1. SERVICE DESCRIPTION 1.1 The Service enables the Customer to: set up a web site(s); create a sub-domain name associated with the web site; create email addresses. 1.2 The email element of the Service
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationCUA Group APP Privacy & Credit information Policy
For more information: Call 133 282 Visit www.cua.com.au Drop into your local branch CUA Group APP Privacy & Credit information Policy 1 August 2015 Credit Union Australia Limited ABN 44 087 650 959 AFSL
More informationPrivacy Statement. April 2015
Privacy Statement April 2015 RACT Health Insurance is provided by GMHBA Limited. In this privacy statement, references to RACT Health Insurance are references to GMHBA Limited. References to RACT are references
More informationPrivacy, the Cloud and Data Breaches
Privacy, the Cloud and Data Breaches Annelies Moens Head of Sales and Operations, Information Integrity Solutions Legalwise Seminars Sydney, 20 March 2013 About IIS Building trust and privacy through global
More informationCloud Computing. Introduction
Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between
More informationPrivacy in complaint handling systems
Privacy in complaint handling systems A review of how privacy obligations in the Information Privacy Act 2009 (Qld) have been incorporated in Queensland government agencies complaint handling systems Report
More informationQuorum Privacy Policy
Quorum Privacy Policy Quorum Analytics Inc. ( Quorum") has created this website (the "Website" or the "Site") to provide an online analytical tool that Subscribers can use to generate Derived Analytics
More informationCloud Computing: Privacy and Other Risks
December 2013 Cloud Computing: Privacy and Other Risks by George Waggott, Michael Reid and Mitch Koczerginski, McMillan LLP Introduction While the benefits of outsourcing organizational data storage to
More informationDATA PROTECTION POLICY
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
More informationPrivacy Policy. Board for Lutheran Education Australia. Policy. Purpose. Exclusion
Policy Relevant to Responsible officer Contact officer Authorisation Date introduced March 2014 Effective date of latest version March 2014 Next review date March 2017 Relevant legislation or source Board
More informationBest Practice Guide Workplace privacy
Best Practice Guide Workplace privacy 01 Work & family 02 Consultation & cooperation in the workplace 03 Use of individual flexibility arrangements 04 A guide for young workers 05 An employer s guide to
More informationBLUE BADGE INSURANCE PTY LTD BLUE BADGE COMMUNITY AUSTRALIA PTY LTD PRIVACY POLICY
BLUE BADGE INSURANCE PTY LTD BLUE BADGE COMMUNITY AUSTRALIA PTY LTD PRIVACY POLICY Version 1-1 1 July 2015 Blue Badge Insurance Australia Pty Ltd 2014 ABN 59 162 783 306 A.R. No. 438547 is an Authorised
More informationINFORMATION GOVERNANCE POLICY
INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:
More informationService Schedule for Business Email Lite powered by Microsoft Office 365
Service Schedule for Business Email Lite powered by Microsoft Office 365 1. SERVICE DESCRIPTION Service Overview 1.1 The Service is a hosted messaging service that delivers the capabilities of Microsoft
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationwww.corrs.com.au OFFSHORING Data the new privacy laws
www.corrs.com.au OFFSHORING Data the new privacy laws OFFSHORING DATA THE NEW PRIVACY LAWS Transfer of data by Australian organisations to other jurisdictions is increasingly common. This is a result of
More informationOpal Privacy Policy. Opal Electronic Ticketing System
Opal Electronic Ticketing System Contents 1 Background... 4 1.1 The Opal Ticketing System... 4 1.2 Channels for acquiring Opal cards... 4 1.3 TfNSW... 4 2 Scope of policy... 5 2.1 Applicable privacy legislation...
More informationPROFESSIONAL INDEMNITY RENEWAL DECLARATION IMPORTANT INFORMATION: PLEASE READ THE FOLLOWING INFORMATION BEFORE COMPLETING THIS RENEWAL DECLARATION
PROFESSIONAL INDEMNITY RENEWAL DECLARATION IMPORTANT INFORMATION: PLEASE READ THE FOLLOWING INFORMATION BEFORE COMPLETING THIS RENEWAL DECLARATION A. Obtaining a Quotation To minimise delays in obtaining
More informationArticle 29 Working Party Issues Opinion on Cloud Computing
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
More informationInternational money transfers public interest determination applications. Consultation paper
International money transfers public interest determination applications Consultation paper Closing date for comment 4 August 2014 Purpose of consultation paper The Office of the Australian Information
More informationInformation Privacy Policy
Information Privacy Policy pol-032 Version: 2.01 Last amendment: Oct 2014 Next Review: Aug 2017 Approved By: Council Date: 04 May 2005 Contact Officer: Director, Strategic Services and Governance INTRODUCTION
More informationSOLICITORS EXCESS PROFESSIONAL INDEMNITY PROPOSAL FORM IMPORTANT INFORMATION: PLEASE READ THE FOLLOWING INFORMATION BEFORE COMPLETING THIS PROPOSAL
SOLICITORS EXCESS PROFESSIONAL INDEMNITY PROPOSAL FORM IMPORTANT INFORMATION: PLEASE READ THE FOLLOWING INFORMATION BEFORE COMPLETING THIS PROPOSAL A. Your Duty of Disclosure Before you enter into a contract
More informationHow To Know What You Can And Can'T Do At The University Of England Students Union
HOW WE USE YOUR INFORMATION This privacy notice tells you what to expect when University of Essex Students Union (referred to as the SU herein) collects personal information. It applies to information
More informationPrivacy Law in Canada
by PATRICIA WILSON & MICHAEL FEKETE Protection of personal information remains at the forefront of public policy debate in. Federal and provincial privacy legislation has a profound impact on the way virtually
More informationData Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
More informationRequirements made under the Intermediaries Byelaw
Chapter 2 Requirements made under the Intermediaries Byelaw Section 1 Delegated Underwriting Registers of coverholders and registered binding authorities Part B of the Intermediaries Byelaw Format and
More informationCollection and Use of Information
AVO Privacy Policy AVOapp, Inc. treat with responsibility for the safety of your personal data. Please read the following to be informed about our Privacy Policy ("Policy"). This Policy details how we
More informationCLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING?
CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING? Lindsey Finch Senior Global Privacy Counsel Salesforce.com lfinch@salesforce.com David T.S. Fraser Partner McInnes Cooper David.fraser@mcinnescooper.com
More information