Submission in relation to the Draft Guidelines on Australian Privacy Principles 1 to 5

Submission in relation to the Draft Guidelines on Australian Privacy Principles 1 to 5 by the Consumer Credit Legal Centre (NSW) Inc. and Consumer Action Law Centre

About Consumer Credit Legal Centre

Consumer Credit Legal Centre (NSW) Inc (CCLC) is a community-based consumer advice, advocacy and education service specialising in personal credit, debt, banking and insurance law and practice. CCLC operates the Credit & Debt Hotline, which is the first port of call for NSW consumers experiencing financial difficulties. We also operate the Insurance Law Service, which provides advice nationally to consumers about insurance claims and debts to insurance companies. We provide legal advice and representation, financial counselling, information and strategies, referral to face-to-face financial counselling services, and limited direct financial counselling. CCLC took over 18,000 calls for advice or assistance during the 2011/2012 financial year.

A significant part of CCLC's work is in advocating for improvements to advance the interests of consumers, by influencing developments in law, industry practice, dispute resolution processes, government enforcement action, and access to advice and assistance. CCLC also provides extensive web-based resources, other education resources, workshops, presentations and media comment.

About Consumer Action Law Centre

Consumer Action is an independent, not-for-profit, campaign-focused casework and policy organisation. Consumer Action offers free legal advice, pursues consumer litigation and provides financial counselling to vulnerable and disadvantaged consumers across Victoria. Consumer Action is also a nationally-recognised and influential policy and research body, pursuing a law reform agenda across a range of important consumer issues at a governmental level, in the media, and in the community directly.

Thank you for the opportunity to comment on the proposed draft Guidelines on Australian Privacy Principles 1 to 5. CALC and CCLC endorse the submission by ACCAN and the Australian Privacy Foundation.

General Comments

The Australian Privacy Principles (APP) are the key guiding principles for privacy in Australia. This is why it is critical that the APP Guidelines (Guidelines) are clear and provide practical guidance to the public and APP entities on how the APP apply. Our general comments are:

- The introductory chapters are quite long and not easily accessible. There should be a box at the beginning of the whole document that summarises the document, with a master contents page.
- The key points at the beginning of each Principle are supported.
- The APP Guidelines should be in plain language and avoid technical language as much as possible.
- There should be many examples to provide guidance in commonly occurring situations. The examples should be in boxes and in a different colour.
- The language of the Guidelines should be direct and as specific as possible.
- A good precedent for best practice guides is the ASIC Regulatory Guides. Where possible the APP Guidelines should be structured and written in a similar way.
- Given the length of the Guidelines, an index should be produced to make the Guidelines more accessible.
- If there are relevant legal decisions by a Court, Tribunal or the OAIC, then these should be mentioned and referenced.

Chapter A Introductory Matters

Who is covered by the APPs?

This section is circular. It refers back to the Act. While it is appreciated that the Act gives the precise definition, a brief summary or guide to those provisions should be provided, so that anyone looking at the Guidelines has some indication whether they are covered or not.

Do the APPs apply to a contracted service provider under a Commonwealth contract?

A.11 needs to be very clear about the obligation being imposed. Firstly, the key point here is that the Commonwealth agency needs to be responsible for the actions of its contracted service providers. Accordingly, the contract must clearly specify and bind the contracted service provider to ensure that the Act is not breached. Further guidance should be included on the main matters that must be covered in the contract. Is it sufficient to simply require compliance with the Privacy Act? We would argue that this is not sufficient guidance to ensure that the contracted service provider is clear on their obligations.

October 2013 Page 2

Do the APPs apply to a credit reporting participant?

This section should summarise when the APPs apply, or apply in addition to Part IIIA of the Act. There has been constant confusion over many years about the interaction of credit reporting and the APP. It is important that this is summarised in the Guidelines for the sake of clarity. It is also important that credit reporting examples are included throughout the Guidelines where applicable. This further reinforces the interaction of credit reporting and the APP.

Chapter B Key concepts

APP Entity

B.5 This section needs to clarify whether a sole trader is a small business operator. B.7 should clarify that an agency must be a Commonwealth agency.

Collection

B.15 should be clarified. Reading the newspaper is not collecting information, but keeping a folder of clippings or saved articles would arguably be collection. The example needs to change or be clarified. All examples should be separate, highlighted and with sufficient detail to cover the issue. This example needs further detail.

Express or implied consent

Consent is a key right for individuals. This section is important in providing guidance on obtaining consent. The Guidelines need to be very clear about what is implied consent and what is consent. There should be a list of clear examples. We contend that best privacy practice is to obtain express consent and not use implied consent. If the Privacy Commissioner believes there are limited circumstances when it would be acceptable, then there should be clear and detailed guidance on what those circumstances are.

This section appears to be structured upside down. The section should start by describing best practice express consent and giving guidance on how to do this. Several clear examples should be included. The section should then list the problems with implied consent. There should be an itemised list of when implied consent would be unacceptable.

We contend that a failure to opt-out is clearly not consent. The guideline states that the more factors in the bullet point list that are met, the more likely it is that the failure to opt-out is implied consent. This is ambiguous and could lead to a "race to the bottom" in privacy. This type of guidance encourages APP entities to simply keep testing how few factors need to be covered to use opt-out. The Guidelines should be encouraging good privacy practice, not poor privacy practice. We contend that for the sake of clarity the Guidelines should state that all of the listed factors need to be (or at least should be) demonstrated to rely on opt-out. The bullet point list at B.27 should also include a requirement to send an acknowledgment if the individual opts out later (the last bullet point).

Voluntary

A key feature of the concept of voluntary is that the consent can be withdrawn. This should be made clear.

Bundled consent

Bundled consent is a ubiquitous problem for individuals. Any typical application for a financial services product has a Willy Wonka contract full of fine print and bundled consents. Individuals have simply stopped reading these bundled consents. This section defines bundled consent at B.32. At B.33 it is stated that bundled consents have the potential to undermine consent. This is a very weak statement. A stronger and more detailed statement is required to discourage the use of bundled consents. Otherwise the likely outcome for individuals is just more bundled consents, which represent illusory consent.

Current and specific

B.36 gives the individual the right to withdraw consent. This needs a lot more detail, if not at this point then later. Withdrawal of consent needs to be easy, accessible and acknowledged. This is particularly important as it is currently very easy to give consent. The processes should be symmetrical. It is essential that:

- APP entities provide a simple, one-step method for revoking consent; and
- directly or indirectly revoking consent should be a free service.

APP 1 Open and transparent management of personal information

We strongly support the importance of individuals being able to access plain language privacy policies. Currently, this policy is often buried at the bottom of an internet home page. It is recommended that the Guidelines provide further detail on how to make a privacy policy more accessible, for example by avoiding fine print at the bottom of an internet home page.

Accessing and seeking correction of personal information

At 1.21 the second bullet point refers to a contact person. It should be a contact department, given frequent staff changes (as suggested on the line below). We also contend that any privacy policy should cover a procedure for responding to matters raised, including:

- acknowledgments of withdrawal of consent
- dispute resolution
- procedures for responding to access requests, including disclosure of costs

These could be added to 1.30.

Likely overseas disclosures

Consumers are often very aggrieved to find their personal information has been sent overseas to a call centre. Individuals are completely justified in having concerns about where in the world their information is going and how secure that information is. Further guidance should be provided on "impracticable". Although it is not defined, it is still possible to provide guidance.

APP 3 Collection of solicited personal information

An overall comment on APP 3 is that there is insufficient guidance on what is meant by "reasonably necessary". This is a key term and needs detailed explanation and examples.

Collecting sensitive information when a permitted general situation exists

A common problem we encounter is the collection of sensitive information from a consumer of an insurance product when there is an investigation of possible fraud. Insurance companies often then demand a very large list of sensitive personal information from the consumer, including:

- phone records
- financial records
- criminal records
- driving history

If the consumer insists the information is sensitive and personal, the claim is rejected. The consent to provide this information is often obtained under duress because the consumer is told the claim will be rejected if the information is not provided. The consumer is not provided with details of what will happen to this information. Given that the above situation is a common problem, the Guidelines should provide an example to cover this situation and give guidance. In particular, 3.35 should include this situation as a detailed example.

Similarly with 3.39, the example given there is not detailed enough. Guidance needs to be given on the extent of the exception. The example given should be a detailed example to demonstrate the limits of the exception. For example, collecting irrelevant health information by getting an entire medical history on unrelated conditions is intrusive and unnecessary. Insurance companies literally go on a fishing expedition with incredibly sensitive health information.

If you have any questions please do not hesitate to contact Kat Lane on 02 82041350.