ADMA Briefing Summary March

Similar documents
PRIVACY POLICY. 3.1 This policy does not apply to the collection, holding, use or disclosure of personal information that is an employee record.

Policy on Privacy and Management of Personal Information

Polemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.

This policy also applies to personal information about you that the Federation collects from any other third party.

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2

Xpress Super may collect and hold the following personal information about you: contact details including addresses and phone numbers;

DATA PROTECTION POLICY THE HOLST GROUP

TABLE OF CONTENTS. Page

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Maritime Union of Australia. Privacy Policy 2014

Privacy Policy Wealth Elements Pty Ltd

FLIPOUT Privacy Charter. We will handle any information we collect about you in accordance with our privacy Policy

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Policy Objectives (the Association) Privacy Act APPs Policy Application ACTU The Police Association Website

Ambition Training. Privacy Policy

Privacy and Spam Policy Ten Tigers Grain Marketing Pty Ltd

Privacy Policy First National Group of Independent Real Estate Agents Limited ACN

The Australian Privacy Act An overview of the Australian Privacy Principles (APPs) Author: Paul Green

DATA PROTECTION POLICY

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Data Protection Policy

Islam21c.com Data Protection and Privacy Policy

SYDNEY FESTIVAL PRIVACY POLICY

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

Privacy Policy. Revisions to this Policy. What Information we collect. How do we collect Information?

INNOVENT LEASING LIMITED. Privacy Notice

Motorola Mobility Binding Corporate Rules (BCRs)

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Privacy Policy First National Real Estate Ireson Real Estate Pty Ltd ACN

GENERAL PRIVACY POLICY

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Privacy policy. Last updated September Caravan Trade & Industries Association of Queensland ABN (CTIAQ)

KIN GROUP PTY LTD PRIVACY POLICY

DATA PROTECTION POLICY

1 Privacy Statement INDEX

Policy & Procedure Privacy Policy

Frequently Asked Questions

Requirements for a Managed System

Subject: Kier Group plc Data Protection Policy

PS Mailing Services Ltd Data Protection Policy May 2018

Jefferies EMEA Privacy Notice

PRIVACY POLICY 1. ABOUT THIS POLICY

The Code has also been developed to demonstrate the industry s commitment to high ethical standards and best practice.

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

CNH Industrial Privacy Policy. This Privacy Policy relates to our use of any personal information you provide to us.

PRIVACY POLICY. Catholic Diocese of Ballarat

Data Protection Policy

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

Privacy Notice. General Information Protection Regulation ( GDPR )

Rights of Individuals under the General Data Protection Regulation

We also recommend reading the methods available to OPT OUT and control your data, such methods are listed in this policy.

Privacy Notice - General Data Protection Regulation ( GDPR )

The British Museum. Data Protection Code of Practise. 1 Introduction

HOW WE USE YOUR INFORMATION

Data Protection Policy

Data Protection Policy

Cognizant Careers Portal Privacy Policy ( Policy )

It s still very important that you take some steps to help keep up security when you re online:

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

MBNL Landlord Privacy Notice. This notice sets out how we handle landlord personal data as part of our General Data Protection policies (GDPR).

Data Protection Policy

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection

InComm Australia & New Zealand Pty Ltd Privacy Policy (AUSTRALIA)

Introductory guide to data sharing. lewissilkin.com

Data protection legal jungle or common sense Susan Healy. Religious Archives Group 22 Mar 2010

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust

UWC International Data Protection Policy

This policy is a public document and has been prepared in light of the National Privacy Principle 5: Openness.

Creative Funding Solutions Limited Data Protection Policy

Breach Notification Form

Privacy Policy GENERAL

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

About the information we collect We collect and process personal data including but not limited to:-

Down Under Centre Employment Hub - Privacy Policy Introduction

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

Government data matching and the Privacy Act 1988 (Cth)

ELTA GROUP ASIA PACIFIC (EGAP) COMPANIES

FIRESOFT CONSULTING Privacy Policy

UWTSD Group Data Protection Policy

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

PATRIOT CAMPERS PTY LTD PRIVACY POLICY

Brasenose College ICT Systems Privacy Notice (v1.2)

This Privacy Policy governs our processing of all personal data provided to us at Environmental Essentials in relation to our E-learning services.

What personal data or information do we collect? The personal information we collect may include:

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

NEDS PRIVACY POLICY 1. PRIVACY ACT 1988 (CTH) AND THE AUSTRALIAN PRIVACY PRINCIPLES

TIX Privacy Policy. 1. Scope of this Privacy Policy. 2. What personal information does TIX collect? Updated 7 September 2015

DATA PROTECTION A GUIDE FOR USERS

GLOBAL DATA PROTECTION POLICY

The information we collect

Technical Requirements of the GDPR

Last updated 31 March 2016 This document is publically available at

GLOBAL DATA PROTECTION POLICY

You can find a brief summary of this Privacy Policy in the chart below.

ADMIRAL MARKETS PTY LTD PRIVACY POLICY

Link Group Privacy Policy LINK GROUP. For all subsidiaries of the Link Group in Australia. Privacy Policy. LINK Group, 2017 Page 1 of 11

TIX NZ Privacy Policy

KSi Malta Privacy Policy

PRIVACY POLICY SECTION 1 CONTACTS

GRANDSTREAM PRIVACY STATEMENT

Transcription:

ADMA Briefing Summary March 2013 www.adma.com.au

Privacy issues are being reviewed globally. In most cases, technological changes are driving the demand for reforms and Australia is no exception. From 2004 2012 ADMA was involved in a review of the privacy laws which has led to the Privacy Amendment (Enhancing Privacy Protection) Act 2012. The new privacy legislation, including the changes affecting marketing will come into effect on 12 March 2014. Major changes Definition of Personal Information: The new definition of personal information is now: Information or an opinion about an identifiable individual, or an individual who is reasonably identifiable: Whether the information or opinion is true or not; and Whether the information or opinion is recorded in a material form or not. www.adma.com.au 1

This new definition of personal information potentially captures more data than the previous definition. It includes data where you can identify an individual by name. It also potentially includes data where you can identify a single person even though you may not necessarily know the person s name. This would include, for example, cookie information that identifies a single user. Note that information that you collect which is anonymous may also be considered personal information if you intend to combine the anonymous information with other information that will identify the individual. Similarly, if you collect anonymous information that is likely to be combined with personal information (whether or not there is an intention to do so) you will need to treat that information as personal information from the beginning. If you want to avoid anonymous information becoming personal information you will also need to provide added protections to prevent that from happening. You can choose to put a policy in place to prevent the anonymous information from being identified, use encryption or passwords to protect data, or implement similar processes to reduce the risk of re-identification. If you can t or choose not to make re-identification unlikely to happen, you should treat that information as if it was personal information. Sensitive Information Additional rules apply to sensitive personal information Reasonably identifiable information about a person s: Racial or ethnic origin Political opinion Membership of a political party Religious beliefs Philosophical beliefs Membership of professional or trade association Sexual preferences or practices Criminal record Health and genetic information that is about an individual www.adma.com.au 2

Australian privacy principles (APP) 1. Transparency Open and transparent management of personal information. Organisations must have a clearly expressed and up-to-date privacy policy that is reviewed regularly. This should be in clear, understandable English. Staff should understand what the privacy policy means in practice, and be trained to implement it. The privacy policy must have the following information: the kinds of personal information collected and held; how such information is collected and held; the purposes for which the entity collects, holds, uses and discloses personal information; access and correction procedures; complaint-handling procedures; information about any cross-border disclosure of personal information that might occur; and any significant handling practice should be identified, such as if a company has specific information retention or destruction policies or obligations. Privacy policies must be made available free of charge. This can be on your website, but you should also be prepared to provide it upon request in any other format. You should also have documented privacy compliance practices that apply to your organisation. It is important to note that the Australian Privacy Commissioner has the power to ask you to present your compliance practices document. These should be developed in advance of 12 March 2014. www.adma.com.au 3

2. Anonymity and pseudonymity Individuals have the option of dealing with a company anonymously or under a pseudonym. The new privacy law requires organisations to provide individuals the options to deal with the company anonymously or under a pseudonym. You don t have to comply with this if it is not practical to do so, or if it is authorised under law (or court or tribunal order). When you are considering whether you require the name of the individual, consider the following: can you provide the service without identifying the individual? what are the consequences of not capturing that information? Will this impact your ability to do business with the individual? should you make the name field mandatory when collecting information? It might not be practical to offer anonymity or pseudonymity if you need to: process a payment deliver goods and services require the name for a future service send personalised marketing or communications to the individual de-duplicate records and maintain data accuracy. 3. Collecting personal information You are permitted to collect personal information for marketing purposes either directly from the individual or from a third-party source (eg through third-party lead generation, online data gathering, public source information, purchased list) providing that the rules relating to collection (APP 3); notification (APP 5) and direct marketing (APP 7) are complied with. In relation to collection, the following rules apply: Collect only what is: reasonably necessary for the purpose; or related to one of your functions or activities Only collect sensitive information with consent Only use lawful and fair means for collection Where possible, only collect personal information from the individual, with some exceptions www.adma.com.au 4

4. Unsolicited personal information This new rule says that if you receive personal information that you did not request, then you should destroy or delete it unless you can show that you could have collected it under the rules for APP 3, Collecting Personal Information. This would apply where a customer provides you with information that you have not requested. Such data should not be stored or used. Instead, it should be deleted. 5. Notification You must notify the individual, before or at the time, or as soon as practical after collection, as to how and why you are collecting their personal information. Your notification statement should include the following information: 1. Contact details of the organisation; 2. Whether information has been collected from a third party and the circumstances of that collection; 3. Whether the collection of the personal information was required by Australian law or a court/tribunal order (and details about that collection); 4. The purpose of the collection; 5. The main consequences to the individual of not collecting the personal information; 6. Any other companies, or types of companies, that the personal information might be disclosed to; 7. Complaint-handling and access/correction information in the organisation privacy policy; 8. That the privacy policy contains details of how to complain about a breach of the APP s and how the company will deal with such a complaint; 9. Information about disclosure to overseas recipients; and 10. The countries to which such information may be disclosed. When collecting personal information directly from the individual, the notification should be given at the point of data collection. If the personal information is being collected from a third party source, the notification should be given the first time that individual is contacted using the personal information. www.adma.com.au 5

6. Use and disclosure NOTE: This APP does not apply to direct marketing please see APP 7 You can use the personal information for the purpose it was collected, but you must not use or disclose it for any other purpose, unless: You have the individual s consent; The individual would reasonably expect the information to be used for another purpose; The purpose is a related purpose. 7. Direct marketing An entity must not use or disclose personal information for the purpose of direct marketing unless they follow these rules: www.adma.com.au 6

Data collected from an individual The individual would reasonably expect the organisation to use the information for direct marketing*; The organisation has provided a simple means by which the individual can request not to receive direct marketing; and The individual has not availed him or herself of this means. *Note: If the individual would not reasonably expect it to be used for direct marketing, and it is impractical to obtain consent, you must follow the rules for data collected from a third party. Data collected from a third party The individual has consented to the use of information for direct marketing or it is impractical to obtain consent; The organisation has provided a simple means by which the individual can request not to receive direct marketing; and In each direct marketing communication the organisation includes a prominent opt-out statement or otherwise draws the individual s attention to this option; and The individual has not availed him or herself of this means. Note that direct marketing is not defined and therefore is likely to mean any marketing that is directed to an individual using personal information. www.adma.com.au 7

8. Cross-border disclosure A cross-border disclosure is when personal information can be viewed in another country by another party. It is important to note that a disclosure can occur within a group of companies therefore it is important to conduct an audit of where personal information is being viewed. Personal information stored in another country is also considered to have been disclosed if the storage provider can access the data, therefore, those using cloud-based services need to comply with this provision. An individual must be provided the same level of protection for their personal data if it is disclosed in another country, as they would have under the Australian Privacy Principles. Organisations disclosing personal information in another country have the following options: If the foreign entity is subject to similar law or legally binding code as the Australian Privacy Principles; If a company contracts with the foreign entity to provide the same level of protection; and If the individual is fully informed and chooses to waive their right to protection in advance. If the organisation chooses the third option, they will remain responsible for the personal information after it has left Australia. Should anything happen to the data whilst in another country, the Australian entity will be held accountable. 10-13. Integrity of personal information APP 10-13 relate to the integrity of personal information. These rules are about quality, security, access and correction. Quality Organisations must take reasonable steps in the circumstances to ensure information collected, used or disclosed is accurate. Accuracy includes ensuring information is up-to-date, complete and relevant. Security Organisations must take all reasonable steps to protect personal information. This includes adopting both physical and technological security measures. Personal information must be protected from misuse, loss, disclosure, unauthorised access. www.adma.com.au 8

Access Organisations must give individuals access to their personal information on request. Correction Organisations must correct personal information on request. If personal information is not to be corrected, reasons must be given for refusal, and information provided on how to complain. Enforcement powers of the Privacy Commissioner: The Privacy Commissioner has new enforcement powers. These include: Assessment: Assessments can be proactively conducted and the Privacy Commissioner can request that you demonstrate your compliance with the new privacy laws even if no complaint has been lodged against you. Enforceable undertakings: The Privacy Commissioner may seek an enforceable undertaking from organisations that are in breach of the new laws. He/she can also refer issues to dispute resolution and issue determinations. Fines: $1.7million fines per infringement. Summary of key impacts Privacy policies need to be updated to make sure you give clear notification of what you intend to do with the personal information. Document your privacy practices. Make sure you get the right consent for the use and disclosure of data that suits your intended activity. Make sure you can prove you have consent to use or disclose the data, in accordance with the Australian Privacy Principles. Make sure you have systems in place to manage compliance issues and complaints, and the relevant people are trained in using them. Have a discussion with the IT team about data security; be aware that privacy breaches most often happen through human error. Make sure you have adequate systems for managing opt-outs, and requests for information about the sources of personal information. www.adma.com.au 9

Be aware that you will be held accountable when personal information you collected (or disclosed to a third party) is used or disclosed off-shore. Understand that a breach of the Act will potentially incur fines of up to $1.7million per infringement. Stay Connected Web: http://www.admaknowledgelab.com.au/compliance/ Email: comply@adma.com.au Twitter: @adma www.adma.com.au 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback