Franchise Businesses and Privacy: Radical overhaul of Privacy Laws proposed

Franchise businesses should be aware of the recent developments in Australian Privacy Law and the possible implications for the franchise industry.  

Outline

On August 11 2008, the Australian Law Reform Commission (“ALRC”) released its landmark report reviewing Australian Privacy Laws (For Your Information: Australian Privacy Law & Practice).

The ALRC recommendations in relation to the following areas may significantly impact upon businesses, including franchisors:

  • Proposed removal of the small business exemption – all businesses, regardless of their annual turnover, would be required to comply with the privacy regulations;
  • Proposed removal of the employee record exemption – employee records would now be covered under the privacy scheme;
  • Credit reporting system – credit providers would be able to access more detailed personal information when conducting credit checks.

Franchise businesses should be prepared to amend their privacy policies and processes in light of the Government’s indication that the recommendations from the ALRC Report will form the basis of significant changes to Australian Privacy Law.

The Australian Privacy Commissioner has also published a data breach guide regarding the prevention and recommended response to data breach (Guide to Handling Personal Information Security Breaches), (released 25 August 2008). The guide is a useful resource for franchise businesses when addressing privacy issues.

(1) For Your Information: Australian Privacy Law and Practice – ALRC report [1]

Current Privacy Laws

The existing Privacy Laws came into operation in 2001, under the Privacy Amendment (Private Sector) Act. The 2001 laws established national standards in relation to the manner in which personal information is stored, used and disclosed by private sector organisations.

Currently, the following types of organisations are covered under the Privacy Act:

  • Businesses with an annual turnover of $3 million or more
  • Businesses with an annual turnover of less than $3 million which are related to organisations with an annual turnover of more than $3 million
  • Health service providers or other organisations that hold health information
  • Organisations that collect, disclose and provide personal information for a benefit, service or advantage
  • Organisations that are contracted service providers to the Federal Government
  • Charitable and other not-for-profit organisations
  • Unions

Background to the report

On 11 August 2008, the ALRC published a three volume, 2700 page report which recommended 295 changes to privacy law and practice. Conducted over a two year period, the ALRC inquiry included an extensive research and consultation process with strong community input. The recommendations aim at simplifying Australian privacy laws in light of technological developments. They come in response to public concerns surrounding a range of previously unforeseen privacy issues associated with the modern “Information Age”.

Key Recommendations

In the report’s Executive Summary [2], the ALRC outlined the following key recommendations to the Attorney General:

  • Redrafting and restructuring of the Privacy Act 1988 (Cth): creation of a uniform, single set of privacy principles (“Unified Privacy Principles”) from the current IPPs [3] and NPPs [4];
  • Redefinition of key terms: terms such as “personal” and “sensitive” information should accommodate technological advances and international instruments;
  • Rationalisation of exemptions to the Privacy Act: removal of exemptions for small businesses, employee records and political parties, and clarification of the journalism exemption;
  • Streamlining of complaint handling systems: expansion of Privacy Commissioner’s powers to decline investigations and commence proceedings in the federal courts to seek a civil remedy in cases of serious or repeated interference with an individual’s privacy;
  • Reorganisation of the Office of the Privacy Commissioner;
  • Mandatory data breach notification: new procedures to ensure that organisations notify the Privacy Commissioner and affected individuals when a data breach has occurred;
  • More comprehensive credit reporting: wider categories of personal information should be allowed to be added to an individual’s credit file, to encourage better risk management practices by credit suppliers and lenders;
  • Redrafting of Part 13 of the Telecommunications Act 1997 (Cth): review of provisions relating to the use and disclosure of personal information in the telecommunications industry;
  • Health Privacy: the ALRC recommended the drafting of new Privacy (Health Information) regulations to address issues relating to electronic health records and patient and researcher accessibility of medical records;
  • Introduction of a ‘cross-border data flows’ model: organisations should be held responsible for all uses and disclosure of personal information they send offshore;
  • Statutory cause of action for serious invasion of privacy: federal law should provide a statutory cause of action for a serious invasion of privacy where there was a reasonable expectation of privacy. Such circumstances could include interference with home or family life, unauthorised surveillance, interference with private correspondence or the disclosure of sensitive information about a person’s private life. Remedies should include damages, injunctions, declarations, apologies or corrections.

Governmental Response

The Cabinet Secretary and Special Minister of State, Senator John Faulkner indicated that the Government will consider the report in two stages [5]. Within the next twelve to eighteen months, the Government will introduce legislation in relation to the Unified Privacy Principles, health and credit reporting regulations, powers of the Privacy Commissioner and cross border data flows.

The second stage of reforms will relate to the removal of designated exemptions, redrafting of Part 13 of the Telecommunications Act 1997 and the implementation of a statutory cause of action for privacy invasion. The ALRC report also recommended that the Australian Government review any amendments to the Privacy Act five years following their commencement.

(2) Guide to Handling Personal Information Security Breaches - Australian Privacy Commissioner Guidelines

The Australian Privacy Commissioner has released a data breach guide in relation to preventing and responding to personal information security breaches within organisations [6]. Whilst compliance with the guide is not mandatory, it is recommended that franchise businesses consider the key steps and factors outlined in the guide when responding to a personal information security breach.

Identifying Personal Information Security Breaches

Under the Privacy Act, organisations must take reasonable steps to prevent a malicious or unintentional loss of personal information that they hold.

The guide provides examples of personal information security breaches, including [7]:

  • Lost or stolen laptops, storage devices or physical files containing personal information;
  • Paper records inadequately recycled;
  • Computer storage media disposed of without erasing contents;
  • Mistaken provision of personal information to the wrong person;
  • Personal information databases being illegally accessed or ‘hacked into’ by individuals outside the organisation;
  • Employees accessing personal information outside the requirements of their employment.

Preventing Security Breaches

The guide also recommends that organisations consider the security safeguards applied to personal information in numerous scenarios. This could include maintaining physical security, implementing privacy enhancing technologies, personnel training and periodic reviews of security policies. [8]

Responding to a breach

The guide provides four key steps for organisations to consider when responding to a breach or suspected breach of personal information:

Step 1: Contain the breach and do a preliminary assessment [9]:

  • Where a breach of personal information has arisen because of unauthorised access involving electronic systems, the organisation may need to shut down the electronic system, change computer access privileges or upgrade electronic security;
  • The organisation should appoint an employee with sufficient authority to investigate the breach and make initial recommendations to address the issue.

Step 2: Evaluate the risks associated with the breach [10]:

  • When assessing the potential risks which could result from the breach, the organisation should consider: the type of personal information involved, who is affected by the breach, the context of the information and the cause and extent of the breach.

Step 3: Consider notification of affected individuals or third parties[11]:

  • Whilst notification is not always appropriate, if the breach creates a real risk of serious harm to the individual whose personal information has been compromised, it is appropriate to notify that individual;
  • Where an organisation has contractual obligations relating to privacy, it is required to notify the affected individuals to whom those obligations are owed;
  • It may also be necessary to involve third parties, including the Privacy Commissioner (particularly if large numbers of people are affected by the breach) or the police (if theft or another crime is suspected).

Step 4: Prevent future breaches [12]:

  • After taking immediate steps to mitigate the risks associated with the breach, organisations should develop a plan to prevent future breaches;
  • A prevention plan may include an audit of physical and technical security or a review of employee selection and training practices.

The Privacy Commissioner has indicated that the Government’s proposed privacy reforms could take into consideration the Guide’s suggestions relating to breach notification, alongside the ALRC August 2008 Privacy Report, which recommended that mandatory breach notification be introduced into law.


Stephens Lawyers & Consultants advises on all aspects of Privacy Law and works with its clients in the development and implementation of privacy compliance programs.

Our firm has extensive experience in conducting internal privacy audits, preparing procedures and policies in accordance with privacy regulations and developing and implementing tailored Privacy Codes for organisations.


[1] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008).

[2] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008) 110-128.

[3] Information Privacy Principles, extracted from s 14 of the Privacy Act 1988 (Cth).

[4] National Privacy Principles, extracted from Schedule 3 of the Privacy Act 1988 (Cth).

[5] The Hon John Faulkner, ‘Speech to Launch the Australian Law Reform Commission’s Report on Privacy’ (Speech delivered at the Launch of the Australian Law Reform Commission’s Report – Privacy Week, Sydney, 11 August 2008).

[6] The term ‘organisations’ should be read consistent with the definition provided under the Privacy Act. 

[7] Office of the Privacy Commissioner, Guide to Handling Personal Information Security Breaches, August 2008, [7].

[8] Office of the Privacy Commissioner, Guide to Handling Personal Information Security Breaches, August 2008, [8].

[9] Office of the Privacy Commissioner, Guide to Handling Personal Information Security Breaches, August 2008, [14]-[15].

[10] Office of the Privacy Commissioner, Guide to Handling Personal Information Security Breaches, August 2008, [16]-[21].

[11] Office of the Privacy Commissioner, Guide to Handling Personal Information Security Breaches, August 2008, [22]-[31].

[12] Office of the Privacy Commissioner, Guide to Handling Personal Information Security Breaches, August 2008, [32]-[36].

27-Nov-2008
