PRIVACY CHANGES: LESS THAN ONE MONTH TO GO!

Transcription

1 PRIVACY CHANGES: LESS THAN ONE MONTH TO GO! On 12 March 2014, the amendments to the Privacy Act will become effective. These amendments make significant changes to compliance. Many charities and not-for-profits are affected by these changes. You may have attended our breakfast seminar series last year in which we set out the changes and sought to identify the ways in which they make impact upon your organisation. On and from 12 March you will need to be compliant. If we can provide any assistance in this regard either by way of preliminary advice or to assist you in ensuring compliance, please do not hesitate to contact Damian Ward on or If you need to comply with the privacy legislation, it is important you take immediate steps. Following is a price list for services we offer and a checklist for you to assist in identifying your needs. List of Services and Proposal in relation to compliance with the Privacy Act We set out in the table below services we offer at fixed prices in relation to Privacy compliance in the NFP and Charity sector with the soon to be operational legislative forms. COMPLIANCE DOCUMENTS Drafting a privacy policy in compliance with the upcoming amendments due to come into force in March 2014 under the Privacy Act 1988 including a complaints policy and disclosure notice. This is a complete suite of documents necessary for compliance. $2,750 plus GST EXECUTIVE TRAINING - WORKSHOP The implications of privacy law workshop. This workshop will take between 2 ½ - 3 hours and addresses the following issues: What is privacy? The Australian privacy principles and what they mean. Risk management. Managing systems to ensure compliance. Best practice rules. Q and A. Practical examples. $399 plus GST per person (a maximum of 10 people per workshop session do not all need to be from your organisation) Page 1

2 TRAINING YOUR TEAM Training your team (either at your site or at Mills Oakley) on the basics of the privacy regime. Educating your staff as to the do s and don ts and dealing with the private information of individuals is a key to ongoing compliance. This is a one hour seminar targeted at giving your employees a road map as to what they can and can t do in relation to the private information of others. $1,500 per training session for up to 12 people (plus incidental costs if at your site) Larger groups are more cost effective - we can provide you with a price on application for a larger group. COMPLAINTS PROCESSING SYSTEMS WORKSHOP Having an effective and practically useful complaints handling system in relation to potential infringements of the privacy of individuals is a key component of ongoing compliance with the legislation. This workshop, again for senior members of staff, will run for 2 2 ½ hours and addresses: The mandatory requirements for a complaint registration system under the legislation. The implementation and effective conduct of a complaints management system. Issues of procedural fairness and practical operational issues around dealing with complaints. Risk management. Real life case examples. Dealing with the office of the Australian Information Commissioner the regulator. Q and A. $399 plus GST per person. (maximum of 10 per workshop) All sessions will end with attendees taking home materials to reinforce what has been discussed. We will provide lunch at the end of each of the workshops. If we need to travel to present a workshop or seminar, an additional charge for each attendee on a pro rata basis will be made at cost. Page 2

3 Privacy Compliance Check List The reforms to the Privacy Act 1988 will commence on 12 March 2014 (reforms). Among other changes to the statutory privacy regime, these reforms will unify the existing National Privacy Principles (applicable to private sector organisations) and Information Privacy Principles (applicable to agencies and government organisations) into a single set of 13 Australian Privacy Principles (APPs). Review the checklist below to ensure you are compliant with the CHECKLIST YES NO ACTIONS 1 Does your organisation deal with individual s health information, have an annual turnover of $3 million or more or adopt best practice with regard to privacy? 2 Does your organisation handle personal information or sensitive information about others? 3 Do you have an organisational understanding of the differences between personal and sensitive information? 4 Do you have a privacy policy that is compliant with the reforms? 5 Do you take steps to implement new practices, procedures and systems to ensure compliance with the APPs and any applicable binding APP code? Determine whether your organisation is subject to the APPs and required to or should comply with the Review information held to determine whether and what personal and/or sensitive information is held. Provide training to staff about appropriate information handling procedures, systems and processes. Draft or update your privacy policy and ensure it is available in an appropriate form and free of charge. Review practices, procedures and systems to ensure they are transparent, up to date and compliant with the 6 Do you have a privacy officer? Appoint a privacy office to ensure an operationally effective way of handling privacy issues and complaints. 7 Do you have a system to allow individuals to interact with you anonymously or by a pseudonym? If no, is it impractical or otherwise impossible to do so given the nature of your activities? 8 Do you receive unsolicited personal information? 9 Do you disclose personal or sensitive information? If yes, does your privacy policy explain the purposes for which you disclose such information? Unless an exception applies under the Privacy Act, you must allow individuals to interact with your organisation anonymously or by using a pseudonym. Review practices for handling, de-identifying and destroying unsolicited personal information. Review processes and systems to ensure that any personal or sensitive information held is only used and disclosed for lawful purposes and in compliance with the Page 3

4 CHECKLIST YES NO ACTIONS 10 If your organisation engages in direct marketing, are you compliant with the reforms? 11 Does your organisation send or store personal information overseas? 12 Do you have a security regime for the protection of personal information from misuse, interference, loss and unauthorised access, modification or disclosure? 13 Do you have systems and procedures in place for dealing with destruction or deidentification of personal information? 14 Are all of your processes for dealing with privacy and personal and sensitive information transparent, efficient and timely? 15 Do you have processes in place to correct inaccurate personal information, whether requested by individuals or otherwise? 16 Do you have a complaints handling procedure that is compliant with the reforms? Review direct marketing practices to ensure compliance with the reforms and ensure a functional opt-out mechanism is available Review practices, procedures and systems for sending personal information overseas, including implementing appropriate arrangements with overseas recipients to ensure compliance with the Implement practices and systems to prevent misuse, interference, loss of and unauthorised access to, modification or disclosure of personal information held. Review practices and procedures to ensure personal information is destroyed or de-identified when no longer needed. Implement processes for correcting personal information and ensuring it is accurate, up to date and complete. Implement procedures for responding to access requests for personal information that are timely and compliant with the Review practices and procedures for dealing with complaints and inquiries about privacy. Page 4

5 Privacy - Cheat Sheet 1. There is a wide amount of information you may collect about others (either directly or indirectly) that fall within the Privacy Act 1988 and its provisions. 2. Ensure you have a privacy policy which addresses all of the APPs. 3. Ensure you have systems and procedures which allow for day-to-day compliance with the APPs. In particular focus on a compliant complaints system, requests for access to private information, correcting private information and the independent obligation to have to update, correct and maintain the accuracy of information. 4. Direct marketing in addition to other legal obligations (i.e. Spam Act) ensure you do not use or disclose information for direct marketing in breach of the relevant principles. 5. Maintain the quality of personal information about individuals this is whether they ask for information to be corrected or not. 6. If you no longer need information, make sure you can destroy it or de identify it as is appropriate. 7. Transparency is key in relation to each of: a. Privacy Policies; b. Notification of collection of personal information; c. Use and disclosure; d. Access to personal information; and e. Inadvertent or mistaken disclosures. Contact Us Damian Ward Partner Commercial Litigation & IP T: (02) E: dward@millsoakley.com.au Vera Visevic Partner Not for Profit T: (02) E: vvisevic@millsoakley.com.au Page 5