Copyright © 2013 by K&L Gates. All rights reserved.
Getting privacy compliance right
Vanessa Baic
Senior Associate
1
Good and not-so-good news!
2
Good news!
• Aware of the importance of proper handling of information
• Strong compliance culture
• Process driven
Not-so-good news…
• Repeated “mistakes”
3
What is today about?
• Privacy 101
• The Golden Rules
• Implementation
4
Privacy 101
The basics
5
Privacy 101 – The information lifecycle
6
[Diagram: the information lifecycle (COLLECT, USE/DISCLOSE, STORE), with the COLLECTION stage highlighted]
9
Personal information means information or an opinion about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is:
• true or not; and
• recorded in a material form or not
Sensitive information includes race, ethnic origin, political opinions, membership of professional/trade associations, religious or philosophical beliefs, sexual preferences, criminal history and health information
Health information includes:
• information or an opinion about the health or disability of an individual or a health service provided to, or to be provided to, an individual
• other PI collected to provide, or in providing, a health service
10
[Diagram, built up over four slides: the information lifecycle (COLLECT, USE/DISCLOSE, STORE), showing COLLECTION, then DISCLOSURE to hospitals, CDMP providers, IT service providers, mail houses and ancillary providers, then ACCESS]
Privacy 101 – New laws
• 10 National Privacy Principles replaced with 13 Australian Privacy Principles
• The Commissioner’s powers have been increased
• New laws commence on 12 March 2014
15
The Golden Rules
What you need to know to comply with the current and new laws
16
Collection Rules
17
18
Do not collect PI unless you need it
• You must not collect PI unless the information is necessary for one or more of your functions or activities
• eg. Membership application form
19
20
Obtain consent before collecting sensitive information
• An organisation must not collect SI about an individual unless (amongst other things) the individual has consented
• eg. Information from a CDMP provider
21
Provide a collection statement before or at the time of collection
22
Collection statements – current requirements:
• Your identity and how to contact you
• The fact he/she can gain access to the information
• The purposes for which the information is collected
• The organisations (or types of organisations) to which you usually disclose information of that kind
• Any law that requires or authorises the particular information to be collected
• The main consequences (if any) for the individual if all or part of the information is not provided
Collection statements – additional requirements:
• Whether you collect PI about the individual from a third party and the circumstances of that collection
• The fact that your privacy policy contains information about how the individual may:
  • access and correct PI
  • complain about a breach of the APPs and how you will deal with such a complaint
• Whether you are likely to disclose PI overseas and, if so, the countries where such recipients are likely to be located
23
Are you properly providing collection statements and obtaining necessary consents?
Members?
Healthcare providers?
24
25
Collecting unsolicited information
• Decide within a reasonable period whether you could have collected the PI if you had solicited it
• If you could not have collected the PI, and it is not contained in a “Commonwealth record”, destroy or de-identify it
• If you could have collected the PI, then the APPs apply
26
Use and Disclosure Rules
27
Use and disclosure
• Do not use or disclose PI about an individual for a purpose (the secondary purpose) other than the primary purpose of collection without consent unless:
  • The secondary purpose is related to the primary purpose of collection (directly related in the case of SI)
  • The individual would reasonably expect you to use or disclose the information for the secondary purpose
• eg. CDMP programs
28
Direct marketing
New “prohibition” on direct marketing – APP 7.1, unless one of the following applies:
APP 7.2
• information collected from individual
• reasonably expect use or disclosure
• opt out options
• has not opted out
APP 7.3
• information collected from individual
• not reasonably expect use or disclosure
• impracticable to obtain consent
• opt out options
• prominent statement or draw attention to opt out
• has not opted out
APP 7.3
• information collected from third party
• consent or impracticable to obtain consent
• opt out options
• prominent statement or draw attention to opt out
• has not opted out
Actions – review collection notices and information collection methods
29
Disclosure overseas
30
Disclosure overseas (cont.)
APP 8 – New accountability approach to cross border disclosure of personal information
If: disclosure of personal information to overseas recipient
Exceptions (APP 8.1 does not apply):
• Overseas recipient subject to similar principles as APPs and enforcement action available
• Individual consents to disclosure after being expressly informed that APP 8.1 will not apply
Implication:
• Must take reasonable steps to ensure compliance of APPs by the overseas recipient – contractual obligation, audit
• Sender is potentially liable for misuse by overseas recipient!
31
Disclosure overseas (cont.)
Privacy in Asia – indicative examples (rated Weak / Medium / Strong)
• Singapore – draft bill
• China
• Bangladesh
• Pakistan
• Sri Lanka
• Nepal
• Hong Kong
• Macau
• India
• Philippines
• Thailand
• Vietnam
• Malaysia – legislation still to come into force
• South Korea
• Taiwan
• Japan
32
Storage and Disposal Rules
33
34
Storage and disposal
• You must take reasonable steps to protect PI:
  • from misuse, interference and loss
  • from unauthorised access, modification or disclosure
• You must take reasonable steps to destroy or permanently de-identify PI if you do not need it
• Take care of other obligations to retain information
35
Other Rules
36
[Diagram: corporate group chart – Parent Co. with ABC Health Insurance, ABC Insurance, ABC Life Insurance, ABC General Insurance, XYZ Health Insurance, XYZ Healthcare, XYZ Allied Health and XYZ CDMP]
37
You are not one big happy family!
• Related bodies corporate exemption does not apply where:
  • SI is concerned
  • the related body corporate is overseas
38
You need to have robust privacy processes and policies
• Standard operating procedures
• Privacy policy
39
Privacy policy
• The kinds of PI you collect and hold
• How you collect and hold PI
• The purposes for which you collect, hold, use and disclose PI
• How an individual can access PI held by you and seek correction of such PI
• How an individual can complain about a breach of the APPs and how you will deal with the complaint
• Whether you are likely to disclose PI overseas and, if so, the countries in which such recipients are likely to be located
40
Implementation
What should you do to comply?
41
Implementation: What should you do?
1. Identify all relevant PI/SI flows now and after 12 March 2014
2. Prepare and confirm “information flows” document based on the above
3. Assess and report on privacy compliance
4. Prepare (or update) privacy policy and collection statements (incorporating consents)
5. How will you notify individuals of changes to your privacy policy and collection statements?
6. Implement transborder transfer agreements
7. Prepare a standard operating procedure
8. Train the privacy officer(s) and delegates
9. Train relevant staff
10. Refresher and induction training programs
11. Regular review and updating of privacy policy and collection statements (and consents)
42
Why bother?
• Because you cannot afford not to!
• What will adverse publicity do for your business?
• New powers afforded to the Commissioner
53
Commissioner’s new powers
Office of the Australian Information Commissioner:
• Investigate complaints about interference with privacy
• Monitoring related functions – security and accuracy of credit reports
• Conduct an assessment relating to APPs
• Apply to Federal Court for civil penalty orders
• Request copy of privacy impact assessment from an agency
• Accept enforceable undertakings
• Undertake investigations and order actions
54
Questions
Further information
Vanessa Baic
Senior Associate
K&L Gates
Phone: +61 9205 2046
vanessa.baic@klgates.com
www.klgates.com

 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

Vanessa Baic

• 1. Getting privacy compliance right
Vanessa Baic, Senior Associate
Copyright © 2013 by K&L Gates. All rights reserved.

• 3. Good and not-so-good news!
Good news!
 Aware of the importance of proper handling of information
 Strong compliance culture
 Process driven
Not-so-good news…
 Repeated “mistakes”

• 4. What is today about?
 Privacy 101
 The Golden Rules
 Implementation

• 6. Privacy 101 – The information lifecycle

• 10. Definitions
Personal information means information or an opinion about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is:
• true or not; and
• recorded in a material form or not
Sensitive information includes race, ethnic origin, political opinions, membership of professional/trade associations, religious or philosophical beliefs, sexual preferences, criminal history and health information
Health information includes:
• information or an opinion about the health or disability of an individual, or a health service provided to, or to be provided to, an individual
• other PI collected to provide, or in providing, a health service

• 12. The information lifecycle (diagram)
Stages: COLLECT – USE/DISCLOSE – STORE
Third parties: Hospitals, CDMP providers, IT service providers, Mail houses, Ancillary providers
Flows shown: COLLECTION (information coming in), DISCLOSURE (information going out to the third parties)

• 13. The information lifecycle (diagram, continued)
Same stages, third parties and flows as slide 12, with a further flow shown: ACCESS (third parties accessing the information)

• 15. Privacy 101 – New laws
 10 National Privacy Principles replaced with 13 Australian Privacy Principles
 The Commissioner’s powers have been increased
 New laws commence on 12 March 2014

• 16. The Golden Rules
What you need to know to comply with the current and new laws

• 19. Do not collect PI unless you need it
 You must not collect PI unless the information is necessary for one or more of your functions or activities
 e.g. Membership application form

• 21. Obtain consent before collecting sensitive information
 An organisation must not collect SI about an individual unless (amongst other things) the individual has consented
 e.g. Information from a CDMP provider

• 22. Provide a collection statement before or at the time of collection

• 23. Collection statements
Current requirements:
 Your identity and how to contact you
 The fact that he/she can gain access to the information
 The purposes for which the information is collected
 The organisations (or types of organisations) to which you usually disclose information of that kind
 Any law that requires or authorises the particular information to be collected
 The main consequences (if any) for the individual if all or part of the information is not provided
Additional requirements (under the new laws):
 Whether you collect PI about the individual from a third party and the circumstances of that collection
 The fact that your privacy policy contains information about how the individual may:
  • access and correct PI
  • complain about a breach of the APPs, and how you will deal with such a complaint
 Whether you are likely to disclose PI overseas and, if so, the countries where such recipients are likely to be located

• 24. Are you properly providing collection statements and obtaining necessary consents?
Members? Healthcare providers?

• 26. Collecting unsolicited information
 Decide within a reasonable period whether you could have collected the PI if you had solicited it
 If you could not have collected the PI, and it is not contained in a “Commonwealth record”, destroy or de-identify it
 If you could have collected the PI, then the APPs apply

• 28. Use and disclosure
 Do not use or disclose PI about an individual for a purpose (the secondary purpose) other than the primary purpose of collection without consent unless:
  • the secondary purpose is related to the primary purpose of collection (directly related in the case of SI); and
  • the individual would reasonably expect you to use or disclose the information for the secondary purpose
 e.g. CDMP programs

• 29. Direct marketing
New “prohibition” on direct marketing – APP 7.1, unless one of the following applies:
APP 7.2:
• information collected from the individual
• the individual would reasonably expect the use or disclosure
• opt-out options provided
• the individual has not opted out
APP 7.3 (information collected from the individual):
• the individual would not reasonably expect the use or disclosure
• impracticable to obtain consent
• opt-out options provided
• prominent statement, or attention drawn to the opt-out
• the individual has not opted out
APP 7.3 (information collected from a third party):
• consent obtained, or impracticable to obtain consent
• opt-out options provided
• prominent statement, or attention drawn to the opt-out
• the individual has not opted out
Actions – review collection notices and information collection methods

• 31. Disclosure overseas (cont.)
APP 8 – New accountability approach to cross-border disclosure of personal information
If: disclosure of personal information to an overseas recipient, unless:
• the overseas recipient is subject to similar principles as the APPs and enforcement action is available; or
• the individual consents to the disclosure after being expressly informed that APP 8.1 will not apply
Implication:
• Must take reasonable steps to ensure compliance with the APPs by the overseas recipient – contractual obligation, audit
• Sender is potentially liable for misuse by the overseas recipient!

• 32. Disclosure overseas (cont.)
Privacy in Asia – indicative examples, as presented on the slide in three columns from Weak to Medium to Strong:
• Singapore – draft bill
• China
• Bangladesh
• Pakistan
• Sri Lanka
• Nepal
• Hong Kong
• Macau
• India
• Philippines
• Thailand
• Vietnam
• Malaysia – legislation still to come into force
• South Korea
• Taiwan
• Japan

• 35. Storage and disposal
 You must take reasonable steps to protect PI:
  • from misuse, interference and loss
  • from unauthorised access, modification or disclosure
 You must take reasonable steps to destroy or permanently de-identify PI if you do not need it
 Take care of other obligations to retain information

• 37. Corporate group (diagram)
Parent Co., with related bodies corporate: ABC Health Insurance, ABC Insurance, ABC Life Insurance, ABC General Insurance, XYZ Health Insurance, XYZ Healthcare, XYZ Allied Health, XYZ CDMP

• 38. You are not one big happy family!
 Related bodies corporate exemption does not apply where:
  • SI is concerned
  • the related body corporate is overseas

• 39. You need to have robust privacy processes and policies
 Standard operating procedures
 Privacy policy

• 40. Privacy policy
 The kinds of PI you collect and hold
 How you collect and hold PI
 The purposes for which you collect, hold, use and disclose PI
 How an individual can access PI held by you and seek correction of such PI
 How an individual can complain about a breach of the APPs and how you will deal with the complaint
 Whether you are likely to disclose PI overseas and, if so, the countries in which such recipients are likely to be located

• 42. Implementation: What should you do?
1. Identify all relevant PI/SI flows now and after 12 March 2014
2. Prepare and confirm an “information flows” document based on the above
3. Assess and report on privacy compliance
4. Prepare (or update) privacy policy and collection statements (incorporating consents)
5. How will you notify individuals of changes to your privacy policy and collection statements?
6. Implement transborder transfer agreements
7. Prepare a standard operating procedure
8. Train the privacy officer(s) and delegates
9. Train relevant staff
10. Refresher and induction training programs
11. Regular review and updating of privacy policy and collection statements (and consents)
• 53. Why bother?
 Because you cannot afford not to!
 What will adverse publicity do for your business?
 New powers afforded to the Commissioner

• 54. Commissioner’s new powers
Office of the Australian Information Commissioner:
• Investigate complaints about interference with privacy
• Monitoring-related functions – security and accuracy of credit reports
• Conduct an assessment relating to the APPs
• Apply to the Federal Court for civil penalty orders
• Request a copy of a privacy impact assessment from an agency
• Accept enforceable undertakings
• Undertake investigations and order actions

• 55. Questions
Further information:
Vanessa Baic, Senior Associate, K&L Gates
Phone: +61 9205 2046
vanessa.baic@klgates.com
www.klgates.com