18.1 How do businesses typically respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies? The APRA is responsible for regulating powers in accordance with CPS 231 and CPS 234. For an APRA-regulated institution, if in APRA's view, an offshoring agreement (including an offshoring agreement for the processing of data) involves risks that the APRA-regulated institution is not managing appropriately, APRA may require the APRA-regulated institution to make other arrangements for the outsourced activity as soon as practicable.
7.5 What information must be included in the registration/notification (e.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes)? This includes messages that: The DNCR Act covers telephone calls and fax messages sent to an Australian number.
or its officer or employee. Describe how employers typically obtain consent or provide notice. This is defined as a number that is specified in the numbering scheme referred to in s. 454A of the Telecommunications Act 1997 (Cth) or in the numbering plan referred to in s. 455 of the Telecommunications Act 1997 (Cth) which is for use in connection with the supply of carriage services to the public in Australia. the overseas recipient is exempt from complying, or is authorised to not comply, with part, or all of the privacy or data protection law in the jurisdiction; or. an unincorporated association that has its central management and control in Australia or an external Territory. In this instance, ASIC instigated proceedings against an Australian Financial Service (AFS) licence holder on the basis that it failed to appropriately manage its cyber security risks. For government agencies, the Government Agencies APP Code requires an agency to keep the OAIC notified in writing of the contact details for the agency's privacy officer, or if an agency has more than one privacy officer, for one of its privacy officers. covers common issues including relevant legislation and competent authorities, territorial scope, key principles, individual rights, registration formalities, appointment of a data protection officer and processors. or can it be general (e.g., providing a broad description of the relevant processing activities)? 7.2 If such registration/notification is needed, must it be specific (e.g., listing all processing activities, categories of data, etc.) However, electronic messages by government bodies, political parties and charities may be exempt from this prohibition. a person whose continued presence in Australia is not subject to a time limitation imposed by law; a partnership formed in Australia or an external Territory; a trust created in Australia or an external Territory; a body corporate incorporated in Australia or an external Territory; or.
In industries covered by the CDR scheme (see details under question 18.2 below), the CDR accreditation requirement is mandatory for all entities that receive consumer-specific data, including foreign legal entities that are subject to the Competition and Consumer Act 2010 (Cth). See also further discussion of other principles in the answers below. Right to complain to the relevant data protection authority(ies). 7.11 Is there a publicly available list of completed registrations/notifications? 17.3 Describe the data protection authority's approach to exercising those powers, with examples of recent cases. The Privacy Act does not distinguish between data controllers and data processors. 7.10 Can the registration/notification be completed online? Individuals have the right to lodge privacy complaints with the OAIC if they are concerned that their personal information has been mishandled. The following exceptions apply to personal information (not sensitive information): Under the Spam Act, express or inferred consent is required for the sending of an electronic message (see section 16). See also further details in the last bullet point under question 5.1 above.
These agencies, as well as APP entities, must not use the personal information for a purpose other than that for which it was collected, unless certain exemptions apply, such as the individual having consented to the use of the information. In addition, some industries, such as buses and taxis, operate under industry-specific laws that regulate their use of CCTV. the organisation or operator carries out business in Australia or an external Territory; and. If the entity determines that it could not have done so, then it should destroy or de-identify the information in accordance with APP 4. The monitoring of employees is regulated at the state level. The Corporations Act 2001 (Cth) (Corporations Act) provides protections for whistle-blowers who report misconduct or an improper state of affairs or circumstances in relation to a regulated entity(ies) (including companies, banks, insurers, etc.) 7.1 Is there a legal obligation on businesses to register with or notify the data protection authority (or any other governmental body) in respect of its processing activities? The judgment found that through its installation and/or management of cookies on devices of Australian users, Facebook was deemed to be carrying on business in Australia and therefore subject to Australian privacy law. However, this is not applicable to information held by a government agency that is required or authorised by law not to disclose the information, or where an organisation reasonably believes that the disclosure of such information would be a serious threat to the health or safety of others, or would cause detriment to one's privacy. Businesses are required to comply with APP 6 for any disclosure of personal information and APP 8 for cross-border disclosure of personal information.
Organisations should take care to destroy any personal information they collected with respect to COVID-19 once it is no longer needed for the purpose for which it was collected. the personal information has been directly collected from an individual in a manner reasonably expected to be used for direct marketing (APP 7.2); or, the personal information has been collected from a third party, or from an individual who would not reasonably expect their personal information to be used for direct marketing, and either the individual has consented to the direct marketing or it is impracticable to obtain that consent (APP 7.3); and. APP 11.3 requires an entity to take reasonable steps to destroy or de-identify personal information if it no longer needs the personal information for any purpose for which the information may be used or disclosed under the APPs. APP 1 requires an APP entity to have a clearly expressed privacy policy which must contain information on how an individual may (i) access personal information about the individual that is held by the entity and seek the correction of such information, and (ii) complain about a breach of the APPs and how the entity will deal with such a complaint. It imposes an obligation on APP entities to implement practices, procedures and systems to ensure the organisation is APP compliant.
ASIC made use of historical forensic cybersecurity reports which raised significant gaps in the company's cybersecurity systems before the incident occurred, which may indicate a failure to remedy a known risk (and thus poor, if any, risk management). In addition, entities in industries covered by the CDR regime (with the first implementation being in the financial sector) also have accreditation obligations. The entity must do so as soon as practicable after completing the statement. The current maximum penalties as a result of court action for the infringement of the DNCR Act or the Spam Act, respectively, are AU$2.22 million per day for a body corporate and AU$444,000 per day for a person that is not a body corporate. an in-depth understanding of the Privacy Act and the Government Agencies APP Code, and the ability to translate these requirements into practice in the agency; and. However, an APP entity will need to establish (on a case-by-case basis) whether an individual under the age of 18 has the capacity to consent. The maximum penalty for data security breaches under the Privacy Act is currently AU$2.22 million for a body corporate. However, these considerations require further guidance from the EU and developments are being monitored by the OAIC. CDR accreditation under the CDR scheme is in respect of the receipt and holding of CDR data.
With respect to anonymous reports, ASIC has noted that it will not be able to follow up with anonymous whistle-blowers for further information or steps to be taken. The entity must prepare a statement that sets out the identity and contact details of the entity, a description of the eligible data breach, the kinds of information concerned, and recommendations of the steps that individuals should take in response. Yes, other general legislation that impacts data protection includes the following: There is also the following legislation at the state and territory level: 1.3 Is there any sector-specific legislation that impacts data protection? CPS 231 sets out the minimum matters that must be addressed by the outsourcing agreement, including: 10.1 Please describe any legislative restrictions on the sending of electronic direct marketing (e.g., for marketing by email or SMS, is there a requirement to obtain prior opt-in consent of the recipient?).
Furthermore, in mid-2019, the OAIC accepted an undertaking from a company that was connected to Federal Parliament to use the information collected in relation to Parliament and subsequently contact those persons without their consent. The OAIC launched proceedings against Facebook Inc. in March 2020 in relation to the use and disclosure of personal information collected through the use of the "This is Your Digital Life" application. are sent by an individual or organisation who is physically present in Australia, or whose central management is in Australia, at the time of sending; have been accessed by a computer, server or device located in Australia; are connected to an account-holder that is present in Australia when the message is accessed; or. As a general rule, an individual under the age of 18 has the capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. In the past 12 months, enforcement actions against entities that systemically and repeatedly breach legislative instruments that protect customer and public data have been on the rise. The phrase "Data Subject" is not used in the Privacy Act. There are no registration requirements in relation to the transfer of personal data. 9.2 If it is necessary to enter into an agreement, what are the formalities of that agreement (e.g., in writing, signed, etc.)? However, it must comply with APP 7.3.
11.2 Do the applicable restrictions (if any) distinguish between different types of cookies? 8.4 Can a business appoint a single Data Protection Officer to cover multiple entities? 15.2 Is consent or notice required? APP 13 permits an individual to require an entity to correct the personal information it holds about them. Additionally, the CDR regime (discussed further under section 7 below) includes provisions regarding the definition of a CDR consumer where a person is identifiable (or reasonably identifiable) from data relating to the person because of the supply of a good or service to the person or one of the person's associates.
7.3 On what basis are registrations/notifications made (e.g., per legal entity, per processing purpose, per data category, per system or database)? APP 3.5 restricts APP entities to collecting personal information only by lawful and fair means. for a body corporate, a maximum civil penalty amount being the greater of: if the relevant court can determine the value of the benefit obtained from the contravention, three times the value of that benefit; or, if the court cannot determine the value of that benefit, 10% of the body corporate's annual turnover in the year preceding the contravention; or. There is no qualification generally required by law in Australia. In response to this, the OAIC made a submission on 11 December 2020 which included a recommendation to amend APP 1 to require entities to appoint a privacy officer(s) and ensure that privacy officer functions are undertaken. 8.1 Is the appointment of a Data Protection Officer mandatory or optional? Such secondary purpose should: APP 3 stipulates that personal information must not be collected unless it is reasonably necessary for: Furthermore, APP 11 requires personal information to be destroyed/de-identified where an entity no longer requires the information for any purpose for which the information may be used or disclosed under the APPs. Among other proposed changes, penalties and means of enforcement for breaches under the Privacy Act are set to increase as follows: Another hot topic which has been on the data protection regulator's radar is the rise in "data graveyards", including in relation to the redundant holding of sensitive information in light of the COVID-19 pandemic. S. 9 of the DNCR Act also expressly states that it extends to acts, omissions and matters outside Australia. APP 7.1 encompasses not only the regulation of the use of personal information for direct marketing but also its disclosure for this purpose.
While it is not a legislative requirement to enter into an agreement, doing so would be good practice to address the type of personal information being processed, the purpose for its disclosure, the complaints handling process, compliance with the APPs and the implementation of a data breach response plan. APP 2 provides that individuals must have the option of dealing anonymously or by pseudonym with an APP entity, unless the APP entity is otherwise required by law or it is impracticable for the APP entity to provide such an option. This would permit a person in a specific position in a government agency to be designated as the privacy officer of multiple government agencies. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expect(s) voluntary breach reporting. Separately, in January 2020, a telecommunications provider was fined over AU$150,000 for breaching the DNCR Act by making telemarketing calls to numbers on the Do Not Call Register without consent and not ending the calls when immediately asked. Once an individual has withdrawn consent, an APP entity can no longer rely on that past consent for any future use or disclosure of the individual's personal information. See question 11.3 for more detail on this case. It further stipulates timeframes in which an entity must respond to an individual's request to access their data. If it is not clear whether the circumstances amount to an eligible data breach, the entity must carry out an assessment and take all reasonable steps to ensure that the assessment is completed within 30 days. 16.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? In respect to the CDR regime, accreditation through the ACCC is a pre-requisite to receiving or holding CDR data. The relevant concept is phrased as "APP entity", which means an agency or organisation.
The processing of personal information is restricted by APPs 3, 6, 7 and 8 as to how, and the purposes for which, personal information is used and disclosed (including for any direct marketing or disclosure overseas). 13.2 Is anonymous reporting prohibited, strongly discouraged, or generally permitted? In respect to the CDR regime, under s. 56CE of the Competition and Consumer Act 2010 (Cth).
ICLG - Data Protection Laws and Regulations
The SLACIP Act introduces a new obligation for responsible entities to create and maintain a critical infrastructure risk management programme. If so, what are the relevant factors? 11.1 Please describe any legislative restrictions on the use of cookies (or similar technologies). 10.3 Please describe any legislative restrictions on the sending of marketing via other means (e.g., for marketing by telephone, a national opt-out register must be checked in advance; for marketing by post, there are no consent or opt-out requirements, etc.). a process for reviewing the programme and keeping the programme up to date. The Privacy Act protects the personal information of individuals, which is defined to mean natural persons.
12.1 Please describe any restrictions on the transfer of personal data to other jurisdictions.
An eligible whistle-blower is protected under the Corporations Act if disclosure is made to the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority, a prescribed Commonwealth authority or eligible recipients including an officer, senior manager, auditor, actuary or any other person authorised by the regulated entity to receive such disclosures, or to a legal practitioner for the purpose of obtaining legal advice or representation relating to such protection. Stakeholders in the data space have taken note of a renewed interest in the use of director duties as a tool to hold accountable those at the highest level who fail to practise and implement proper cybersecurity measures. an understanding of any other legislation that governs the way the agency handles personal information. An individual has the right to withdraw their consent to the use of their personal information. Under APP 4, if an APP entity receives unsolicited personal information, the entity must determine whether it could have solicited and collected the information under APP 3. An organisation is defined in the Privacy Act as: that is not a small business operator, a registered political party, an agency, or an authority or prescribed instrumentality of a State or Territory. As part of the APP Guidelines, the OAIC has provided some guidance to businesses relating to disclosure to foreign law enforcement agencies in connection with APP 8. For APP 8.2(a), the APP Guidelines mention that an overseas recipient may not be subject to a law or binding scheme where, for example: For APP 8.1(b), the APP Guidelines set out that the APP entity should provide the individual with a clear written or oral statement explaining the potential consequences of providing consent to the cross-border disclosure. The passing of the SLACIP Act would constitute the second tranche of the Security of Critical Infrastructure laws (SOCI Laws). 
There is no requirement for works councils, trade unions or employee representatives to be notified or consulted. Anthony Borgese At the time of writing, the public listing of accredited data recipients is available here: (Hyperlink). There is no general requirement by law on the responsibilities of the Data Protection Officer. one or more of an organisation's functions or activities. for a person other than a body corporate, imprisonment of five years and/or a maximum civil penalty amount of AU$500,000. Moving forward, Australian directors should take note of such developments and are encouraged to meet their obligations by having the board enquire as to and oversee their company's cybersecurity risk management framework and the measures in place.
the organisation provides a simple means by which the individual may easily opt out of such direct marketing in each direct marketing communication and the individual has not so opted out. In connection with how these requirements may be met, the. For actors in the infrastructure space, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) introduces a new obligation for responsible entities to create and maintain a critical infrastructure risk management programme (RMP). For instance, in the State of New South Wales, the operator of a bus or taxi service must ensure that signs are conspicuously placed within and on the outside of a bus or taxi advising persons that they may be under video surveillance. The primary judge granted the OAIC leave to serve Facebook Inc and Facebook Ireland overseas. Whistle-blowers are protected by the Corporations Act from civil, criminal or administrative liability, contractual or other remedy, contractual termination or victimisation. Yes; the Privacy Act requires the entity, if practicable to do so, to take reasonable steps to notify the contents of the statement described above to each individual to whom the information relates or who is at risk from the eligible data breach. In connection with government agencies, the OAIC published a Privacy Officer Toolkit in which it recommends a privacy officer to have: 8.6 What are the responsibilities of the Data Protection Officer as required by law or best practice?