Bowen Buchbinder Vilensky

Archive for the ‘Privacy Law’ Category

Privacy Law for Schools – Does your School Pass the 10 Point Data Security Checklist?
Wednesday, February 25th, 2015


By Les Buchbinder, Director at Bowen Buchbinder Vilensky Lawyers

25 February 2015

Changes to Australia’s Privacy Act in March 2014 have important implications for all government agencies, including schools, in the way that they collect, store and manage personal information.

Schools should consider the following 10 points relating to personal information and sensitive information which comes into their possession.

  1. Risk assessment – identifying the security risks to personal information held by the school and the consequences of a breach of security;
  2. Privacy impact assessments – evaluating, in a systematic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations;
  3. Policy development – developing a policy or a range of policies that implement measures, practices and procedures to reduce the identified risks to information security;
  4. Staff training – training staff and managers in security and fraud awareness;
  5. The appointment of a responsible person or position – creating a designated position within the school to deal with issues of data security and data security breaches as well as issues of confidentiality. This position could have responsibility for establishing policy and procedures, staff training, audits and investigating and responding to alleged or suspected breaches;
  6. Technology – implementing privacy and security technologies to ensure that personal information held by the school is secured, including through such measures as access control, copy protection, intrusion protection and robust encryption systems;
  7. Monitoring and review – monitoring compliance with the security policy, periodically assessing new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place;
  8. Appropriate contract management – conducting appropriate due diligence when services (especially data storage services) are contracted, particularly in terms of the IT security policies and practices that a service provider has in place, and monitoring compliance with these policies through periodic audits;
  9. Notification as a reasonable security safeguard – this follows from the above measures, especially with regard to policy development and monitoring and review. Whilst it is not a requirement under the Act to notify anybody of a data breach, as part of the obligations to keep personal information secure, it would be prudent to do so. In some instances it may even be a reasonable or necessary step in the protection of information against misuse, loss, unauthorised access, modification or disclosure;
  10. Policies and protocols should be developed in relation to what information will be collected by the school from parents and students and possibly any other relevant third parties (such as doctors, hospitals etc.) and set out how such information is to be stored and secured, who is to be provided access to it and in what circumstances. Such policies should also prescribe forms to be completed by parents and guardians of students authorising the school to release specific or necessary information in urgent or emergency circumstances (such as to a hospital or a doctor) and, where necessary, to provide any required personal or sensitive information to known third parties. This will provide clarity to the school, school management and staff, and parents as to what information is and is not able to be collected or released by the school and in what circumstances.

All privacy and confidentiality policies, protocols and documents should be carefully and regularly reviewed and updated as required. Furthermore, there should be a reasonably robust enforcement process implemented to ensure that the established policies and protocols are observed, because failure to do so can prove extremely stressful and expensive.

The above list is general in nature.  For specific advice on how the Privacy Act may affect your school, contact Bowen Buchbinder Vilensky Lawyers at (08) 9325 9644 or email us at info@bbvlegal.com.au.


Key Amendments to the Privacy Act: How They Affect your Business
Friday, January 16th, 2015


By Les Buchbinder, Director at Bowen Buchbinder Vilensky

16 January 2015

Amendments to the Privacy Act were made in March 2014.  Even though some time has passed since then, I am still often approached by client companies and their advisers asking what the amendments mean to them.

If your organisation has a turnover of $3 million or more, or is a Government agency, it is an Australian Privacy Principle (APP) entity to which the amendments apply.

I hope you find the following summary of key amendments helpful.

Storage

Personal information must be handled in an open and transparent way.  Your organisation must have an up to date policy outlining management of personal information such as the kinds of information you collect and hold; how you hold it; what you use it for; how an individual may access Personal Identifying Information; and other such matters.

You must provide individuals with the option of dealing with your organisation anonymously or using a pseudonym.

Sensitive information must only be collected with an individual’s consent and if the collection is reasonably necessary for one or more of your organisation’s functions or activities.  Examples of sensitive information are: race or ethnic origin; political opinions; religious beliefs or affiliations; sexual orientation; health record; biometric information; and others.

Personal Identifying Information cannot be used or disclosed for any purpose other than the reason for which it was gathered, without the consent of the individual.  A company cannot, for example, gather information purportedly for a health survey, then use it to market products to people.

Process

APP entities must notify individuals about the access, correction and complaints processes in their privacy policies.  These must include an opt-out mechanism in relation to direct marketing.

Individuals must be granted access to the personal information an organisation holds on them. Where such information is incorrect, the organisation should take reasonable steps to ensure it is accurate, up to date, complete, relevant and not misleading.

Protection

Organisations must take ‘reasonable steps’ to protect Personal Identifying Information from misuse, interference and loss and unauthorised access, modification or disclosure.  What are ‘reasonable steps’?  The kinds of issues that would be reviewed include how the information is stored (hard copy or electronically); the likely harm to the data subject if a breach occurred; and the size of an organisation.

Cloud computing

The increasing use of storage via cloud computing, often using providers based in foreign jurisdictions, also has implications for APP entities. This is an important and highly relevant subject on which I published a blog earlier this week.

Summary

Changes to the Privacy Act have important implications for all Australian organisations which store personal information and which have turnovers of more than $3 million, or are Government agencies. The information in this blog is necessarily general in nature. For specific advice on how these amendments may affect your organisation, it is best to seek advice from a lawyer with specialist experience in this practice area.


Cloud Storage – What is the Legal Position in Australia?
Tuesday, January 13th, 2015


By Leslie Buchbinder, Director at Bowen Buchbinder Vilensky Lawyers

13 January 2015

Many of us use cloud storage routinely these days as a quick and inexpensive way to keep and share photos and documents.  Increasingly, private and public sector organisations are using cloud storage too.  But it’s important to know that there are legal implications in the way that organisations store personal information.

Changes to the Privacy Act made in March 2014 are directly relevant to all Australian organisations with a turnover of $3 million or more, or which are Government agencies. Such an organisation is described as an Australian Privacy Principle (APP) entity, and the Privacy Act applies to the way that it gathers, stores and uses personal information.

On the specific subject of using cloud facilities to store information, organisations should be aware of the following.

The Privacy Act applies to Cloud service providers whether they are located in Australia or overseas. For example, a Cloud provider must give users access to their personal information upon request, must take reasonable steps to secure personal information from misuse, interference or unauthorised access, and must delete information that is no longer needed for the purpose for which it was originally collected.

People may be concerned that the offshore locations where data is stored may not have privacy laws similar to those in Australia.  Organisations who use such Cloud servers should be aware of amendment APP8 which regulates the disclosure or transfer of personal information to a different entity (including a parent entity) offshore.  APP8 requires that before disclosing personal information to an overseas recipient, an Australian organisation must:

  • Take reasonable steps to make sure that the overseas recipient will not breach the APPs and the Australian organisation will be accountable for such a breach; or
  • Make it known to the relevant individual(s) that his or her information will not be protected by the APPs after the disclosure to the overseas recipient and obtain the individual’s consent to the disclosure, or form a reasonable belief that the overseas recipient is subject to laws substantially similar to the APPs.

What is a ‘reasonable belief’?  The obtaining of independent legal advice by an organisation in regards to foreign privacy protections will provide a strong basis for a ‘reasonable belief.’

Summary

If your organisation is an APP entity and you are thinking of using a cloud storage provider, be aware that you are responsible for ensuring compliance with Australia’s Privacy Act. If the cloud provider in question is based off-shore, you would be well-advised to seek legal advice to ensure that the provider is subject to laws substantially similar to those which operate in Australia.


Keeping It Private – Are You Ready For The Privacy Law Changes?
Wednesday, February 19th, 2014


By Les Buchbinder, Director at Bowen Buchbinder Vilensky Lawyers

19 February 2014

We see more and more cases of unwanted and unlawful access by third parties (hackers) to business computer systems and the personal and confidential information held in them. This can result in significant harm to those individuals whose personal and confidential information held in the computer system is accessed and later misused. This can, for example, be where a hacker steals a person’s online identity and later accesses bank accounts to steal money or incurs debt in the name of the victim, or it may be less sinister, in the form of the negligent disclosure of personal information to third parties.

The Federal Privacy Act addresses these issues and seeks to protect the public from such loss and harm. There are a number of significant changes to the Federal privacy laws which will come into effect on 12 March 2014. Significantly, these changes include (but are not limited to):

  1. The introduction of uniform privacy principles to regulate the handling of personal information by Australian government agencies and businesses. These will impact on most businesses, which will need to ensure they are compliant;
  2. Increased enforcement powers for the Privacy Commissioner to, among other things, accept enforceable undertakings, seek civil penalties of up to $340,000 for individuals and $1.7 million for companies in the case of serious or repeated breaches of privacy, and conduct assessments of privacy performance for both Australian government agencies and businesses;
  3. The recognition of external dispute resolution schemes, changes to credit reporting laws and the introduction of codes of practice.

Businesses will need to ensure that they comply with the new regime by 12 March 2014.

In doing so, businesses will need to consider whether they handle “personal information” or “sensitive information” as defined in the new Act. If they do, then they will need to ensure that “reasonable steps” are taken to implement the new practices, procedures and systems requirements.

These steps should include:

  1. Reviewing and/or updating the business’s privacy policy;
  2. Updating the business’s privacy statement on any website that it operates;
  3. Reviewing practices, procedures and systems for the collection, use, disclosure, updating, notification and storage of information;
  4. Implementing practices, procedures and systems to allow others to interact with the business anonymously;
  5. Updating existing staff training and other business operation manuals to cater for the new practices, procedures and systems, and to identify and manage privacy risk;
  6. Carefully reviewing and, if necessary, amending business contract and subcontract documentation to ensure compliance with the new regime;
  7. Reviewing and identifying whether there are any risks to the directors and officers of the business for possible breaches of the new laws. This should factor in the Privacy Commissioner’s increased powers and the penalties that may be imposed on those guilty of breaches of the new privacy laws as well as the fact that a breach of the new privacy laws; and
  8. Undertaking a review of the existing insurance cover of the business to identify and remedy any gaps in cover.

These new changes (especially the penalties) will force businesses to be more attentive to data protection and to preventing the inadvertent release of electronic personal information of customers, third parties and even employees held on computer systems under their control.

Failure to do so could prove damaging to reputation and very expensive!


Can I Record my Telephone Conversations for Use in Court?
Tuesday, February 11th, 2014


By Leslie Buchbinder, Director at Bowen Buchbinder Vilensky Lawyers

11 February 2014

A recording of a telephone conversation can be useful to help to resolve a dispute in Court. Are there any restrictions on me doing so?

There are only a very limited number of occasions when a private telephone conversation can be secretly recorded lawfully.

An article in the West Australian newspaper on 11 February 2014, referring to criminal charges against Perth lawyer Lloyd Rayney accusing Mr Rayney of aiding or abetting interference with his late wife’s telephone lines before her death, highlights this question.

There are both Federal and State laws which control the recording of telephone conversations.

At a Federal level, recording a telephone conversation may contravene the Telecommunications (Interception and Access) Act 1979.  This Act expressly prohibits the interception, without the knowledge of the person making the communication, of a communication passing over a telecommunications system.

At State level, in Western Australia the Surveillance Devices Act 1998 regulates the use of listening devices, optical surveillance devices and tracking devices. Under this Act it is an offence to use, install or maintain:

  • listening devices to record or listen to a private conversation;
  • optical surveillance devices to record visually or observe a private activity; or
  • tracking devices to determine the geographical location of a person.

This Act does not prevent employers, for example, from using surveillance devices in the workplace, as long as they are not being used to record private conversations or private activities.

A breach of the Federal or State laws may amount to an offence and result in prosecution action being taken against the person or persons recording the conversation (and those knowingly participating in doing so) by the relevant Federal or State authorities and the imposition of significant fines and the recording of a criminal conviction against the person.

Additionally, a breach of these laws may (depending on a variety of considerations, including the particular Court jurisdiction concerned) render the recording itself inadmissible in evidence and therefore unable to be relied upon in Court.

The temptation to secretly record telephone conversations for later use as evidence must be resisted. Failure to do so can not only result in the whole exercise becoming futile (because in the end the recording may be excluded from being considered by the Court), but it may well leave you exposed to being prosecuted and fined a significant sum for a breach of the Federal and/or State laws controlling the recording of telephone conversations.
