mdcc: privacy and trade practices - 29 october 2014
Privacy and Trade Practices Presentation by Andrew Seaton at the Miranda and Districts Chamber of Commerce
Privacy and Trade Practices Presentation Andrew Seaton 29 October 2014
Purpose of Session
To provide you with an understanding of key provisions of the Privacy Act, the Privacy reforms and the Australian Privacy Principles (APPs)
To assist you in identifying existing practices and procedures that may involve a breach of your privacy obligations
Today’s Program
Privacy & NPP
1. Overview of the Privacy Act + Privacy reforms
2. The APPs (replacing the NPPs)
3. Complaints + enforcement
Trade Practices
4. Brief overview of the Competition and Consumer Protection legislation
5. Consumer Guarantees
6. Unfair Contracts
7. Powers of the ACCC
8. Compliance
Personal information
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Questions to ask yourself:
• Is the information or opinion about an individual?
• Could a person identify the individual from the information?
• Could someone find out to whom the information refers?
If ‘yes’ – it is personal information.
Personal information
Examples of personal information:
• Name
• Address
• Date of birth
• Phone number
• Financial details
• Skin type
Sensitive information
Sensitive information is a subset of personal information and includes the following information about a person:
• racial or ethnic origin
• political opinions
• religious beliefs or affiliations
• sexual preferences or practices
• criminal record or health information about an individual
• genetic information that is not health information.
Employee record exemption
Section 7B(3): An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt… if the act or practice is directly related to:
a) a current or former employment relationship between the employer and the individual; and
b) an employee record held by the organisation and relating to the individual.
* Does not cover unsuccessful applicants
Privacy reforms
• New Australian Privacy Principles (APPs) replace the existing National Privacy Principles (NPPs)
• Complaints handling
• Cross border protection
• Consequences for privacy breaches
• + powers for privacy commissioner
APPs
Managing personal information (APP1-2)
Collecting personal information (APP3-5)
Dealing with personal information (APP6-9)
Integrity of personal information (APP10-11)
Accessing and correcting personal information (APP12-13)
APP1 – Open and Transparent Management of Personal Information
• You must take reasonable steps to implement practices, procedures and systems that will ensure you comply with the APPs and are able to deal with related inquiries and complaints.
• You must have a clearly expressed and up-to-date privacy policy about how you manage personal information.
• You must take reasonable steps to make the privacy policy available free of charge and in an appropriate form (usually on the website).
• You must, upon request, take reasonable steps to provide a person or body with a copy of your privacy policy in the particular form requested.
APP2 – Anonymity and Pseudonymity
• APP 2 provides that individuals must have the option of dealing anonymously or by pseudonym.
• You are not required to provide those options where:
• it is required or authorised by law or a court to deal with identified individuals; or
• it is impracticable for you to deal with individuals who have not identified themselves.
APP3 – Collection of Solicited Personal Information
• You must not collect personal information unless it is reasonably necessary for one or more business functions or activities.
• You must not collect sensitive information unless it is reasonably necessary for one or more business functions or activities and you get consent.
APP4 – Dealing with Unsolicited Personal Information
• Unsolicited personal information: information received where you have taken no active step to collect it.
• If you receive unsolicited personal information which could not have been collected under APP 3 (i.e. not reasonably necessary for business activities), you must destroy or de-identify it as soon as practicable.
APP5 – Notification of the Collection of Personal Information
At or before the time (or otherwise as soon as practicable after) you collect personal information, you must take reasonable steps to notify the individual of:
• your identity and contact details;
• whether you collected the information from someone else and how you collected it;
• the purposes for which you collect the information;
• the identity of any party to whom you disclose information; and
• whether you are likely to disclose the information to overseas recipients and, if so, the countries to which the information will be sent.
APP6 – Use or Disclosure of Personal Information
• You can only use or disclose personal information for the purpose you collected it (primary purpose).
• You can use / disclose information for a secondary purpose related to the primary purpose if:
• the person would reasonably expect the secondary purpose; or
• the person has consented to the secondary use or disclosure.
APP7 – Direct Marketing
• You must not use or disclose personal information for the purpose of direct marketing unless an exception applies.
• When you are permitted to use or disclose personal information for the purpose of direct marketing, you must always:
• allow an individual to request not to receive direct marketing communications (also known as ‘opting out’); and
• comply with that request.
• You must, if requested by the individual, tell them the source of their personal information.
APP8 – Cross-Border Disclosure of Personal Information
• When disclosing personal information to an overseas recipient, you must take reasonable steps to ensure that the overseas recipient does not breach the APPs unless:
• the individual consents to the disclosure and waives their rights; or
• you reasonably believe that the overseas recipient is subject to laws substantially similar to the APPs/Privacy Act (expensive to check and monitor).
APP8 – Cross-Border Disclosure of Personal Information
• An act or practice engaged in by the overseas recipient would otherwise be taken to have been done or engaged in by you and it could be a breach of the APPs by you.
• Reduce risk + liability:
• obtain consents from individuals to disclosure; OR
• require overseas recipients to comply with APPs and provide an indemnity.
APP9 – Adoption, Use or Disclosure of Government Related Identifiers
Adoption of government related identifiers
1. You must not adopt a government related identifier of an individual as your own identifier.
Use or disclosure of government related identifiers
2. The prohibition above does not apply if the use or disclosure of the identifier:
• is reasonably necessary for you to verify the identity of the individual for the purposes of your activities or functions;
• is reasonably necessary for you to fulfil your obligations to an agency or a State or Territory authority; or
• is required / authorised by or under an Australian law or a court/tribunal order.
APP10 – Quality of Personal Information
• You must take reasonable steps to ensure that the personal information you collect is accurate, up-to-date and complete.
• You must take reasonable steps to ensure that the personal information you use and disclose is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
2 Primary Obligations
APP11 – Security of Personal Information
1. If you hold personal information, you must take reasonable steps to protect the information:
• from misuse, interference and loss; and
• from unauthorised access, modification or disclosure.
2. You must take reasonable steps to destroy or de-identify the personal information held if:
• you hold personal information about an individual and no longer need the information for the primary purpose;
• the information is not contained in a Commonwealth record; and
• you are not required by or under an Australian law, or a court/tribunal order, to retain the information.
APP12/13 – Access + Correction
1. You must, on request, allow a person to access and correct their personal information.
2. You do not need to grant access if:
• giving access would have an unreasonable impact on the privacy of other individuals;
• the request is frivolous or vexatious; or
• giving access would reveal evaluative information in connection with a commercially sensitive decision-making process.
APP12/13 – Access + Correction
3. Obligation to ensure personal information held is accurate, up-to-date, complete and not misleading.
4. You must respond to requests for access or correction within a reasonable period after the request is made.
5. If you refuse an access or correction request, you must give a written notice stating the reasons for the refusal (if reasonable) and the complaint mechanism available (The Privacy Commissioner).
Privacy complaints
1. The OAIC will not investigate privacy complaints if:
• there is no breach of the Privacy Act;
• you have not been given 30 days to respond;
• the complainant has known about the events for >12 months; or
• the complaint lacks substance.
2. The OAIC will generally try to conciliate the matter.
3. The process may take 3 – 6 months to resolve.
4. The Commissioner may order you to apologise, pay compensation or change your practices.
Privacy enforcement
• The Commissioner also has a range of enforcement powers and other remedies available, including:
• conducting investigations – investigating and monitoring compliance with the Privacy Act and making assessments of privacy performance;
• accepting court enforceable undertakings – undertakings to take or refrain from taking specified actions; and
• seeking civil penalties – Federal Court orders in the case of serious or repeated breaches of privacy.
Enforcing the Privacy Act
What happens if you breach an APP?
• Where an act or practice occurs on or after 12 March 2014 and breaches an APP in relation to personal information about an individual, this is an interference with the privacy of the individual (s 13(1) of the Privacy Act).
New penalties
• The Federal Court will have the power to award significant civil penalties for serious or repeated breaches of privacy:
• up to $1.7m for bodies corporate; and
• up to $340k for individuals.
APPs Summary
A. Managing Personal Information (APPs 1-2)
• APP1 – Open and transparent management of personal information
• APP2 – Anonymity and pseudonymity
B. Collecting Personal Information (APPs 3-5)
• APP3 – Collection of solicited personal information
• APP4 – Dealing with unsolicited personal information
• APP5 – Notification of the collection of personal information
C. Dealing with Personal Information (APPs 6-9)
• APP6 – Use or disclosure of personal information
• APP7 – Direct marketing
• APP8 – Cross-border disclosure of personal information
• APP9 – Adoption, use or disclosure of government related identifiers
D. Integrity of Personal Information (APPs 10-11)
• APP10 – Quality of personal information
• APP11 – Security of personal information
E. Accessing and Correcting Personal Information (APPs 12-13)
• APP12 – Access to personal information
• APP13 – Correction of personal information
4. Australia’s Competition and Consumer Protection Legislation
1 January 2011 – Competition and Consumer Act (CCA)
CCA replaces 17 existing national, state and territory laws – including the old Trade Practices Act
One uniform consumer protection law across all States and Territories
4. Australia’s Competition and Consumer Protection Legislation
New and revised provisions:
Consumer guarantees regime
Unfair contract regime
National product safety and enforcement system
National laws for sales practices
National rules for lay-by agreements
New powers of the ACCC
4. Reasons for Understanding CCA and Australian Consumer Law (ACL)
• Professionalism
• Avoid costly problems
o Penalties and legal costs
o Compliance costs
• Avoid damage to brand
• Consumer safety
4. ACCC and Fines
The ACCC is active in its enforcement of the law.
o Has powers to order production of documents, emails, etc, to request executives and employees to answer questions and to enter premises (with a warrant) and seize documents
Fines for companies
o Up to $10 million
Personal fines
o Up to $500,000
5. Consumer Guarantees: Goods
CONSUMER GUARANTEE – GOODS
• Acceptable quality
• Fit for purpose
• Match the description
• Match the sample or demonstration model
• Repair and spare parts available for reasonable time
• Service provided with due care and skill
• Express warranty of the Manufacturer to be complied with by the Supplier
• Clear title
5. Consumer Guarantees - Goods
• Exist regardless of, and in addition to, any express warranty
• Fit for all purposes for which they are commonly used and any purposes which have been represented
5. Acceptable Quality
Acceptable Quality means:
o Safe, durable and free from defects
o Acceptable in appearance and finish
o Fit for purpose
5. Consumer Guarantees
This includes the Manufacturer’s written warranties.
A seller must honour any warranties provided to the Customer in writing at the point of sale.
5. What you cannot say about Consumer’s Rights
• You cannot tell a customer that a consumer guarantee:
o does not exist
o may be excluded
o may not have a particular effect
5. No Refund Signs
Unlawful signs:
“No refunds”
“No refund on sale items”
“Exchange or credit note only for return of sale items”
Lawful signs:
“No refund will be given if you have simply changed your mind”
5. Major Breach
• Goods would not have been acquired if customer was aware of the failure
• Significant departure from the description or sample
• The products are unsafe
• The products are substantially unfit for their normal purpose
• Defect cannot be fixed within a reasonable period
5. Major and Minor Breaches - Remedies
Major: Customer can choose a refund or replacement. You must collect the goods at your expense.
Minor: Customer can require you to rectify the failure or you can choose to refund or replace.
5. Consumer Guarantees - Services
CONSUMER GUARANTEE – SERVICES
• Due Care and Skill
• Provided within a Reasonable Time
• Must reasonably achieve the desired result made known by the Customer to the supplier
5. Consumer Guarantees - Services
• Must use an acceptable level of skill or technical knowledge when providing the services
• Must be fit for any purpose specified by the customer
• Take all necessary care to avoid loss or damage when providing the services
5. Consumer Guarantees - Services
What services are covered?
> $40k
• Services that cost more than $40,000 that are for personal, domestic or household use
≤ $40k
• All other services that cost up to $40,000
Exception
• Services costing more than $40,000 which are for commercial/business use are exempt from the ACL
6. Unfair Contract Terms
• Applies to contracts that are entered into on, or after, 1 July 2010, and to terms of existing contracts that are renewed or changed on or after 1 July 2010
6. Unfair Contract Terms
• A term in a standard form consumer contract is unfair if:
o it would cause a significant imbalance in the parties’ rights and obligations arising under the contract; and
o the term is not reasonably necessary to protect the legitimate interests of the party who would be advantaged by the term; and
o it would cause detriment (whether financial or otherwise) to a party if it were to be applied or relied on
6. Unfair Contract Terms - Examples
• A term which allows you to avoid or limit performance of the contract
• A term that allows you, but not the Consumer, to terminate the contract
• A term that permits you to vary the terms of the contract whenever it suits you to do so
• A term that permits you to increase the upfront price without the Consumer having the right to terminate
• Terms imposing penalties for trivial breaches of a contract
6. Unfair Contract Terms – next steps
If you use any standard form consumer contracts, you should, if you have not done so already, comprehensively review the standard terms and conditions and make changes where necessary, to ensure compliance with the unfair contract terms provisions and the broader consumer protection requirements in the ACL.
7. Enforcing the ACL
7. ACCC Powers
ACCC can issue:
• Substantiation Notices
• Public Warning Notices
• Infringement Notices
7. ACCC
• Substantiation Notice
o 21 days to respond
• Public Warning Notice
o can be issued if a Substantiation Notice has been ignored
• Infringement Notice
o penalty amount will vary but likely to be $6,600 for a corporation and $1,320 for an individual
o once paid, ACCC cannot commence court proceedings
7. ACCC
Via Enforceable Undertakings
Corrective advertising
Compensation to consumer
Mandatory reporting to ACCC
7. ACCC
Via the Court
Compensation orders for injured persons
Refund of monies
Varying contracts
7. Penalties and Breaches of the CCA
Pecuniary penalty per offence:
• Up to $10 million for companies
• Up to $500,000 for individuals
Personal fines imposed on officers of the company
7. Penalties and Breaches of the ACL
Pecuniary penalty per offence:
• Up to $1.1 million for companies
• Up to $220,000 for individuals
Injunctions to prevent prohibited conduct continuing or being repeated
8. Reasons for Compliance
• Good corporate citizenship
• Minimises potential for loss of life or injury
• High cost for non-compliance
• The ACCC is very active in ensuring businesses do not breach the Act
• Reputation of Brand
9. Encouraging Compliance
• Check out www.accc.gov.au
• Check out your state fair trading office
• Ask questions BEFORE going ahead with promotions and sales
• If in doubt, double check!
Questions