LexisNexis Practical Guidance®

In order to mitigate the risk of privacy issues, cyber security threats and achieve data resilience, it is important to take a proactive approach to privacy.

This means thinking critically about privacy during the planning and implementation stages of a project. As discussed in Implementing a privacy by design approach, privacy by design is essential to proactive management of privacy issues.

A privacy impact assessment (PIA) is an essential part of implementing new projects in order to achieve privacy by design.

A PIA is a systematic evaluation of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

See Conducting a privacy impact assessment.

For any new project where personal information is collected, it is vital to consider the issue of consent. Consent is relevant to the operation of a number of Australian Privacy Principles (APPs). In some APPs, consent is an exception to a general prohibition against personal information being handled in a particular way (for example, an APP entity can only collect “sensitive information” if an individual consents, unless an exception applies. In others, consent provides authority to handle personal information in a particular way (for example, sensitive information cannot be used for marketing with out express consent and obtaining express consent after disclosure that the relevant information will not be protected by APP1 allows disclosure of personal information overseas).

The Information Commissioner has made clear that consent is a particular regulatory focus. She has stated publicly that “The practical application of concepts of fairness and the role of consent will be central to the future of privacy in Australia. It is a key issue that unites my regulatory priorities and, accordingly, I also think it should be a key focus point for every organisation moving forward.”

Given these statements, consent, when relied on as a basis for complying with the Privacy Act needs to be carefully considered by organizations.

Separately, once an APP entity collects personal information from an individual, APP 5 — Notification of the collection of personal information requires that the individual be notified of certain mandatory issues.

See Obtaining consent to collect personal information.

In this subtopic, you will learn:

• •the key elements of a PIA (see Conducting a privacy impact assessment);
• •about planning and conducting a PIA (see Conducting a privacy impact assessment); and
• •key issues to consider regarding obtaining consent (see Obtaining consent to collect personal information).

This subtopic will be useful for in-house and external practitioners:

• •wanting to understand what a PIA is;
• •who are required to conduct and/or draft a PIA;
• •who are required to provide advice on privacy issues for new projects or changes within an organisation;
• •who need to assess issues regarding consent; and
• •who need to draft a collect statement which complies with APP 5 — Notification of the collection of personal information in respect of collecting personal information from individuals.

At the most basic level, direct marketing involves the use of personal information to promote goods and services.

Direct marketing can occur via many different channels and take on many different forms, from:

• • sophisticated targeted online campaigns;
• • promoting a new product range via electronic message; or
• • soliciting customer feedback (and gently spruiking a new service) via phone to good old-fashioned snail mail.

Whether you are advising a client on the launch of a new product range, or the organisation you work for is rolling out a global client feedback survey with an option to upgrade to the latest software service package, direct marketing is likely to be an issue you are going to have to tackle at some point.

The direct marketing landscape provided for under APP 7 — Direct marketing is very customer/consumer-focused. In fact, direct marketing is prohibited, unless an exception applies.

In addition, direct marketing has become more complex due to the engagement of third parties to execute direct marketing campaigns or facilitate back-end technical support (eg cloud-based solutions for an SMS marketing campaign).

In any case, engaging third party providers and entrusting them, in many cases, with your most valuable data (your customer or client lists) increases the cyber security risks. There is an increased risk of misuse, interference and loss, as well as unauthorised access, modification or disclosure of such personal information.

In addition, even if you do engage in direct marketing, the customer/consumer focus of APP 7 — Direct marketing has strict mandatory opt-out provisions.

If you breach APP 7 — Direct marketing because you have engaged in direct marketing when you did not have the right to, or you failed to include mandatory opt-outs or failed to implement an opt-out, not only could you be in breach of Australian privacy laws, but the risk of reputational damage and loss of customer base is significant.

In this subtopic you will learn:

• • when can an organisation engage in direct marketing (see Identifying sources of obligations for direct marketing and Engaging in direct marketing);
• • the application of the direct marketing regime and other related laws such as the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth) (see Engaging in direct marketing);
• • issues to consider when engaging third party contractors and how to mitigate cyber security risks (see Engaging in direct marketing); and
• • how to construct mandatory opt-outs across various direct marketing channels (see Constructing direct marketing messages and mandatory unsubscribe facilities).

Today, organisations have access to more data than ever before. “Big data” is the new normal as organisations collect data across a broad range of channels such as apps, email, and web browsing. That data is then harnessed to provide valuable business insight.

Online behavioural advertising describes a wide range of activities companies engage in to collect information about users’ online activity (such as webpages visited, links clicked and online transaction history) which is subsequently used to show more tailored or relevant content and advertisements.

See Identifying the form(s) of online behavioural advertising.

Sometimes the data collected is not personal information in the traditional sense (such as your name, phone and contact details), but rather generic information linked to an online identifier which is used to collect information unique to you (if you log-in), your browser (if you accept cookies) or to your devices (where device ID is tracked) then used to make inferences based on online activity (such as your age group and potential interests).

See Deciding what types of personal information are used.

Vast amounts of data can be collected and stored and information from various sources aggregated together to provide a picture of a person, their behaviour and their preferences. Where descriptive and/or predictive data is associated with a persistent identifier that relates to a unique individual, the individual is identified and the information is “personal information” and regulated by the Privacy Act 1988 (Cth).

See Cookies, online behavioural advertising, aggregate data and complying with the Privacy Act.

In this subtopic, you will learn about:

• •different forms of online behavioural advertising;
• •how to determine if personal information is being collected;
• •what to do if personal information is being collected; and
• •risks associated with trying to aggregate and de-identify personal information for data analytics.