HOW DO REFORMS TO THE PRIVACY ACT IMPACT THE PHARMACEUTICAL INDUSTRY? MADELEINE KEARNEY, SPECIAL COUNSEL Privacy Law Update

Upload: informa-australia

Post on 29-Jun-2015

DESCRIPTION

Madeleine Kearney delivered the presentation at 2014 Pharmaceutical Law Conference. The Pharmaceutical Law Conference is the foremost meeting place and networking hub of the pharmaceutical law industry, and the only pharmaceutical law event in the Asia-Pacific region. The 2014 event highlights included pharma law reform, IP, competitive strategies, industry transparency, sustainable drug pricing and patenting life sciences and more. For more information about the event, please visit: http://www.informa.com.au/pharmalawevent14

TRANSCRIPT

Page 1: Madeleine Kearney, Gadens Lawyers - Privacy Law Update – How do reforms to the Privacy Act impact the pharmaceutical industry?

HOW DO REFORMS TO THE PRIVACY ACT IMPACT

THE PHARMACEUTICAL INDUSTRY?

MADELEINE KEARNEY, SPECIAL COUNSEL

Privacy Law Update

Brief History

• The Privacy Amendment (Enhancing Privacy Protection) Act 2012 commenced on 12 March 2014.
• Represents the end point of a law reform process that started in 2004 when the A-G requested the Privacy Commissioner to undertake a review of the provisions of the Privacy Act 1988 applying to the private sector.

Summary of Reforms

• Old National Privacy Principles and Information Privacy Principles replaced by new Australian Privacy Principles (APPs) which apply to both private and public sector organisations.
• Enhanced investigation and enforcement powers (including introduction of pecuniary penalties of up to $1.1 million).
• Other changes not relevant to pharmaceutical industry (eg, credit reporting).

“Personal information”

• Definition of “personal information” (section 6 Privacy Act 1988):
  “information or an opinion about an identified individual, or an individual who is reasonably identifiable”
• Examples of personal information collected/held by pharmaceutical companies subject to Privacy Act:
  ‒ Customers (eg, patient support programs, competitions/promotions for OTC products, pharmacovigilance);
  ‒ Participants in clinical trials;
  ‒ Healthcare professionals.

APPs

• The more things change, the more they stay the same….
  ‒ With some important exceptions (discussed later) the new APPs largely echo the old National Privacy Principles.
  ‒ Underlying principle of “informed consent” – businesses are (and were) required to be open and transparent regarding how they collect, use and share individuals’ personal information.
  ‒ Does not expressly deal with challenges arising from new technology.

APPs

• Privacy policies/statements
  ‒ APP 1 imposes more prescriptive requirements regarding content of privacy policy, eg:
    • Information regarding how an individual may complain about a breach of the APPs and how the entity will deal with the complaint;
    • Whether the entity is likely to disclose personal information to overseas recipients and if so, the countries where such recipients are likely to be located (if practicable).
  ‒ APP 5 imposes additional requirements regarding content of disclosures to be made when collecting personal information.

APPs

• Privacy policies (cont.)
  ‒ Companies must take reasonable steps to make their privacy policy available free of charge in an appropriate form or in the form requested by an individual – in most cases it will need to be made available on the company’s website.
  ‒ ACTION
    • Review privacy policy against requirements of APPs and ensure available on website.
    • Identify other privacy disclosure documents (eg, informed consent documents for clinical trials) to ensure compliance with disclosure obligations.

APPs

• Unsolicited personal information
  ‒ APP 4 introduces new requirements regarding unsolicited personal information.
  ‒ General principle is that unsolicited personal information must be afforded same privacy protection as solicited personal information.
  ‒ ACTION
    • Analyse potential sources of unsolicited personal information:
      › Eg letters, emails, social media.
    • Develop policies and procedures for dealing with unsolicited personal information.

APPs

• Direct marketing:
  ‒ New APP 7 deals exclusively with direct marketing
    • Previous approach was that direct marketing activities were dealt with as exceptions (general and specific) to the general requirement that personal information can only be used for primary purpose of collection in NPP 2
    • In practice, however, despite increased emphasis on direct marketing, little change in substance particularly when provisions of Spam Act 2003 taken into account:
      › Now, in all cases where personal information used for direct marketing, companies must provide a simple means by which an individual can request not to receive direct marketing.

APPs

• Direct marketing (cont.)
  ‒ ACTION
    • Review direct marketing practices to ensure that they comply with APPs
    • Note “direct marketing” is not defined in Privacy Act but likely includes both consumer directed marketing practices (OTC products) and marketing activities directed at healthcare professionals (prescription products).

APPs

• Transborder data flows:
  ‒ Very significant change.
  ‒ Previous position was that transfer of personal information to a foreign country permissible where (among other things):
    “the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles”.
  ‒ Previously any issues could be overcome by entering into a contract with overseas recipient requiring recipient to comply with the National Privacy Principles.

APPs

• Transborder data flows (cont):
  ‒ Not so easy any more! New approach under APP 8:
    • APP 8.1 provides that before disclosing information to an overseas recipient the entity must take “such steps that are reasonable” to ensure that the recipient does not breach the APPs.
      › HOWEVER – even when an organisation takes reasonable steps to ensure the recipient complies with APPs, under the deeming provisions of section 16C it may be liable for any breach by the recipient.
    • Very limited exceptions to deeming provisions, the most significant of which is informed consent to the transfer.

APPs

• Transborder data flows (cont):
  ‒ “Reasonable belief” exception now only available where:
    “the entity reasonably believes that… the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and …. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme”.
  ‒ Is “disclosing” different to “transferring”?
    • Could impact where information hosted in Australia but accessed overseas

APPs

• Transborder data flows (cont):
  ‒ ACTIONS
    • Carefully review circumstances where information may be “disclosed” overseas and revise privacy consents accordingly.
    • Existing information:
      › Unlikely to be practical to retrospectively seek consent:
        » Consider whether purpose can be achieved using de-identified data
        » Review data storage and offshoring arrangements to ensure complies with new requirements:
          • Status of encrypted data?

Enforcement

• Introduction of civil penalty of up to $1.1 million where:
  ‒ the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or
  ‒ the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
• Breach of an APP amounts to an interference with privacy.

Enforcement

• Other enhancements to Commissioner’s enforcement powers include:
  ‒ Audit powers.
  ‒ Ability to accept enforceable undertakings.
  ‒ Binding privacy codes - power to request that entities develop and register an APP code, or the Commissioner can develop and register the code him/herself.

Data breach notification requirement?

• Currently no mandatory requirement for businesses to notify affected individuals/government of data security breaches, however, this may change in short to medium term.
• ALRC has recommended that a mandatory data security breach notification be introduced – rationale is that notification requirement will allow affected individuals to take steps to limit adverse impacts of breach (eg, by changing passwords).
• Privacy Amendment (Privacy Alerts) Bill 2014 was introduced on 20 March 2014 – reintroduction of previously lapsed 2013 bill.

Data breach notification requirement?

• Not clear whether the Bill will pass in its current form (or at all) however the concept of a mandatory data breach notification does appear to have bipartisan support.
• If passed will impose a reporting requirement where a serious data breach occurs:
  ‒ Both government and significantly affected individuals will need to be notified.
• Watch this space!

Questions?

Madeleine Kearney

Special Counsel, Sydney

T +61 2 9931 4801

E [email protected]