Madeleine Kearney, Gadens Lawyers - Privacy Law Update – How do reforms to the Privacy Act impact...
DESCRIPTION
Madeleine Kearney delivered this presentation at the 2014 Pharmaceutical Law Conference. The Pharmaceutical Law Conference is the foremost meeting place and networking hub of the pharmaceutical law industry, and the only pharmaceutical law event in the Asia-Pacific region. The 2014 event highlights included pharma law reform, IP, competitive strategies, industry transparency, sustainable drug pricing, patenting life sciences and more. For more information about the event, please visit: http://www.informa.com.au/pharmalawevent14
TRANSCRIPT
HOW DO REFORMS TO THE PRIVACY ACT IMPACT THE PHARMACEUTICAL INDUSTRY?
MADELEINE KEARNEY, SPECIAL COUNSEL
Privacy Law Update
Brief History
• The Privacy Amendment (Enhancing Privacy Protection) Act 2012 commenced on 12 March 2014.
• Represents the end point of a law reform process that started in 2004 when the A-G requested the Privacy Commissioner to undertake a review of the provisions of the Privacy Act 1988 applying to the private sector.
Summary of Reforms
• Old National Privacy Principles and Information Privacy Principles replaced by new Australian Privacy Principles (APPs), which apply to both private and public sector organisations.
• Enhanced investigation and enforcement powers (including introduction of pecuniary penalties of up to $1.1 million).
• Other changes not relevant to the pharmaceutical industry (eg, credit reporting).
“Personal information”
• Definition of “personal information” (section 6, Privacy Act 1988):
“information or an opinion about an identified individual, or an individual who is reasonably identifiable”
• Examples of personal information collected/held by pharmaceutical companies subject to the Privacy Act:
‒ Customers (eg, patient support programs, competitions/promotions for OTC products, pharmacovigilance);
‒ Participants in clinical trials;
‒ Healthcare professionals.
APPs
• The more things change, the more they stay the same…
‒ With some important exceptions (discussed later), the new APPs largely echo the old National Privacy Principles.
‒ Underlying principle of “informed consent” – businesses are (and were) required to be open and transparent regarding how they collect, use and share individuals’ personal information.
‒ Does not expressly deal with challenges arising from new technology.
APPs
• Privacy policies/statements
‒ APP 1 imposes more prescriptive requirements regarding the content of the privacy policy, eg:
• Information regarding how an individual may complain about a breach of the APPs and how the entity will deal with the complaint;
• Whether the entity is likely to disclose personal information to overseas recipients and, if so, the countries where such recipients are likely to be located (if practicable).
‒ APP 5 imposes additional requirements regarding the content of disclosures to be made when collecting personal information.
APPs
• Privacy policies (cont.)
‒ Companies must take reasonable steps to make their privacy policy available free of charge in an appropriate form or in the form requested by an individual – in most cases it will need to be made available on the company’s website.
‒ ACTION
• Review privacy policy against requirements of the APPs and ensure it is available on the website.
• Identify other privacy disclosure documents (eg, informed consent documents for clinical trials) to ensure compliance with disclosure obligations.
APPs
• Unsolicited personal information
‒ APP 4 introduces new requirements regarding unsolicited personal information.
‒ General principle is that unsolicited personal information must be afforded the same privacy protection as solicited personal information.
‒ ACTION
• Analyse potential sources of unsolicited personal information:
› Eg letters, emails, social media.
• Develop policies and procedures for dealing with unsolicited personal information.
APPs
• Direct marketing:
‒ New APP 7 deals exclusively with direct marketing
• Previous approach was that direct marketing activities were dealt with as exceptions (general and specific) to the general requirement in NPP 2 that personal information can only be used for the primary purpose of collection
• In practice, however, despite the increased emphasis on direct marketing, there is little change in substance, particularly when the provisions of the Spam Act 2003 are taken into account:
› Now, in all cases where personal information is used for direct marketing, companies must provide a simple means by which an individual can request not to receive direct marketing.
APPs
• Direct marketing (cont.)
‒ ACTION
• Review direct marketing practices to ensure that they comply with the APPs
• Note “direct marketing” is not defined in the Privacy Act but likely includes both consumer-directed marketing practices (OTC products) and marketing activities directed at healthcare professionals (prescription products).
APPs
• Transborder data flows:
‒ Very significant change.
‒ Previous position was that transfer of personal information to a foreign country was permissible where (among other things):
“the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles”.
‒ Previously any issues could be overcome by entering into a contract with the overseas recipient requiring the recipient to comply with the National Privacy Principles.
APPs
• Transborder data flows (cont):
‒ Not so easy any more! New approach under APP 8:
• APP 8.1 provides that before disclosing information to an overseas recipient the entity must take “such steps that are reasonable” to ensure that the recipient does not breach the APPs.
› HOWEVER – even when an organisation takes reasonable steps to ensure the recipient complies with the APPs, under the deeming provisions of section 16C it may be liable for any breach by the recipient.
• Very limited exceptions to the deeming provisions, the most significant of which is informed consent to the transfer.
APPs
• Transborder data flows (cont):
‒ “Reasonable belief” exception now only available where:
“the entity reasonably believes that… the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and …. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme”.
‒ Is “disclosing” different to “transferring”?
• Could impact where information is hosted in Australia but accessed overseas
APPs
• Transborder data flows (cont):
‒ ACTIONS
• Carefully review circumstances where information may be “disclosed” overseas and revise privacy consents accordingly.
• Existing information:
› Unlikely to be practical to retrospectively seek consent:
» Consider whether the purpose can be achieved using de-identified data
» Review data storage and offshoring arrangements to ensure they comply with the new requirements:
• Status of encrypted data?
Enforcement
• Introduction of a civil penalty of up to $1.1 million where:
‒ the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or
‒ the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
• Breach of an APP amounts to an interference with privacy.
Enforcement
• Other enhancements to the Commissioner’s enforcement powers include:
‒ Audit powers.
‒ Ability to accept enforceable undertakings.
‒ Binding privacy codes - power to request that entities develop and register an APP code, or the Commissioner can develop and register the code him/herself.
Data breach notification requirement?
• Currently no mandatory requirement for businesses to notify affected individuals/government of data security breaches; however, this may change in the short to medium term.
• ALRC has recommended that a mandatory data security breach notification be introduced – the rationale is that a notification requirement will allow affected individuals to take steps to limit the adverse impacts of a breach (eg, by changing passwords).
• Privacy Amendment (Privacy Alerts) Bill 2014 was introduced on 20 March 2014 – a reintroduction of the previously lapsed 2013 bill.
Data breach notification requirement?
• Not clear whether the Bill will pass in its current form (or at all); however, the concept of a mandatory data breach notification does appear to have bipartisan support.
• If passed, it will impose a reporting requirement where a serious data breach occurs:
‒ Both government and significantly affected individuals will need to be notified.
• Watch this space!