Please join Mike Up with Michael Dalichau. A conversation with expert business leaders. Michael has a conversation with leaders via his podcast, providing another channel for connection during the complex changes facing the Australian Aged Care Industry. Michael believes the inner pull to change and the external need for change are linked. Based on the data we analyse at Mirus Australia and meetings with business leaders, it’s our experience that many are feeling overwhelmed by the noise and current demands across the entire aged care system. Mike Up provides continued education and bite-sized information that is easy to digest and challenges people to keep asking questions, discover more and consider what needs to be changed.
Michael has a conversation with Alec Christie, Partner & Asia Pacific Digital Law Leader at EY.
What is the Australian Privacy Law?
“The Australian Privacy Principles are not a set of guidelines or a nice-to-have; they are law. The Australian Privacy Principles, which are attached to the Privacy Act (1988), have 13 overarching principles in terms of managing people’s personal information. There are three (3) key ‘Cannots’ to consider when thinking about the Australian Privacy Principles:
- You cannot collect any personal information that you want. The information has to be tied to a business purpose, your reason for being.
- You cannot do what you want with personal information once you have collected it. You have to tell me what you are collecting and how you will be using my information (within the legal context of item 1).
- You cannot keep personal information for as long as you want. Once used for its notified purpose for collection, if there is no legal requirement to keep it, it must be deleted or de-identified.
Any information that can reasonably identify a person, whether a fact or an opinion, is subject to the Privacy Act. Health or sensitive information has an even higher threshold, and you require consent in order to collect and use it. For example: “Can I collect this information from you? This is what I am going to do with your information, and this is how I am going to use it. Do you consent to this?””
What are other industries doing to adhere to the Australian Privacy Principles and the Privacy Act?
“Industry comparisons can be both interesting and a little bit scary, depending on how mature your industry is. For example, Financial Services have a compliance culture and generally are reasonably good at privacy compliance. Organisations that are involved in the online environment are generally good as well. However, in my experience, there are many small to medium-sized organisations that require assistance. They may not fully understand what the APPs require or are finding them difficult to implement, and they have many other things to invest in, so why bother with privacy? Unfortunately, privacy management in Australia is a little “patchy”, but with a $2.1m fine and mandatory data breach notification, there is nowhere to hide anymore.”
Alec, you attended the Global Privacy Summit in Washington, DC in 2017 and said that only about 50% of businesses would be ready for the data breach notification change in 2018. It’s 2019; how are we doing?
“I am sad to report it’s only about 55–60% of Australian businesses that are compliant. Perhaps a good 80% of financial services, but everyone else is behind because notifiable data breaches have caused so much confusion. Unfortunately, Aged Care and Health Care are generally as low as 40% compliant because it has not been a priority in these sectors. The Tertiary Education space, as an example, has jumped ahead due to a couple of nasty incidents which have forced changes on them. Unfortunately, human services related businesses, apart from a couple of exceptions, are way behind.”
And what are some of the macro trends you are seeing?
“Locally, the inability to manage Notifiable Data Breaches is a macro trend. It has been over a year now and there hasn’t been that much improvement. The introduction of the General Data Protection Regulation (GDPR) in Europe is the ‘high-water’ mark of privacy, with really aggressive principles and obligations. It’s like a pebble causing ripples in a pond, and we all look to Europe in terms of privacy; except for the US, our lineage comes from European law. This ripple has impacted regulators’ aggressiveness and it has filtered into the interpretation of our privacy law. So, European law may not apply to us today but, ultimately, over the next 2–5 years it will. Meanwhile, due to the extraterritoriality of GDPR, if you are caught by GDPR, it’s a privacy tidal wave in terms of privacy requirements. Or Australian privacy law on steroids, a quantum leap from where we are now. On average, companies in the US that are caught by GDPR are spending between 1–2 million dollars just to get ready for it.”
Thank you for joining us, Alec. Please join us for Privacy at First Sight (Part 2): How do providers gain compliance, with Alec Christie.
Alec Christie is the Asia Pacific Digital Law Leader at EY, a practice that covers data privacy, IP and IT, and has been recognised as a “Leading Lawyer” in each of these areas since 1998. Alec has been awarded by Best Lawyers Australia as one of Australia’s best (i) Outsourcing lawyers and (ii) Data Privacy & Security lawyers. He has also been recognised by Who’s Who Legal as one of Australia’s best Information Technology lawyers, specifically known for privacy. Alec has particular expertise in providing Digital Law solutions in the financial services, health/life sciences, online media and entertainment sectors and Government across the Asia Pacific region. If you’d like us to talk about a specific topic with an expert business leader, please request a podcast here!