display:none
12 Common Issues with Privacy Policies

12 Common Issues with Privacy Policies

12 Common Issues with Privacy Policies

1. Thinking a simple privacy policy template will do the job

For many small business owners, protecting the privacy of personal information just isn’t a priority. There are lots of reasons for that.

  • Not placing any value in a privacy policy or the protection of personal information
  • Not knowing what makes up personal information
  • Not realising when the business is collecting personal information
  • Not understanding what the business is doing with personal data after its collected
  • Thinking that publicly accessible data, like through Facebook or a website, means its ok to collect it
  • Not understanding the difference between privacy and confidentiality, or the importance of privacy
  • Having competing priorities – like the need to make money – that mean privacy always sits on the back burner

A template might work. It might not. If you never read it or attempt to understand it, it probably won’t help your business meet its legal obligations.

I have heard of a company that copied and pasted their privacy policy from a crematorium, without having read it. One of their customers pointed out to them that it was a little weird to read about burial when that wasn’t their business.

Are you prepared to put your credibility at risk?

If you don’t know what your obligations are, how do you know a simple template will protect your business?

2. Copying and pasting a policy from somewhere else

It is easy to check out a friend’s website or a competitor’s website and decide to simply copy and paste what they have done. A friend might even offer it. The problem with getting help from friends like that is that they probably don’t understand their own privacy policy or the legal impact it can have on your business.

I’ve even come across a business spruiking a service of theirs offering advertising through Facebook that simply linked the privacy policy of a random website they did not have any control over, not having read it, understood it or worried about the promises they were making by using that privacy policy and simply seeing it as a ‘hurdle’ to overcome to get their adds showing in as many feeds as possible.  That is potentially misleading and deceptive conduct offending both privacy law and consumer law.

If you haven’t read it or don’t understand it or are looking at a website from outside your country, don’t put your business at risk by copying and pasting a privacy policy from someone else’s website.

3. Thinking a cookie policy covers privacy obligations

Having a cookie policy or a cookie choice pop up on your website doesn’t meet your obligations to protect the privacy of personal information.

Cookies may not be classified as personal information but cookies can be functional (you won’t get full use of the website without them), performance focused (like analytics), focused on personalisation (like advertising based on your search history), or marketing focused.

Internet cookies are little data packets that store enough information to identify you when you return to a site for the purpose of say, pre-filling your username or password, or adjusting the display of a website, or advertising to better reflect your preferences. Cookies have to be matched with other data before they can be used to identify you and the information stored is not generally available for inspection. Cookie data may be collated to create a picture of who you are.

There was a ‘horror’ story that went around some years ago about a pregnant teenager being discovered by her family because her search history meant her parents got served advertising for pregnancy help.  The cookies didn’t identify her, but enable her parents to put two and two together.

Personal information is information about an individual which by itself identifies that individual, or with other information can be used to identify an individual. Types of personal information can include:

  • photo
  • name or alias
  • postal, street or electronic address
  • enrolment in a course
  • testimonial
  • biological samples
  • genetic data

So, a cookie pop up by itself just won’t cut it.

4. Never reading your own privacy policy

If you don’t know what your privacy policy says, how can you possibly be implementing the protections necessary to protect the personal information you are collecting?

How many businesses do you know have a blank page when you click on the privacy policy link in the footer of their website? Clearly they missed checking what was supposed to be written on that page. Your web developer or tech person is not responsible for you meeting your privacy obligations. They probably know marginally more than you do about your privacy obligations, are not lawyers and shouldn’t be uploading just anything for you.

5. Not understanding your own privacy policy

Privacy obligations only apply to information about real people – whether in their personal or business capacity – but do not apply to companies or other entities. Depending on where you are in the world, privacy obligation may also be limited to people who are still alive, and not the deceased.

So, what do you do with the personal information you collect? Unless you use integrated technology, you probably have data about your clients and supplies in a variety of places:

  • your CRM
  • your finance software
  • your email marketing software
  • your email management system
  • a project management tool
  • other software used in your business

Whilst the problem of keeping information consistent across databases is widely acknowledged, the type of protections each of those systems offer, and how you use them, probably isn’t.

For many types of businesses, your privacy obligations mean that you can’t send data overseas without the consent of the person providing it. This is particularly so for financial or health data. Personal trainers, life coaches, psycho-therapy providers all collect health data and probably don’t realise that every email they send pushes personal information overseas.  

I’ve also gone to privacy policy links on websites that don’t cover privacy at all, and in fact display the e-commerce terms of that business instead, which perhaps a throwaway line saying “we respect your privacy and will never sell your personal information.” That is not a privacy policy.

6. Not considering any procedures to support your policy

When you run a small business, the people who work with you, employees or contractors, need to understand your priorities around personal information and what can and cannot be done with it.

Do you allow contractors to keep contact details on their mobile devices outside your systems?

What controls or oversight do you have over what they are doing with their mobile device each day?

How many times have you seen parents hand a mobile device to their child to keep them quiet or entertained? Do you know the personal data of others isn’t being accessed?

For businesses in Australia which are obliged to comply with the Privacy Act 1988, there are now also mandatory data reporting obligations so that if any data is lost or accessed, it needs to be reported. Leaving a device on public transport can be a reportable event if that device cannot be remotely locked and contains any personal information that is supposed to be controlled by your business.

7. Not knowing where you are collecting data or what you are doing it

We’ve spoken with many small business owners who simply don’t realise how often or in what way they are collecting data.

  • a form filled through a website
  • an email received
  • a video conference recorded
  • a note made of a telephone conversation
  • a voicemail received
  • video feedback recorded and sent by a client
  • patient notes written and yet to be filed

All these examples involve the collection of personal information. Does your business have protocols in place for the destruction of information that is no longer required for the purpose of your business? Privacy law generally requires that you only collect what is necessary, and destroy it after it is no longer required. Interestingly, many large organisations, like banks, appear to keep your information indefinitely.

The GDPR (regarding information about EU residents) now requires that you monitor what you collect, how you collect it, and how long you keep it.

We can help you put together policies to assist people in your workplace to manage how information is collected, stored, used and destroyed.

8. Not updated to match data practices

Laws are changing all the time. If you haven’t looked at your privacy policy for more than two years, it is probably time you did.

Not only that, but if you’ve changed the software or technology you are using recently, that should also prompt a review of not only your privacy policy, but also the privacy policy of your new software or technology provider.

You might be offering a new product or service that means you collect additional information from your clients, more than you did previously.

You might have started working with another business in a joint venture, which means they now have access to some of your personal information, and vice versa.

Take time to review your practices and procedures for managing personal information and privacy, as well as checking that you are legally compliant with your obligations.

9. Doesn’t address all the different people affected – customers, partners, developers, general users

You may or may not treat personal information from different relationships in the same way. By relationships, consider the different people you interact with in your business – your clients and customers, your suppliers, your employees and contractors, volunteers, etc.

Consider: if you still have a business that uses paper forms, you might have collected similar or only slightly different data on different forms. You might scan that information and store it electronically, but then what happens to the paper copy? Is it securely destroyed? Is it stuck in a filing cabinet somewhere? Is that filing cabinet locked? Is any member of staff able to access that filing cabinet?

Do you have forms to be filed sitting on someone’s desk without any security or privacy around that information?

Do you have phone numbers written on a white board that can be seen from outside your office? This happened on a morning TV cross to a bank financial data room.

You might have a list of supplier details stuck on a wall, or a piece of paper near the computer.

If you treat the personal information you collect about different groups of people differently, all those scenarios need to be covered.

10. Hiding the terms

When your business has privacy obligations, you should share how you meet those obligations with the people whose data you collect. So, if you have employees, you should have an employment policy around how you manage their personal information.

With regard to your customers, you should have a policy about how you manage their personal information and what you do with it.

The easiest way to share a privacy policy with customers and suppliers is through your website and the convention is to have a link to that policy in your website footer.

A link to a blank page is not helpful.

11. Wrong laws or no laws

A contract came across my desk the other day between two Queensland, Australia based small businesses. Goodness knows where they got it. The agreement was four years old and mentioned the laws of Ontario, Canada as the governing law. No, no, no, no. Not helpful at all!

If you copy and past a privacy policy from someone else there is a risk that you have inadvertently referred to laws that don’t even apply to your business. Like COPPA, the Children’s Online Privacy Protection Act which is law in the United States. Reference to that law in another country is likely to be inaccurate and potentially misleading, or create obligations in your business that never actually existed until you voluntarily assumed them.

If you’ve copied something from overseas, it is also possible that you’ve not complied with the laws that do apply to your business, putting your business at risk.

Although there are certainly some similarities in obligations in different countries, law is not universal and there are often inconsistencies within countries, particularly federated countries, as well as between countries.

Make sure you are undertaking to comply with the laws that apply to your business.

12. Hard to read – legalese or no whitespace

Lastly, don’t make your privacy policy so hard to understand that people don’t or won’t read it. If you write for the comprehension level of a child of around 12, then most people who read your privacy policy, whether customers, suppliers or staff, will understand it.

You shouldn’t need a post-graduate degree to make sense of what has been written. It doesn’t help your business or anyone else you deal with. Back in 2019 The New York Times did an article about readability and found that Facebook’s then privacy policy was more difficult to read than Stephen Hawking’s ‘A Brief History of Time’. Don’t be that business.

Simply headings like:

  • How we collect your personal information
  • What we do with your personal information
  • Where we store your personal information
  • Your rights regarding the personal information we have collected about you

All make it easier for someone reading your privacy policy to make sense of what it is you do to help protect them. Short sentences, simple words, easy to follow headings, pleading of white space, all aid understanding.

If you are not sure, get a child you know to read your privacy policy out loud and ask questions about anything they don’t understand. If they stumble over a sentence, or have loads of questions, go back to the drawing board.

How can Onyx Legal help you?

If you’d like help reviewing or updating your privacy policy, or perhaps having one tailored to fit your business and your business processes, make an appointment with a link to your policy (if you have one) and let us know what you’d like to achieve.

Your Quick Legal and Cyber Check on Your Website

Your Quick Legal and Cyber Check on Your Website

Your Quick Legal and Cyber Check on Your Website

Start by completing our quick audit questionnaire to work out what are some legal issues when creating a website. Then read below…

Domain Name Legal Issues

Your domain name is like a post office box. You lease it, you don’t own it. Your registrar is like the post office. They will only talk the person who is authorised as the registrant of the domain name. That might not be you!

If you don’t know where your website is registered – GoDaddy is a commonly known registrant – this could be a problem if you want to sell your online business and cannot transfer the domain name. If you don’t ensure your registration fees are paid regularly, then you could lose your domain name and it is not easy to get them back.

When agencies first started building websites for businesses, a lot of companies registered the domain names to their agency rather than you, their client. This became a problem for people when their small web designer gave up their business, or their web designer held them to ransom, requiring a payment equivalent to purchase before releasing the domain name.

We’ve had a prospective client come to us running a business using a specific domain name, and no part of that domain name was protected by trade mark or copyright. For whatever reason, they let their registration lapse. Of course, the domain name was sold to someone else. That someone else happened to be a local competitor to them. They came to use 2 years after the domain name had lapsed and their competitor was using it and asked us to help them get it back. We told them we couldn’t help. There was no basis for them to claim exclusive ownership, it took them two years to take any action and the time, money and effort required to even attempt to get it back was more than they were willing to invest.

Trade marks are almost the only thing that can give you superior rights to anyone else for registration of a domain name, and even that won’t stop someone using the same domain name in a different industry from using your name. Just try searching ‘Onyx Australia’. We might be the only legal firm with that name, but we are not the only business with that name in the country.

ACTIONS:

  • Identify your registrar and make sure you have login details
  • Confirm the registrant name (hopefully not a company you since closed – it has happened)
  • Make sure you have auto-renewal and up-to-date payment details in place

Our team at Onyx Legal can help you find out who the registrant is and make sure you have control over your domain name.

Hosting & Backup Legal Issues

All of the information that people can watch and read on your website is stored and then accessed via the internet. You pay a hosting provider to store that content and make sure it is available when people look for it online. If you don’t know who your hosting provider is, who can you talk to if your website is ‘down’ and not visible? You might be working through an agency and contact them.

There is a lot of factors that can impact your website hosting including whether your website is on a shared server or an individual server. On a shared server, one website with malware can have every website on the server temporarily shut down. If you site is impacted by malware and taken down, it can impact your results in advertising or search results when clients are looking for you. The responsibility for those things may sit with you, or your agency, or your hosting provider. Check your terms and conditions of hosting.

The type and local of your hosting provider can also impact the speed of data upload to or download from your website. If you don’t have automatic payments set up on your hosting, you might find your website is down and if you don’t know where your website is hosted, any information you collect through your website, like personal data, may be going around the world before it comes to you – which could be an issue in managing your privacy obligations.

Backups are important in reducing your cyber risks.

There are lots of products that enable you to backup your website to the server where it is hosted. This might not be effective if you get hit with ransomware. If you have a separate backup on a system that you know works and can be reinstated quickly, then you have a better chance of a quick recovery from a ransomware attack. Always check that your backups work and your site can be quickly reinstated. Backup regularly.

Like backups, password protection and sensible username application can also make a huge difference in managing the cyber risks to your website and your business.

The team at Onyx Legal can help you find out who your hosting provider is and how to protect your content.

Website relationships and the terms and conditions to manage them

In a high street shop front, everyone is trained in the rules of what is considered appropriate behaviour in stores from a young age, so much so that we take it for granted. Things like – if you break something, you pay for it, if the shop is closed then you can’t come in, you have to pay for what you buy before you leave the store and so on. The common courtesies like don’t disturb other shoppers, if you are asked to leave then leave, and don’t steal are also taken for granted.

Online, you sometimes need to remind people of the rules. You can also set some rules to control your own online space.  Think about the big sites like eBay, Craigslist, Facebook, and Google. If you don’t follow their rules, they can stop you from using their services and there is almost nothing you can do about it.

You have the same ability to control how other people access and use your website and the information you provide. Every different interaction available on your website creates a different relationship that you may need to manage through terms and conditions.

You will normally find a link to terms of use in a website footer. Following that, convention is sensible if you want to argue that your terms and conditions are binding on your website visitors or users.

We’ve had a client who neglected to have terms and conditions on their website and had to pay a $125,000 claim for defective products because they failed to disclose that they were just the importing agent for the manufacturer and set any contractual terms around their supply.

If you are working in any sort of industry that is regulated, either by government or a professional organisation, a disclaimer may help limit the risks to your business. Disclaimers can also provide a great opportunity to remind your clients of their responsibilities

Onyx Legal can help you tailor terms and conditions that fit your business, your industry, and make sense to your customers.

Legal Issues with Website Content

What you publish on your website, whether you put it there or someone else did, is your responsibility. If you have been creative with the truth, copied something from someone else, used a form of software that allows you to ‘snip and spin’ other people’s content and publish it as your own (We were horrified! It was so obviously copyright infringement, and the client thought it was perfectly fine because they paid for the software and assumed the developer was doing the right thing around copyright. Wrong! It slowed their website development down a bit) then that’s on your head – no one elses.

You need to be aware of any regulations applicable to your industry (for example – health services in Australia can’t use testimonials about the health service), stay within the bounds of consumer protection legislation, not infringe the intellectual rights (trademark, copyright etc) of others and protect the privacy of visitors to your website.

Onyx Legal can help assess your level of compliance, where you might have risks and make some recommendations around improving your website from a legal perspective.

How can Onyx Legal help you?

If you scored badly on the website legal and cyber self-audit and would like us to carry out a more comprehensive audit and make some recommendations, make an appointment with the Onyx Legal team now..

Privacy Policy: Collecting and Managing Personal Information

Privacy Policy: Collecting and Managing Personal Information

Privacy Policy: Collecting and Managing Personal Information

Privacy Policy: Collecting and managing personal information

As a business owner, how many times a day do people give you their personal information? Do you think about protecting it, or do you just assume that the systems you have in place will do that? 

Or maybe you don’t think about it at all. 

Does a small business need a privacy policy?

You must comply with Australian privacy laws unless you run a small business with $3 million or less annual turnover. However, you will still be bound by privacy law if your small business does any one of the following:

  • are a credit reporting body (e.g. Equifax, Illion) or
  • are a contracted service provider under a contract with the federal government; or
  • provide a health service or otherwise hold health information (e.g. health practitioners, life coaches, personal trainers, childcare centres); or
  • collect or disclose personal information for a benefit, service or advantage (e.g. operating a lead generation website where you sell the leads).

If you have any customers or suppliers overseas and you collect their personal information, you may now also have to comply with what are called ‘extra-territorial’ provisions of laws from overseas. For example, if you have customers in the European Union, you are required to comply with the General Data Protection Regulation (GDPR), regardless of the size of business. If you have a medium enterprise with customers in California, you now must consider the California Consumer Privacy Act (CCPA).

Some other countries with privacy laws that have an extraterritorial scope include New Zealand, Brazil, Thailand, the Philippines, and Canada.

 

From a practical perspective, can not having a privacy policy really make a difference?

Apart from the legal obligations, there are practical consequences of not having a privacy policy too.

If you want to advertise on social media, or through Google Ads or other platforms, you are required to provide a link to a privacy policy before your advertising can go live.

A lot of international service providers include in their terms and conditions that you must comply with privacy laws to use their services, and they have the right to end your ability to use their services if you don’t.

For example, if you use PayPal you agree with the following terms of the PayPal User Agreement:

You must comply with all your obligations under applicable Australian consumer law, including as a seller by publishing a refunds and returns policy as well as a privacy policy, where required by law.

… you must not: Infringe PayPal’s or any third party’s copyright, patent, trademark, trade secret or other intellectual property rights, or rights of publicity or privacy.

…To the extent that you (as a seller) process any personal data about a PayPal customer pursuant to this agreement, you agree to comply with the requirements of any applicable data protection laws. You have your own, independently determined privacy policy, notices and procedures for any such personal data that you hold as a data controller, including a record of your activities related to processing of personal data under this agreement.”

What difference would it make to your business if you couldn’t process payments through PayPal?

 

So, what is the point of a privacy policy?

One of your many obligations under Australian privacy laws is that every time you collect personal information from an individual, that person must be able to find out why you are collecting it, and what you are going to do with it.

Posting a privacy policy that you understand and know you can apply, on your website where it is easy to access, is by far the easiest way to share with people what you are doing with their personal information.

 

So, what is personal information?

Under the Privacy Act 1988, personal information means any information or opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

And what does that really mean?

Well, for a start, it doesn’t cover information about people who have died, which is interesting considering the legacy profiles some social media platforms are now making available for the families of the deceased, but that is not the topic for today.

It does cover information you collect about your employees and contractors. Many businesses only think about customer information and forget that you also have to protect the privacy of employees, contractors and suppliers.

But what about a practical example:

Imagine a gym where someone is leaving and their trainer turns to another trainer and says something like “She’s never going to lose weight, you should see her mum, she just has fat genes”.

The comment is verbal, it’s an opinion, it refers to a person who can be identified visually, and whose name and other details could be found by looking at the trainer’s schedule. That makes it personal information.

Is there a risk of violating privacy law – Yes. Is it likely to be a big risk to your business? – No. Why not? – Because it probably wasn’t recorded and is therefore difficult to prove, but if another patron overheard it, or the trainer repeated it to someone else, it does start a chain of infringement.

Imagine the same gym has list of all their trainers with their phone numbers on a clip board, and that clipboard gets left on the front reception desk, where anyone coming in could take a quick photo with their phone.

Is there a risk of violating privacy law – Yes. Is it likely to be a big risk to your business? – Possibly. Why? – Because once that information is recorded in a different form, like a photo, your business has disclosed personal information without permission.

Can you see why it is important to understand what you are doing in the process of collecting personal information?

 

When are you ‘collecting’ personal information?

You collect personal information in your business all of the time.

Any time you confirm someone’s name over the phone, whether or not you write it down.  Every time someone fills in a contact form on your website. Every time you add someone’s details to a database. Every time you prepare a proposal for someone or take payment details. Every testimonial. These are all examples of collecting personal information.

This is a broad concept.

It includes getting personal information from any source and by any means, such as the people themselves, social media profiles, other businesses, or even surveillance cameras. In practice, all personal information that you hold will generally be considered information that was collected by you.

Bear in mind that if you generate personal information from some other data you hold, collection may also take place. For example, if you generate a sub-set of information from your database for promotional purposes, you’re effectively collecting that information again. And the practical consequence? – Your privacy policy and procedures should be broad enough to include that kind of activity in what you do with personal information.

 

How should you manage personal information?

This is where a lot of people get lost and think that having a privacy policy by itself is a cure for all ills. It isn’t.

You are required to manage the personal information you collect in an open and transparent way. What this means is that you must take reasonable steps to establish and maintain internal practices, procedures and systems for your business to ensure its compliance with privacy laws.

Do you have any sort of privacy checklist for small business to help your team navigate what they can and can’t do with personal information? If not, that is a good place to start. What is considered as reasonable would depend on your business.

Think about what type of personal information your business holds, how much information you collect, how your customers might be affected if their personal information was not handled properly, the size of your business, and the time and cost involved in implementing appropriate procedures.

What you are required to do in Australia is comply with privacy law to a degree that is commercially proportionate to your business. So, if you run an online marketing agency with a team of four people, your procedures are not likely to be as complex as a business supplying services to the defence force.

Here are some examples what you could consider implementing:

  • understand what privacy obligations you have as a business;
  • work out when you collect personal information, and why (avoid collecting more than you need for your business);
  • work out what you will do if someone wants to be anonymous, and if you can still deliver products or services if you allow that;
  • work out where you store personal information, and how you use it (do you use a commercial database, or excel, or your phone contacts list?);
  • work out if you share personal information (eg. with a distributor or courier service);
  • decide whether the systems and procedures you use in your business protect, or put personal information at risk of being disclosed, lost or stolen (eg. leaving a mobile phone in an Uber);
  • check that you have faith in the online systems you use and there is limited risk of unintentional access by someone outside your business (eg. information on a white board visible when you are on Zoom, unintentional disclosure of a Google form);
  • work out what you will do if you get a complaint from a customer about the use of their personal information;
  • work out what you will do if someone asks you for a copy of their personal information, or a change to that personal information (eg. change of name or address);
  • include privacy training as part of your induction process for new staff; and
  • annually review and audit your business’s privacy practices, procedures and systems.

 

How do you write an effective privacy policy?

Your next step then is to write a clear and up-to-date Privacy Policy about how your business manages personal information, or get us to prepare it for you. At a minimum, it must contain the following:

  • the type of personal information that you collect and store (eg. contact details, educational qualifications);
  • how you collect and securely store personal information (eg. collect directly from your customer and their public social media accounts, then add to a CRM);
  • the purpose for collecting, keeping, using and disclosing personal information;
  • how your customers can access and correct any their personal information and who to contact in your business;
  • how your customers make a complaint about a breach of privacy laws, and what happens when they do; and
  • whether you are likely to disclose personal information to overseas recipients, and if yes, the likely countries.

Your Privacy Policy will be more comprehensive depending on the complexity of your business and should be tailored to match your internal systems and procedures. A well-written, easy-to-understand Privacy Policy can add to your credibility and help build rapport with your customers.

If your Privacy Policy is made available online, you can provide a condensed version to outline key information, but a direct link to the full policy must be provided.

 

What if you get it wrong?

Privacy law is regulated by the Office of the Australian Information Commissioner (OAIC). The Commissioner can require your business to put in place systems, procedures or training, pay compensation, or apply to the court for fines to be made against your business.

Compensation is usually ordered where information has been disclosed, or where a person has requested access to their information, and it hasn’t been provided in a timely manner.

 

Protect your customers and your business

Having the right systems and procedures in place with a clear and comprehensive Privacy Policy is your opportunity to reassure your customers that you can be trusted, that you are aware of and care about their privacy and information security. In doing so, you are not only complying with your legal obligations but are also working towards building a reputable business. Make an appointment and see how we can create a privacy policy that suits your business.

 

GDPR and the impact of a ‘no deal’ Brexit

GDPR and the impact of a ‘no deal’ Brexit

GDPR and the impact of a ‘no deal’ Brexit

The UK is scheduled to exit from the EU on 29 March 2019

There are substantial negotiations underway for transitioning of legal, trade and other relations between the UK and the EU after Brexit happens. At this stage, many of the negotiations have been unsuccessful either within the UK’s own parliamentary system or between the UK and the EU. Without agreements for transitioning and new agreements for interacting with the EU, the UK faces numerous disruptions to trade, security, medicine availability, travel, workplace regulations and citizenship of UK citizens in other parts of the EU.

There are a few options between now and 29 March 2019.

The first is that a deal will be put together for transitioning. This would be the most favourable outcome for continuity of business transactions and commerce. The second is, if no deal can be agreed upon, the date of Brexit may be extended by agreement to allow more time for negotiations. The third scenario is what is being called a ‘no deal Brexit’.

What does a ‘no deal Brexit’ mean?

If no agreement for transitioning can be reached and the exit date is not extended, the UK exit from the EU will happen on 29 March 2019 and there will be a degree of chaos attached.

For the many laws and rules currently intertwining the UK within the EU, there will be no deals in place for transitioning and planning. This will affect many laws and current practices, however for the purpose of this article, we are only looking at the management of data under the GDPR.

Why is a ‘no deal exit’ important for privacy legislation and who would this effect?

Under the GDPR (General Data Protection Regulations), the UK is currently part of the EU however from 29 March 2019 (or later date if this is extended), the UK will be an independent country.

If a no deal exit happens, the transfer of data between the EU and the UK will be restricted under the GDPR from 29 March 2019. It is possible that the UK will be granted adequacy status (yes, that is a technical term), but this cannot be assessed until after the exit has happened (and will likely take several months). In the meantime, the transfer of personal information from the EU into the UK must be completed using a standard contractual clause (‘SCC’) in the format approved by the EU.

Sounds complicated? Let’s break it down and look at the implications: 

Location of business receiving personal data Scenarios and action required prior to 29 March 2019
Head office of business within the UK and collecting data from any person within the EU or monitoring the behaviour of any person within the EU

Examples:

  1. You operate any kind of online membership subscription service that has EU resident subscribers.
  2. You have an online retail store that is open for EU residents to make a purchase.
  3. You provide advisory services and have clients resident in the EU.
ACTION: Review your privacy policy, make sure SCC’s are in place with businesses within the EU that you deal with eg hosting, cloud storage.
If you process data of EU citizens and transfer this data to the US under the US privacy shield, you will need to look at your agreements with the US to ensure a SCC is added into each of these agreements as the US Privacy Shield will not work with the UK anymore.
Unless you have an office in the EU, you will need to appoint a privacy representative in the EU.
Head office of business within the EU (but not in the UK)Look carefully at where your data goes. There will no longer be a free flow of data from EU to UK. Do you transfer data to the UK? Data subjects will have to be told.

Head office of business outside of the UK and EU and collecting data from any person within the EU or monitoring the behaviour of any person within the EU

Not much changes here, you should already have in place a compliant GDPR privacy policy and SCC’s protecting the flow of data of EU citizens. A review of your privacy policy will be required if you rely on the US Privacy Shield for the transfer of data of UK citizens
Any business relying on the US Privacy Shield for the transfer of data in or out of the UKThere is a particular paragraph that needs to be added to the privacy policy of the US entity (yes, the wording is specific) to ensure that the privacy shield takes effect.

 

How can Onyx Legal help you?

We can help you work out if you have to comply with GDPR and prepare appropriate privacy and cookie policies to comply with GDPR requirements. Book a time to talk to one of our team to find out more.

GDPR for business outside Europe

GDPR for business outside Europe

GDPR for business outside Europe

If your business is not in Europe, should you be worried about GDPR?

GDPR has the potential to impact any business that might be doing business with a European resident, whether the business is online or not. This article covers some of the most frequently asked questions we have received from clients, to help you decide what level of action you need to take to protect your business, and how soon.

For those of you who haven’t heard anything about it yet, GDPR is the General Data Protection Regulation introduced by the European Parliament back in April 2016, and came into effect on 25 May 2018.

What is GDPR?

GDPR is the General Data Protection Regulation (GDPR) is an European Union law which came into effect on 25 May 2018 across all European Union nations including the UK. The GDPR is designed to strengthen privacy rules and requirements around how information relating to individuals can be collected and used and updates and unifies data protection laws across Europe.

How does GDPR apply to Australian business?

Australian businesses may need to comply with the GDPR if:

  • they have an office in the EU (regardless of where they actually process personal data); or
  • they offer goods or services to individuals of the EU (these services can be free or for money); or
  • they monitor the behaviour of individuals in the EU.

A business will be considered to offer goods or services if they have actual clients or members who live in the EU or if their business could be used by and is intended to be used by individuals in the EU eg. you sell goods online and have a shopping cart that displays as an option the purchase amount in Euros.

How is GDPR different from current Australian Privacy Laws?

The good news is that both the Australian Privacy Act 1988 (Cth) and the GDPR have similar requirements. This means many businesses will have already started the process required to be GDPR compliant. The GDPR does however have additional requirements. It introduces higher standards for the manner and basis on which data is collected and gives more rights to an individual to control their data.

We have European customers, does GDPR affect us?

Short answer – yes. The intent of the legislation is to protect personal data of data subjects in the European Union. If you already have that data, you should comply.

On the other hand, if you don’t already have that data, the legislation appears to consider your intent about collecting it.

Does your business ‘envisage offering services’ to people in Europe?

If you have random purchases from European residents, or surprise inquiries from European residents, then you might not actually have planned to do business in Europe, it could merely be coincidental. The recitals for GDPR (the 173 introductory paragraphs before the Regulation provisions) talk about whether a business ‘envisages offering services’ to people in Europe and infers that there must be an intent to do business in Europe, not merely happenstance.

Just because people in Europe can find your website, or contact details, that is not enough to demonstrate that you plan to do business in Europe. On the other hand, if you’ve designed your business so that it can be translated, or has pages in languages most commonly used in Europe, enables people to pay with Euros and is otherwise targetting European customers in some way, you are demonstrating an intent to do business with EU residents and must comply with GDPR. 

It is all very up in the air at the moment as to what some of the regulations actually mean, and there will be a period of settling in, as well as prosecutions of non-compliant companies, before we have a clear idea about how GDPR will be enforced. 

EXAMPLE:

Australian business not affected by GDPR

You have a website that displays pretty pictures about growing fruit in Queensland, Australia. When individuals go onto your site, cookies collect information about them and google advertising gets this information and uses it to target advertising to that individual about fruit trees.

In this example it is not clear if a goods or services are being offered as there is no actual connection between individuals viewing the site and the site owner. Potentially there is a service of information being offered but really it is not clear. Then you would go and use the next part of the article to determine if in fact the site owner does envisage offering goods or services in EU – you would look at the text languages on offer, currency (although not selling anything) and would conclude, no, they are not providing goods or services to individuals in EU.

example:

Non-European business affected by GDPR

An accountant in the United States does tax work for a client in the United Kingdom for money and keeps personal information of the client on file. Does the accountant offer goods or services to an individual in the EU – yes. We don’t think you then have to look any further at the business intentions etc. to decide if GDPR applies.

To avoid HAVING TO BE GDPR COMPLIANT, should I go through my client list and just delete anyone who is in Europe?

GDPR is certainly an opportunity to clear out those old email lists. I know of one person who never deletes their unsubscribed people and then ends up with them back on his list every time he changes auto-responder systems. Really annoying! Not to mention completely disrespectful of the people who’s information he holds. This is part of the reason for GDPR – encouraging business to be more aware of the value of the personal data they have collected, and giving individuals greater control over what happens to it. 

There are lots of businesses that are taking action delete EU residents from their lists, and block EU access to their websites. If Europe isn’t your target market and you don’t want another regulatory burden, this is certainly an option. If other countries decide to adopt any of the GDPR provisions however, you may still face greater compliance burdens in future. 

How do we let people know we don’t want personal information from people in Europe?

If you really don’t want to deal with European residents, one option is to include a notice in your privacy policy, which could read something like this:
EU – GDPR
We do not promote our business in the European Union and aim not to collect personal information about EU residents. We have not taken action to comply with the General Data Protection Regulation (GDPR). We have taken reasonable action to block access to our services from EU residents.

Who is GDPR intended to protect?

Although the GDPR will have worldwide impact on business, it is only designed to protect the use of personal information for people in the EU. 

There is no time limit on how long a person has to be in Europe for their collected data to be protected. The GDPR cover information collected about natural persons in The European Union, or their behaviour in the EU.

If you think about travelers to Europe, local business that they collect personal data will have to comply with the protection of information about anyone in Europe, however temporarily. The collection must relate to the offer of goods or services to data subjects. So a tour operator who takes you name and passport number for a one day stopover will have to comply with GDPR.

What is a ‘data subject’ under GDPR?

A data subject for GDPR is a natural person whose personal information has been collected.

A tourist coming through any European Union airport or seaport who is captured on surveillance video, even if they only transit through Europe, will be a ‘data subject’ because their personal information (image) has been captured on the way through.

For business, a data subject is any natural person whose personal information you have collected, however briefly.

What data does GDPR cover? What data does GDPR not cover?

GDPR covers personal data about natural persons. Personal data is any information relating to a natural person that identifies that person, or can be used to identify that person. Some examples are set out under the next question below.

You don’t have to worry about the birthday diary you keep (for those who don’t rely on social media reminders), because information collected by a natural person for purely personal or household activity is specifically excluded.

What is Personal Data for GDPR?

Personal data is , in general, any information relating to an individual. It can identify the person either directly (eg their name) or indirectly, in combination with other data (eg a location marker in combination with other information known about the individual may identify them).

Personal data includes obvious information such as an individual’s name, address and contact details however it also includes things such as online identifications like IP addresses and location data.

There is a special category of Sensitive Personal Data that includes information on racial or ethnic background, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, physical or mental health and sexuality or sexual orientation. The rules regarding Sensitive Personal Data are much stricter.

Should I keep personal data about European Union residents separate from data about my customers in other parts of the world? 

You could put in place systems to separate the information you hold about people in different countries, but consider which is the highest cost and most difficult for your business – having one set of policies you comply with, with different systems, or multiple policies and systems?

What are the GDPR principles?

There are 6 key principles. Data must be:

  • Processed lawfully, fairly and transparently.
  • Collected for specific and allowable purposes and only used for these purposes.
  • Adequate, relevant and limited to what is necessary.
  • Accurate and kept up to date.
  • Only kept for as long as necessary for the purpose it was obtained.
  • Processed in a manner which ensures appropriate security.

What does processing of personal data mean?

Processing is anything that is done with personal information whether by electronic means or otherwise. The term is very wide and includes everything from collection through to storage, use, manipulation and destruction.

What is the difference between a data controller and a data processor?

Basically, the data controller is the person or entity that determines the purpose and means of the processing ie. they control why the information is collected and what it is used for.

The data processor stores or manipulates the data at the request of the controller.

Both the controller and the processor have significant obligations under the GDPR and your business may be a data controller, a data processor or both.

What are some examples of personal data under GDPR?

Some personal information typically collected by businesses are:

• name and contact details – phone, email, social media profile link
• role or title, school, occupation, employer, qualifications
• age, date of birth, gender, ethnicity
• residential address, business address, postal address, location
• photograph, likeness, identification number
• allergies, health conditions, dietary requirements
• finger print, facial recognition, DNA scan
• opinions and beliefs collected via surveys and questionnaires

What risk to my business if I don’t apply an EU geo-blocker to my website?

It’s not worth me being in breach of the GDPR

If you have a small business, located outside Europe, that is not intentionally aimed at European residents, your risk of prosecution under GDPR is likely to be very low.

It is likely that the EU regulators have already identified target companies for audit and potential prosecution to test the enforce-ability of their new provisions. As with all government regulators, they will only have limited funding available and will be looking to make an impact that gets picked up and shared in popular media. As with any new laws, there is usually a settling in period while everyone gets used to the new regime. Lots of regulators look for cooperation rather than prosecution, simply because it is cheaper and less time consuming. 

On what basis can I collect personal data under GDPR?

The allowable reasons that data may be collected/processed are:

  • By consent of the individual giving the data
  • Because it is necessary to take steps to enter into a contract with the individual or for the performance of a contract with the individual.
  • It is necessary for compliance with a legal obligation.
  • It is necessary to protect the vital interests of the individual or another person (eg. in an emergency you access a data base you wouldn’t otherwise have access to, to check for allergies and call 000/ 411/ 911 or the applicable emergency number to save the individual’s life)
  • It is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority.
  • It is necessary for the legitimate interest of the controller (so long as this doesn’t harm the interests, rights or freedoms of the individual)

The allowable reasons for Sensitive Personal Data are even narrower and are quite specific. 

how does GDPR affect google analytics?

If you use Google Analytics you should have received an email recently suggesting you check and update your account settings. If you don’t your historical data will disappear. It is worth reading through the email from Google to better understand the impact on your account. 

Do I need to collect consent from my database again for GDPR?

There are competing schools of thought here.

There are a bunch of Articles (commentary to the GDPR) that absolve you of liability if you have consent, so for the risk averse, consent is what you want. However, there are also a bunch of Articles that say provisions don’t apply if…

One of the ‘ifs’ is if the processing of information is necessary for the performance of a contract the individual is party to, which is what a lot of organisations appear to be relying on to avoid seeking consent. You already have an existing contract for services in place, and to be able to continue to provide those services, you do so under contract. If you are happy to ‘hang your hat’ on that provision, then you can do what a lot of other organisations are doing and just give notice of update.

The benefit of recording consent again is you then have a record of it…

Some businesses are actually including in their policy update notices that users can change their settings and opt out at any time, rather than asking for renewed consent.

Does GDPR mean websites must first ask for consent before placing cookies?

The GDPR is set out in the Articles (rather than the recitals), which make no mention of cookies.

GDPR doesn’t actually address cookie usage it deals only with personal information. Most cookies don’t collect personal information – session cookies and those used to remember login details are likely to collect personal information. GDPR works alongside cookie legislation.

What is and is not consent is discussed in the recitals rather than the articles. For example recital 42 refers to ‘For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.’

That is not dealing with cookies necessarily, but addresses the use of personal information. So, if a person wants to have their login details remembered for next time, they need to be asked if they want them remembered (which is already what usually happens) rather than the details automatically being retained without their knowledge. 

Should I appoint a Data Protection Officer?

No! Well, not unless you have to.

The GDPR is very specific on the qualifications and experience required of a data protection officer and you are only required to appoint one as a government entity or if you are processing sensitive personal data on a large scale.

However, you can opt-in and it is easy to do so. If you call someone in your business a Data Protection Officer, you opt-in. The trouble there is that you then have to meet all the obligations around the qualifications and experience that person must have and can be in breach of the Regulation if you don’t. You can appoint someone external who is qualified and these businesses are now popping up around the world. 

How can Onyx Legal help you?

If you are not sure whether you have to comply with GDPR, or know you do, and need your policies brought up to appropriate compliance standards.

What is a Mandatory Data Breach Notification for Privacy? – FAQs

What is a Mandatory Data Breach Notification for Privacy? – FAQs

What is a Mandatory Data Breach Notification for Privacy? – FAQs

Do mandatory data breach notifications apply to you?

 

If you are in Australia and collect personal information from clients, customers, suppliers, partners or anyone else for that matter, then maybe they do.  But a compliance perspective, these laws don’t affect you unless you are already required to comply with Australian Privacy law. Which means, you must comply if:

  • you operate a public, private or not for profit organisation with more than $3m turnover per year
  • you are a health service provider (not just doctors, this can include gyms, childcare centres, life coaches and schools), regardless of turnover
  • you are part of a federal government agency
  • you are part of a credit reporting agency
  • your business buys or sells personal information

What are mandatory data breach notifications about?

Data breach falls within Australian privacy laws and is all about cyber security.

The objective of the new law is to give individuals (those who care) confidence that their privacy is being protected. The laws apply regardless of technology, and encourage transparency and accountability.

What does it mean if you have an eligible data breach?

Mandatory data breach notifications only related to personal information. Personal information is defined in the Privacy Act as:

Personal information is –

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

– whether the information or opinion is true or not; and– whether the information or opinion is recorded in a material form or not.

So if your business is hacked and you lose commercial information, that is irrelevant to this law.

The key components of a data breach are:

  • it involves personal information
  • it does not have to be bulk data, personal information about one person may be enough
  • the data has been accessed or disclosed
  • the data has been lost in circumstances where it is likely to be accessed or disclosed (like when NASA employees left a laptop containing access codes to the space station in a cab…)
  • there is a likely risk of serious harm to the people who have had their personal information accessed, disclosed or lost

What does ‘Serious Harm’ mean for a data breach?

Serious harm is a broad concept including physical, psychological, emotional, economic, financial or reputational harm (like when Ashley Madison got hacked and all those people cheating on their partners risked being exposed…)

What is serious harm is likely to be different for each organisation and probably associated with the reason why data has been collected. Customers of a financial institution might risk economic loss, and customers of a medical clinic might risk psychological, emotional or reputation damage.

Think about what is important to your customers, or the people who’s personal information and data you collect.

What should you have in place to handle mandatory data breach notifications?

Not surprisingly, a large proportion of small businesses have adhoc systems in place and no real understanding of what they collect, or how they control their data. This is particularly the case when using third party systems that also store data, like Eventbrite.

IT, management and communications teams will need to work together for data breach notifications.

The top 10 things to consider are:

  1. Every organisation covered by these laws should have a clear understanding of how their data is collected, stored and used and the vulnerabilities of those systems.
  2. Identify ‘who’ in the organisation is responsible for managing data.
  3. Identify the likelihood and consequence of an eligible data breach.
  4. Put in place staff training and security measures to reduce the chance of an eligible data breach.
  5. Understand what ‘serious harm’ could arise if there was a breach.
  6. Work out what would need to happen to avoid ‘serious harm’ and how quickly that could be implemented if there was a breach.
  7. Put in place a recovery plan in case of a breach.
  8. Put in place a communications plan that includes (as a minimum) the communication to those affected, a press release to reduce reputational damage, and the notification to the Privacy Commissioner.
  9. Check the business cyber insurance to see that it covers data breaches and the consequences.
  10. Test a data breach scenario to ensure your business has the ability to manage an eligible data breach.

And lastly…

Remember that data breach laws are technology neutral.

Just because you still operate with a largely paper based system does not mean that this law will not apply.

As someone pointed out to me, most filing cabinets can be unlocked with a paperclip.

How can Onyx Legal help you?

If you need help identifying risks to disclosure of personal information in your business and procedures to manage those risks, or need support developing policies and procedures for managing personal information, then make an appointment to find out how we can help you.