JUDGMENTS

VCAT absolves university of privacy infringement.

On 28 April 2020, the Victorian Civil and Administrative Tribunal ruled that a university had not infringed the Privacy and Data Protection Act 2014 (Vic) when it collected images with sexual content from an employee's computer, resulting in a disciplinary process leading to the employee's dismissal: Kerig v Victoria University [2020] VCAT 469. The images were discovered by the university during an investigation into technical issues with the computer. The complainant alleged breaches by the university of Information Privacy Principles 1 (Collection), 2 (Use and Disclosure), 3 (Data Quality), 4 (Data Security), 5 (Openness) and 10 (Sensitive Information). The Tribunal considered that the collection of the images by the university was necessary in order to ensure that the operator was complying with university policies. The complainant was aware of the university's policies in relation to personal use of computers. The investigation fell within the scope of the university's IT Audit Policy which permitted an investigation of alleged breaches by a staff member, provided the investigation was fair and reasonable, and compliant with all relevant law, including the Privacy and Data Protection Act.

ACMA rules on IPND Scheme breach

On 13 May 2020, the Australian Communications and Media Authority (ACMA) issued a formal warning to Localseach Operations Pty Ltd, a digital marketer, in relation to the publication of an unlisted silent telephone number in one of its directories. ACMA found that Localsearch had breached the conditions of its use of the Integrated Public Number Database (IPND) under the Telecommunications Integrated Public Database Scheme 2017. ACMA further found that Localseach had failed to destroy the number and associated data within 10 business days of being notified by the user that the number had been changed from listed to unlisted. An ACMA spokesperson reported that this was the first time a formal warning had been handed down over a beach of the IPND Scheme.

NSWCAT absolves NSW Police of privacy infringement.

On 23 June 2020, the New South Wales Civil and Administrative Tribunal ruled that the NSW Police Force had not infringed the Privacy and Personal Information Act 1998 (NSW) when it notified a school that certain students in school uniform had been observed stealing various food items from a store: EFR v Commissioner of Police [2020] NSWCATAD 159. The applicant contended that the disclosure to the school was unnecessary, and that the Police had therefore, inter alia, breached section 17 of the Act which prohibits the use of personal information for reasons other than for the original purpose of collection. The Tribunal dismissed the claim on the basis that the disclosure fell within an exemption in section 27 of the Act. Section 27(1) provides that the NSW Police Force is not required to comply with the Information Privacy Principles, whilst section 27(2) provides that this exemption does not extend to "administrative functions". The Tribunal rejected the applicant's submission that the actions of the Police amounted to the exercise of "administrative functions" only. It considered that "administrative functions" contemplated the provision of administrative support for the conduct of core responsibilities. In this instance, the reporting of the students' activities to their school fell within a core role of the Police in maintaining a safe and secure school environment.

NEW LEGISLATION AND GUIDELINES

Consultation paper issued by ACMA regarding Broadcasting Declaration

On 5 May 2020, ACMA issued a consultation paper titled Proposal to Remake the Broadcasting Services (Primary Commercial Television Broadcasting Service) Declaration 2010. The Declaration, made under Schedule 4 of the Broadcasting Services Act 1992, provides a mechanism for specifying that a multi-channelled commercial television broadcasting service provided by a commercial television broadcasting licensee for a licence area is the licensee's primary commercial television broadcasting service in that licence area. The existing Declaration is subject to a 10-year sunset clause which takes effect on 1 October 2020. ACMA is of the view that the existing Declaration is functioning effectively and efficiently, and recommends that it be remade with minor changes. ACMA acknowledges, however, that the government is considering policy reforms arising out of the ACCC's Digital Platforms Inquiry, which we have referenced in an earlier update, and notes that the outcomes of that process may indicate a need to consider varying or revoking the new Declaration before the next 10-year sunset date.

Temporary rules introduced for electronic signing and electronic witnessing.

With many Australian and international businesses having shifted to remote working arrangements in light of the government's COVID-19 response, companies and individuals have been confronted with the need to sign documents without easy access to hard copies or a printer. Temporary legislative measures have been introduced by the Commonwealth and other Australian jurisdictions, and these are discussed in an article on our website. Similarly, the witnessing of documents in an electronic environment poses unique issues, and some Australian jurisdictions have introduced measures to permit remote witnessing in respect of documents such as deeds, mortgages, statutory declarations, wills and powers of attorney – these measures are discussed in another article on our website.

CDR enforcement policy jointly issued by ACCC and OAIC

On 8 May 2020, the ACCC and the Office of the Australian Information Commissioner (OAIC) jointly released the Compliance and Enforcement Policy for the Consumer Data Right (CDR). The CDR is a data portability mechanism for enabling individual and business consumers to access information about themselves and about their service providers' products, and to direct their existing service provider to share that information with other service providers. It is initially be confined to the banking sector, with telecommunications providers and energy companies to follow. As previously reported, the CDR was originally intended to be launched and implemented in February 2020 but on 20 December 2019, the ACCC announced that the timeline for launching certain aspects had been deferred until 1 July 2020. The Policy outlines the approach which the ACCC and the OIAC have adopted to encourage compliance with, and address breaches of, the CDR. The Policy identifies five guiding principles: Accountability, Efficiency, Fairness, Proportionality and Transparency. Enforcement options will include administrative resolutions (e.g. accepting a voluntary written commitment from a business), infringement notices (issued by the ACCC), court-enforceable undertakings and revocation of accreditation.

ACCC launches CDR Accreditation Platform and Accreditation Guidelines

On 26 May 2020, the ACCC launched the Consumer Data Rights Register and Accreditation Platform (referred to as "RAAP") which will enable businesses to apply to become Accredited Data Recipients under the new Consumer Data Right (CDR) scheme. The CDR is a data portability mechanism for enabling individual and business consumers to access information about themselves and about their service providers' products, and to direct their existing service provider to share that information with other service providers. It is initially be confined to the banking sector, with telecommunications providers and energy companies to follow. The RAAP will have two main functions, namely, to create a trusted data environment where encrypted data is only shared between approved participants, and to provide a portal where businesses can apply to be registered. The ACCC simultaneously published Consumer Data Right Accreditation Guidelines to assist applicants with the accreditation process – accreditation means that a person may receive a consumer's data from a data holder at the request and consent of the consumer. The scheme will commence on 1 July 2020, confined initially to the banking sector.

NSW private member's bill seeks to expand NSW privacy legislation

On 18 June 2020, the New South Wales Shadow Attorney-General, P.G Lynch MP, tabled a private member's bill in the New South Wales Legislative Assembly. The object of the Privacy and Personal Information Protection Amendment (Service Providers) Bill 2020 is to amend the Privacy and Personal Information Protection Act 1998 (NSW) to extend its application to a person or body which provides services for or on behalf of a public sector agency, or which receives funding from a public sector agency in connection with providing services, if that person is prescribed by the regulations under the Act. At present, the Act extends to private sector entities only if they provide "data services" (that is, services "relating to the collection, processing, disclosure or use of personal information"). The Bill will lapse in accordance with standing Orders on 17 December 2020.

Consumer Data right to be extended to the energy sector

On 30 June 2020, the Commonwealth government took further steps to extend the proposed new CDR to the energy sector. Pursuant to the Consumer Data Right (Energy Sector) Designation 2020, made by the Treasurer pursuant to section 56AC(2) of the Competition and Consumer Act 2010, the energy sector was formally brought within the scheme, thus enabling rules and technical standards to be made to govern how the right will operate in relation to energy data. The Designation also applies the CDR to generic product information involving generic gas offerings (but not customer and usage data for gas offerings which relate to specific customers, except to the extent that this information may be incidental to electricity offerings). The Designation sets out the classes of information that are subject to the CDR regime, the persons who hold this information and who will be required or authorised to transfer the information under the regime, the gateway for certain classes of information and the earliest date that the information being held is subject to the CDR. The government's stated objective is to "allow consumers and businesses to more easily compare and switch between electricity plan and providers, encouraging more competition, lower prices and more innovative products and services".

Consumer Data Right in relation to banks comes into effect

On 1 July 2020, the government launched the CDR in relation to the four major banks. The CDR is a data portability mechanism for enabling individual and business consumers to access information about themselves and about their service providers' products, and to direct their existing service provider to share that information with other service providers. As explained by the ACCC, the launch of the CDR is intended to provide bank customers with "more personalised financial products and services". The right applies initially in respect of the four major banks, with other authorised deposit-taking institutions to join the scheme over the coming year. From 1 July, individual consumers can request their bank to share their data for deposit and transaction accounts, and credit and debit cards; and from 1 November 2020, consumers will be able to share their data relating to home loans, investment loans, personal loan and joint accounts. At launch, there were two accredited data recipients which had completed the necessary steps to securely receive data, and a further 39 have reportedly begun the process to become accredited data recipients. Known as "open banking", the scheme was described by Australian Treasurer Josh Frydenberg as a "game changing reform" and by the Australian Banking Association as a "watershed moment".

POLICIES, REPORTS AND ENQUIRIES

ACCC and TIO sign MOU regarding information exchange

On 22 April 2020, a Memorandum of Understanding between the ACCC and the Telecommunications Industry Ombudsman (TIO) regarding the exchange of information and other forms of collaboration came into effect. The parties have agreed to exchange information relevant to the discharge of their respective responsibilities, subject to prevailing privacy and confidentiality obligations, each party's statutory obligations and the TIO Constitution. Information exchanges will relate to matters such as compliance trends, industry code non-compliance, systemic and emerging issues, regulatory issues relevant to the telecommunications section, and Australian Consumer Law compliance. The parties intend to avoid duplication of effort, with the ACCC directing consumers to the TIO in relation to matters falling within the TIO's jurisdiction, and vice versa. The parties have also agreed to collaborate in identifying and addressing illegal phoenixing activity within the telecommunications industry.

Report on International Production Orders Bill due

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is due to report on the findings of its review into the effectiveness of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020. The Bill was introduced into the House of Representatives on 5 March 2020. The Bill was referred to the PJCIS for review by the Hon Peter Dutton MP, Minister for Home Affairs. The Minister extended the initial reporting date to 26 June 2020 but the report is yet to be handed down. The Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 to provide a framework for Australian agencies to obtain independently authorised international production orders for interception, stored communications and telecommunications data directly to designated communications providers in foreign countries with which Australia has a designated international agreement. It provides for a legislative framework enabling Australia to give effect to future bilateral and multilateral agreements for cross-border access to electronic information and communications data, such as that being negotiated with the United States for the purposes of the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The Bill has been criticised for the perceived inadequacy of safeguards and an over-reliance on individual executive agreements.

HEALTH PRIVACY ISSUES

Legal framework for rollout of the COVIDSafe app.

As reported in the last TMT Update, the Federal Government's contact tracing app, COVIDSafe, was launched on 26 April 2020. The app was initially underpinned by the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020 ("Biosecurity Determination"), together with a COVIDSafe Privacy Policy. The Biosecurity Determination was issued on 25 April 2020 pursuant to an earlier declaration, the Biosecurity (Human Biosecurity Emergency)(Human Coronavirus with Pandemic Potential) Declaration ("Biosecurity Declaration"), which was made on 18 March under section 475 of the Biosecurity Act 2015. The Biosecurity Declaration created a 3-month "human biosecurity emergency period", during which the Health Minister could determine emergency requirements. As the Commonwealth Parliament was not sitting at the time, there was no other legislative basis to support the app and to entrench the Government's reassurances as to the limited use to which the data would be put. The Privacy Amendment (Public Health Contact information) Act 2020 was subsequently passed on 14 May 2020, replacing the Biosecurity Determination and introducing a new Part VIIIA (Public Health Contact Information) into the Privacy Act. To complete the process, on 15 May the Secretary of the Health Department issued the Privacy Amendment (Public Health Contact Information)(Data Store Administrator) Determination 2020 under the new section 94Z of the Privacy Act, declaring the Digital Transformation Agency to be the "data store administrator" for the purposes of the new Part VIIIA. A detailed discussion of the new legislation appears here on our website.

COVID-19 raises numerous legal issues

The COVID-19 pandemic has given rise to numerous legal issues, not all of which are strictly confined to health matters. Davies Collison Cave Law has established a COVID-19 Resource Centre containing articles on a range of pertinent subjects, including privacy, electronic signatures, copyright, innovation, court procedures, medical inventions, commercial tenancies, tax, competition, contractual rights and consumer rights. The resource centre can be accessed here.

Originally published 10th July 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.