Legislative developments
- Privacy - it does concern you
- The national privacy principles
- Develop your own code?
- How are financial institutions and banks affected?
- Use of customer information
- So what will merchant banks and financial institutions need to do in the lead up to December?
- Foot in the door - corporations law referral
Privacy - it does concern you
Consider these scenarios:
You are a merchant bank and have just announced an initial public offering for securities in XYZ Ltd. The prospectus has been issued and investors are clamouring for a piece of the action. Investors send you their application forms to subscribe for the shares and you enter their details onto a database, for efficiency and to use later to promote new products to these clients.
Stop!
You have employed a new person to work the trading floors. During the interview you found out that he has some spare cash and would like to use it. You note this on his file. As underwriter in the IPO, you suggest to XYZ Ltd that they send a copy of the prospectus to the new employee.
Stop!
Your employee is surfing the net during their lunch break. They visit various sites which reveal their personal interests. Your computer network records and stores this activity. You pass this information onto a direct marketing firm.
Stop!
You are now in the territory of the new privacy legislation.
From 21 December 2001, private sector organisations including merchant banks and financial institutions will be subject to a new privacy regime. There are serious implications for the way your business collects, keeps and uses personal information.
The national privacy principles
The new regime, created by the Privacy Amendment (Private Sector) Act 2000, introduces the National Privacy Principles (NPPs). The NPPs are high level principles which will be the minimum standard for information handling.
The Federal Privacy Commissioner will issue guidelines which spell out the details of how the NPPs will apply. Draft guidelines on the NPPs were released for comment on 7 May 2001.
The 10 NPPs outline how organisations must treat personal information. Personal information is information or opinion, true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
The NPPs cover:
- collection
- data quality
- openness ie, having a published policy on information handling
- prohibitions on using identifiers eg, Medicare numbers or TFNs
- regulating transborder data flows
- use and disclosure
- data security
- access and correction by individuals
- providing individuals with the option of anonymity
- prohibitions on collecting sensitive information eg, information concerning race, health or political views
There are penalties for failure to comply.
Develop your own code?
Investment banks will be required to conform to the NPPs or develop, and have the Federal Privacy Commissioner approve, their own privacy code. A privacy code should be based on and comply with the NPPs, as a minimum.
The new regime does provide some exceptions and exemptions. These include an exemption for:
- sharing information between related bodies corporate; and
- employers in certain circumstances.
The related body corporate exemption allows a merchant bank which collects personal information about an individual to pass this information on to a subsidiary without breaching the Act. However, this exemption does not extend beyond sharing the information, or to sensitive information.
The employer exemption allows an employer to handle information in a current or former employee's records where this is directly related to the employment relationship. Relying on this exemption, a merchant bank can send information about an employee's taxation to a third party such as the Australian Taxation Office without breaching the Act. However, it could not pass this information on to a direct marketing company or use it for commercial benefit.
How are financial institutions and banks affected?
Investment and retail banks will be affected in varying degrees. Some banks (ie those which are credit providers) are already subject to privacy regulation. These banks are likely to already have systems in place to deal with privacy issues.
However, after 21 December they will have to comply with both the existing regulation and the new regime and the requirements of the two don't always match. It is critical that you don't assume that because you meet current standards, you'll meet the requirements of the NPPs.
Use of customer information
Customer information is one of the most strategic assets for any organisation. Most organisations today want to maximise information sharing across corporate groups and maximise opportunities to cross-sell products. The new regime will impact on issues including:
- use of client relationship management software and databases;
- external lists or databases;
- direct marketing; and
- the transfer of personal information to countries outside Australia.
So what will investment banks and financial institutions need to do in the lead up to December?
Ultimately, the new regime will force merchant banks and other organisations to reconsider how they do business.
There are several steps to take.
- Consider appointing a staff member to act as a privacy officer and:
  - audit existing systems
  - establish and monitor systems to comply with the new legislation
- Audit your systems
- Create a Privacy Compliance Manual to minimise your exposure to privacy compliance risks.
We'd recommend a three step process:
- Plan - identify privacy compliance issues. Your lawyers and senior management should take responsibility for planning.
- Implement - educate your staff about their responsibilities regarding security and information management.
- Maintain - update the contents of the manual according to changes in law, regulation and industry codes and practices. Retrain and refresh your staff in relation to their responsibilities.
This is only a general overview of the new privacy obligations. It should not be relied on without obtaining prior legal advice.
In addition, our privacy website (http://www.aar.com.au/privacy/index.htm) may assist you with any preliminary questions which you may have.
Foot in the door - corporations law referral
The NSW Corporations (Commonwealth Powers) Bill 2001 has been passed by both Houses of State Parliament and received assent on 29 March 2001.