Compliance

Privacy Legislation

BACKGROUND

In response to international and national public concerns about privacy in the new economy, the Federal government has enacted the Privacy Amendment (Private Sector) Act 2000 (Cth.) (the Act). From December 21, 2001 all enterprises with a turnover of over $3 million (some exceptions) will be affected by this new legislation, including TOWER. It will change the way you collect, use, store, disclose and dispose of personal information. It will apply to you and your business. Also, under the terms of your Agency Agreement, you are obliged to comply with all legislation that applies to you as it relates to you acting as an agent of TOWER. In addition, because you are TOWER’s agent, TOWER has responsibilities to ensure that you are complying with the National Privacy Principles.

REQUIREMENTS

The Act affects the collection, distribution and retention of personal information in areas such as marketing, human resources, operations and finance. All functional areas of TOWER will be required to:

    • maintain the completeness and accuracy of personal information;
    • ensure personal information is safe from loss or misuse;
    • allow access by an individual to their personal information.

10 NATIONAL PRIVACY PRINCIPLES (NPPs)

  1. Collection requires TOWER to disclose the purpose for which personal information is being collected
  2. Disclosure only for the purpose it was collected for, and an opt out option must be made available for direct marketing
  3. Data quality – complete and accurate
  4. Protect data from loss and misuse
  5. Public disclosure on manner of handling personal information
  6. Access and capacity to correct inaccurate personal information
  7. Commonwealth identifiers not available and not to be used – i.e. TFNs
  8. Anonymity where possible
  9. Data must be protected in foreign data transfers
  10. Sensitive personal information must be treated with greater care

(More detailed information on these National Privacy Principles was mailed to all advisers last month. If you require a further copy you can contact your Business Development Manager or go to the Privacy Commissioner’s website on www.privacy.gov.au).

3 KEY AREAS FOR ADVISERS

National Privacy Principle (NPP)

NPP No. 2: An organisation may only use or disclose personal information for the purpose for which it was collected (the primary purpose). In particular, an organisation which collects personal information must disclose the purposes for which it is collected.
NPP No. 4: An organisation must take reasonable steps to protect personal information from misuse, loss or unauthorised access, unauthorised modification or disclosure.
NPP No. 6: A person generally has a right of access to personal information held by an organisation about them. There will need to be a co-ordinated response to the client’s request for access to their information.

PRIVACY DISCLOSURE STATEMENTS AND OPT OUTS

Our Customer Information Brochures and Applications/Personal Statements are being reprinted and they will incorporate Privacy Disclosure Statements and Opt Out clauses. These will be available from 17th December. The Privacy Disclosure Statement discloses to the customer to whom we may disclose their personal information. In the Application we seek the customer’s declaration that they have read and understood the Privacy Disclosure Statement. The Opt Out clause gives the customer the opportunity to request to Opt Out of any future direct marketing campaigns that do not relate to the primary purpose for which they have provided their personal information.

COMPLIANCE REGISTER

We have amended our Compliance Register to incorporate reference to Privacy and these are available from Regional Offices. The reprinted versions should continue to be used by you to record any general enquiries from customers. It should be used to record requests from customers to change personal information, requests to view their files and requests to Opt Out. It is important that you forward any such requests on to TOWER, in writing, as a priority. A specific form has been developed for requests to access data and this will be available from the Customer Service Centre and on our website.

QUESTIONS & ANSWERS

Following the adviser seminars that TOWER held with Deloitte during October, we asked them to review the most frequently asked questions for us, as these may still provide answers to issues you have.

  1. What do I need to do before I buy or sell a register or list before or after 21 December 2001?

    A: If you acquire or sell a list or register prior to 21 December 2001, there is no change to existing industry practices. However, after December 21 2001, as a general rule, an advisor should:
    1. Let the clients on the register know of the proposed change of advisors before he or she sells the register. The vendor should provide clients on the register with a reasonable time frame and opportunity to communicate any issues to the vendor about their personal information being disclosed to the new advisor.
    2. If acquiring a register, you should check that the vendor has undertaken the step outlined above and evaluate the process undertaken and the results obtained.
  2. As an advisor, am I subject to the new amended Privacy law?

    A: Generally, advisors are likely to be subject to the Act. This is because advisors frequently collect and store personal information such as when assisting clients to obtain life cover or when facilitating clients’ claims.

    In the event that an advisor business does not handle personal information AND their business has an annual turnover less than $3m, the advisor may be excluded from the Act in the 12 months up to 21 December 2002.
  3. Is claims information exempt?

    A: No. Claims information is generally subject to the new privacy legislation. This means that clients may be able to ask to see information retained by advisors about a claim.

    It also means that advisors need to take care to whom they release claims information, and how they store and dispose of claims information. Particular care needs to be taken with the health related information included in a claim.
  4. Are there fines involved?

    A: Yes, there are fines in the existing privacy legislation for certain breaches. However, a more likely ‘penalty’ is the loss of or damage to an advisor’s reputation in the event of a breach of your client’s privacy being publicised.
  5. Can I review my agent file?

    A: Generally yes. There will be some situations, however, when this may not be possible.
  6. What client records do I need to keep and what happens when a client requests their file?

    A: Generally, an advisor can maintain client records reasonably necessary for the advisor to deliver the services or product requested. For example, this means that, after 21 December 2001, advisors must be cautious of the extent of personal information they collect and its relevance to the provision of a product or service.

    An advisor must generally provide a client with access to the information held on the client. A reasonable fee can be charged to the client as long as it is not excessive. Advisors are obliged to ensure they check the clients’ identity prior to releasing the client file to them. There are a number of exceptions to this ‘access’ requirement - some key ones being that access is not available to clients:

    • if providing access would prejudice an investigation of possible unlawful activity; or
    • where the advisor will incur unreasonable administrative burden or expense to provide access.

More information is available at http://www.privacy.gov.au/publications/IS4_01.doc.

The questions and answers outlined above have been prepared as a general guide to some of the issues that may arise from the amended Commonwealth Privacy Act and should not be viewed as a substitute for a detailed understanding of the Privacy Act and the supporting guidelines and fact sheets located at http://www.privacy.gov.au/business/index.html. In addition, the questions and answers above are not intended as comprehensive advice on Australian privacy legislation, and readers should consult their own professional advisors in relation to their own specific circumstances prior to taking actions. Neither any member of the Tower Group nor Deloitte Touche Tohmatsu shall be liable for decisions or actions whatsoever taken as a result of using the information outlined above.

WHAT DO YOU NEED TO DO NOW?

The changes should prompt an audit of business practices to ensure processes comply with the Act. Consider how information is collected, who has access and how the information is stored and distributed. You will need to understand the type of information you collect and develop a Privacy Policy. You will need to ensure documents have been amended to reflect the consent that will be required to collect personal information. At the seminars held in each State we received positive feedback from attendees as to what they will all do differently. And as you will read, this is along the lines of what was stated above in the actions you need to take.

  • ‘Clean up old records/be less inclusive of ‘opinions’ in future’
  • ‘More attention to file notes’
  • ‘Written consent by client, more security’
  • ‘Disclosure purpose of data collected’
  • ‘Create firewall for computer system’
  • ‘Become Data Privacy Management compliant and update processes’
  • ‘Be vigilant in protecting my customers’ information’
  • ‘Implement a privacy strategy on our database’
  • ‘Advise customers about privacy registers and how we will handle them’
  • ‘Better inform clients of my processes’
  • ‘Educate other staff members in my office’

The information on this website is for Australian residents only and is subject to change. It is general information and does not take into account your financial objectives, circumstances or needs. You should not rely solely on this information to make a decision. TAL strongly recommends that you read the relevant Product Disclosure Statement (available from TAL) and you seek professional advice based on your personal requirements before deciding whether the product or service is suitable for you. To the extent permissible by law, TAL specifically disclaims any liability that may arise for any direct, indirect, incidental, consequential or special damages that may arise from the access to or use of this website. No liability is accepted by TAL for errors and omissions or for loss or damage suffered as a result of reliance on any information or document available on this website.

© TAL Life Limited ABN 70 050 109 450, AFSL 237848