Presentation by Anna Johnston of Salinger Privacy to ARDC's 'GDPR and NDB scheme: Intersection with the Australian research sector' webinar on 13 September 2018

1. The Privacy Law Landscape:
Issues for the research community
ARDC webinar
13 September 2018
Presentation by Anna Johnston
www.salingerprivacy.com.au

2. This webinar
• the regulatory landscape for researchers
• common privacy issues for researchers:
consent and de-identification
• new developments: GDPR and notifiable
data breaches
• what’s coming next

3. Use & disclosure for research

4. APP 6
APP 6 allows use or disclosure of personal
information if it is …
• for the primary purpose of collection
• for a directly related secondary purpose within
reasonable expectations, or
• required/authorised by another law, or
• with consent, or
• under a public interest exemption – e.g. law
enforcement, or research.

5. Defining de-identification
GDPR test:
• Recital 26 says the GDPR does not apply to anonymous data
• Anonymous data means data “which does not relate to an
identified or identifiable natural person”, or “personal data
rendered anonymous in such a manner that the data subject
is… no longer identifiable”
Australian test:
• Law says “personal information is de-identified if the
information is no longer about an identifiable individual or an
individual who is reasonably identifiable”
• So ‘de-identified’ data has a low risk, but not zero risk, of re-
identification. It is not necessarily ‘anonymous’ data.

6. Our approach
• To de-identify (or to anonymise or to
confidentialise) is to do something to data to try
and break the identifiability aspect
• De-identification is a set of processes /
methodologies, not a description of the end-state
• So ‘de-identified data’ means data to which a de-
identification process has been applied, but is not
necessarily a statement that the data is
‘anonymous’
• Anonymous data is very difficult to achieve

7. When deID is useful
• to make data perfectly ‘anonymous’ such that
privacy/data protection laws no longer apply at all
• as a tool to minimise data security risks (which in
turn lessens the need to notify data breaches)
• as a ‘Privacy by Design’ feature
• to enable processing for secondary purposes
• ‘legitimate interest’ test may be easier to meet
• research: ethics approval may require deID to
be at least attempted

8. Consent
To be valid under privacy law, ‘consent’ must
be voluntary, informed, specific, current, and
given by a person with capacity.
It must be proactive (opt-in). It must be as
easy to withdraw consent as to give it. It
cannot be a condition of doing business with
you.

9. When can we proceed in the
absence of consent?
When relying on a research exemption that says “it is
impracticable to seek consent” – e.g. Privacy Act
s.16B(3).
The fact that seeking consent is inconvenient or would
involve some effort or expense is not of itself sufficient to
warrant it impracticable.
It needs to be at least ‘very difficult’ to track down the
individuals.
Note: There are a number of additional hoops to jump
through for the research exemption.

10. New developments
• mandatory notification of data breaches
under the Privacy Act 1988 (Cth)
• the General Data Protection Regulation
(GDPR), a European privacy law with extra-
territorial reach into Australia

11. Data breach notification

12. Breach notification: scope
• All orgs holding TFNs : re TFNs
• Credit providers and credit reporting
bodies : re credit info
• ‘APP entities’ : re personal information

13. APP entities
• Australian government agencies
• Businesses and non-profits with a
turnover of more than $3M pa
• Health service providers
• Contracted service providers to the
Commonwealth
• Orgs covered by AML-CTF rules

14. What is required
• data breach = loss, unauthorised
access, unauthorised disclosure
• ‘notifiable’ if ‘likely to result in serious
harm’ to 1+ individuals
• notification ASAP to OAIC and affected
individuals
• $2.1M fines for non-compliance

15. GDPR

16. (Don’t believe) the hype
• GDPR is a revolutionary new law
• we have to treat European citizens
differently
• argh, we need consent for everything!!
• oh yay, we can get consent via T&Cs!
• the right to erasure is going to ruin
everything

17. GDPR overview
• updated and harmonised privacy laws
in 28 EU Member States
• significant penalties €20M or 4%
• extended reach outside Europe: if you
offer goods or services (including free
services) to, or monitor the behaviour of,
people in the EU

18. GDPR rules
• 7 Data Protection Principles
• 7 Data Subject Rights
• 6 Lawful grounds for processing (one
of which is consent)
• PIAs, Privacy by Design, data breach
notification

19. Research under the GDPR
• Data can be ‘processed’ for research if it is
anonymous data, or on the basis of consent.
• For data processed under one of the other five lawful
grounds, “compatible purposes” will also be allowed,
including research in the public interest.
• Anonymisation or pseudonymisation should be the
default for protecting privacy during research.
• ‘Right to erasure’ does not apply to research data.
• ‘Right to object’ applies to research unless public
interest proven.

20. The next big thing(s)
• Data Sharing & Release Bill
• National Data Custodian Commissioner
• Consumer Data Right (data portability)

21. Tools to assist
The Salinger Privacy Comprehensive Compliance Kit includes:
• eBooks including Demystifying De-identification
• Online privacy awareness training & advanced modules
• The Privacy Officer’s Handbook
• Checklists such as 10 Steps Towards GDPR Compliance
• Template privacy-related policies & procedures (to meet both AU
and EU requirements) including:
– Privacy Policy
– Data Breach Response Plan
– Collection notices, Consent forms, Contract clauses
– PIA Framework & Questionnaire
www.salingerprivacy.com.au/compliancekits

22. Thank you
Anna Johnston
Director Salinger Privacy
We know privacy inside out.
We consult, train, publish, blog and tweet on all things privacy.
Find out more or sign up for our email newsletter at
www.salingerprivacy.com.au