Legal Know-How

Privacy reform alert - mandatory data breach notification may soon become a reality

27/3/2014

First of all, some definitions.  Personal information is, in essence, information that identifies a person or could reasonably identify a person; data breach means unauthorised access to, or disclosure of, personal information; and serious data breach means a data breach where there is a real risk of serious harm (including reputational, economic and financial harm) to the affected individual.

We will all agree that a data breach, especially if it is serious, can have a severe adverse impact on the individuals whose personal information has been compromised.  For example, the affected individual can be exposed to the risk of fraud and identity theft.  Prompt notifications will allow individuals to take action to protect themselves.

Data breach notification has been in the spotlight for some years now.  Those of us who have been following Australia’s privacy reforms will recall that in its 2008 privacy report, the Australian Law Reform Commission (ALRC) noted that there was an increasing risk that the huge volume of personal information collected by government agencies and large corporations could become subject to data breaches.  At the time, the ALRC already recommended mandatory data breach reporting.

Late last week, we saw the Privacy Amendment (Privacy Alerts) Bill 2014 being re-introduced into the Federal Parliament (on 20 March 2014).  The Second Reading Speech pointed out that the re-introduction of this Bill is the next key step in the major reform of Australia's privacy laws.  The Bill provides that when a government agency or an organisation has suffered a serious data breach, it must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).

Currently, there is no requirement for agencies and organisations to notify affected individuals or the OAIC when they have suffered a data breach.  The OAIC has voluntary guidelines encouraging notification, but is concerned that many data breaches remain unreported.  It is intended that the Bill, when it becomes law, will see the long overdue measure recommended by the ALRC go live, close the gap in Australia's privacy laws and position Australia as a global leader in privacy protection.

This post first appeared on CPD Interactive's "Legal Natter's Blog".

We can help you understand the Privacy Act (by way of privacy training, for example) and, importantly, we can provide you with a privacy policy and privacy compliance plan tailored to your needs and in compliance with the law - just contact us for assistance.

The most significant development in privacy reform since 1988 is about to go live

6/3/2014

We all know that the Privacy Act is the law which regulates the handling of personal information about individuals.  But do you know that the most significant development in privacy law reform since the Privacy Act was first introduced in 1988 is about to commence?

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 is a part of the privacy law reform process that began in 2004.  It introduces many significant changes to the Privacy Act which will commence shortly on 12 March 2014.  The Australian Privacy Principles (often abbreviated to the “APPs”) take centre stage in the reform, and they replace the National Privacy Principles and Information Privacy Principles.  Many of the APPs are different from the existing principles, including the APPs relating to use of personal information for direct marketing and cross-border disclosure of personal information.

A new mandatory Credit Reporting Code of Conduct will also take effect on 12 March.  The Code operates alongside the Privacy Act, and it regulates the exchange of information between “credit providers” and “credit reporting bodies”.  “Credit providers” and “credit reporting bodies” both have special meaning as defined by the Privacy Act.

The first step to Privacy Act compliance is to understand the APPs.  The Office of the Australian Information Commissioner (OAIC) has issued APP guidelines, and both the APPs and the APP guidelines are available on the OAIC’s website.  Sound APP knowledge is essential to lawyers regardless of which area they practise in.  This is because not only are they often required to advise clients on privacy matters, but they themselves will often also need to comply with privacy legislation.

This post first appeared on CPD Interactive's "Legal Natter's Blog".

We can help you understand the APPs (by way of privacy training, for example) and, importantly, we can provide you with a privacy policy and privacy compliance plan tailored to your needs and in compliance with the law - just contact us for assistance.

No-action letters and why you should read ASIC's latest report on relief applications

30/1/2014

On 28 January 2014, ASIC announced that it has released a report (REP382) outlining decisions on relief applications between June and September 2013 from provisions of the Corporations Act 2001 (Cth), National Consumer Credit Protection Act 2009 (Cth) or the National Consumer Credit Protection (Transitional and Consequential Provisions) Act 2009 (Cth). Among other things, the report contains examples of situations where ASIC has provided no-action letters.

A no-action letter states to the applicant that ASIC does not intend to take regulatory action over a particular state of affairs or particular conduct. It is not a legal opinion and it does not constitute legal advice, and, importantly, it can be withdrawn at any time. While a no-action letter is not a guarantee that ASIC will not take regulatory action in the future, it does provide some comfort and a degree of certainty that ASIC is not expecting to take regulatory action in relation to the state of affairs or conduct in question.

ASIC's Regulatory Guide 108 (RG108) is the "go to" guide for those who wish to apply to ASIC for a no-action letter. It explains how to make an application and sets out the factors ASIC considers when dealing with a request for a no-action letter (such as that the contravention was due to inadvertence and that the adverse effects on third parties are minimal).

In REP382, under the heading "credit licensing", ASIC reported that it has provided a no-action letter in relation to the potential contravention for engaging in credit activities outside credit licence authorisation. ASIC also reported that it has provided a no-action letter for early debit or payment of interest charges under a credit contract. For both scenarios, ASIC explained its reasons for providing a no-action letter.

If you experienced an unintended contravention of the relevant legislation as a result of conduct that is not inconsistent with the spirit and policy of the legislation, and you wish to apply to ASIC for a no-action letter, carefully considering REP382 in conjunction with RG108 will certainly assist you in preparing your case and presenting it to ASIC.


Are you ready for 30 January, when the PPSA honeymoon period ends?

14/1/2014

The Personal Property Securities Act 2009 (Cth) (PPSA) created a new comprehensive national regime for personal property securities in Australia.  The definition of security interest under the PPSA covers interests ranging from “traditional” security interests such as fixed and floating charges over the assets of companies (now known as general security interests) to interests which were not considered security interests in the pre-PPSA era.  An example here would be retention of title arrangements.

Under the PPSA, transitional security interests (TSIs) are those created under a security agreement which was entered into before 30 January 2012.  TSIs enjoy a two-year honeymoon period where they are “temporarily perfected”, which means that a TSI maintains its pre-PPSA priority as against post-PPSA perfected security interests.  30 January 2014 marks the end of this honeymoon period, and secured parties who have TSIs should consider registering them on the Personal Property Securities Register (PPSR) before 30 January 2014 so as to preserve the priority of the TSI.  A number of fees apply to using the PPSR, but registration of a TSI does not attract any fee.  The Registrar gave examples of transactions which may have created TSIs.  They include leasing and hiring arrangements, retention of title supplies, and certain commercial consignment arrangements.

If you are a secured party with a TSI or your client falls under this description, now is the time to review the security interest in question and to take any necessary action to protect and preserve its priority.

This post first appeared on CPD Interactive's "Legal Natter's Blog".


FOFA kicks off in the new financial year

30/6/2013

FoFA reform – what is it?

The Australian Government has placed a great deal of information relating to the Future of Financial Advice (FoFA) reforms on a dedicated website. The Government stated that FoFA reforms focus on two things: firstly, improving the quality of financial advice, and secondly, expanding the availability of more affordable forms of advice. The ultimate goal of the reforms is to improve investor protection and instil confidence in the financial advice industry.

Overall benefits of FoFA

According to the Government, the overall benefits of the reforms for consumers are:

What - better quality advice
Why - consumers can trust that the advice they receive is not influenced by product commissions

What - a more competitive advice market
Why - greater fee transparency means advisers will have to compete for clients on cost

What - a reduction in product fees
Why - product manufacturers have to compete on cost as they cannot pay advisers to sell their products

What - greater availability of low-cost advice on single issues
How - through the expansion of scaled advice

What - less rogue advisers in the industry
Why - ASIC has greater powers to remove licensees and individual advisers from the industry

The “best interest duty” for retail clients starts 1 July 2013

The “best interest duty” is a key FoFA measure commencing on day one of the new 2013/14 financial year. Essentially, when providing advice to retail clients, financial advisers now have a statutory duty to act in the clients’ best interests and place the interests of the client ahead of their own interests. 

An SME can be a retail client

“Retail client” is defined in section 761G of the Corporations Act 2001 (Cth) and Chapter 7, Part 7.1, Division 2 of the Corporations Regulations 2001 (Cth). The statutory definition of “retail client” is not the easiest to understand, but the recent ASIC Regulatory Guide 139 (June 2013) provides some helpful commentary:

“RG 139.82 - The definition of retail client varies depending on whether the relevant financial product is a general insurance product, a superannuation product, a retirement savings account product (within the meaning of the Retirement Savings Accounts Act 1997), or any other type of financial product.

RG 139.83 A small business may be a retail client. A ‘small business’ is defined in s761G as a business employing fewer than (a) 100 people (if the business manufactures goods or includes the manufacture of goods); or (b) 20 people (otherwise).”

There are other criteria for an SME to qualify as a retail client. It is wise for SMEs to seek confirmation from their financial advisers regarding whether they are being treated as retail clients.

SMEs and FoFA

Many SMEs can expect to reap some benefits of FoFA reform. For example, the reforms should provide greater protection for SMEs who are consumers of financial products and services. These can include commercial lending products and business insurance products. But a potential downside of this is that the providers of financial advice have more compliance matters to deal with, so unless these providers choose to absorb any increase in costs due to regulatory compliance, such costs may well be passed on to the consumer of the advice.


Small business borrowers alert - ASIC on EDR schemes

20/6/2013

Are you a small business borrower? You should know about this new ASIC report on EDR schemes. The ASIC report was released on 13 June following public consultation which highlighted that:
  1. simpler and lower value small business lending disputes can be handled by the lender's external dispute resolution (EDR) schemes, but
  2. more complex and high value small business lending disputes are more appropriately addressed in court.

What is EDR? Basically it is an alternative to going to court. Using ASIC's own definition, an EDR scheme is a free, independent dispute resolution service that can help borrowers if they have a complaint or dispute with one of its members (for example, a credit provider or broker), or if borrowers are having difficulties repaying their loan. It should be noted here that, before an EDR scheme can consider a complaint or dispute, (using the above example) the credit provider or broker must be given an opportunity to resolve the dispute with the borrower directly.

The new ASIC report, together with updated regulatory guidance, refined the rules for access to EDR schemes for small business borrowers. Here are the key points of ASIC's release (extracted from ASIC's website):
  1. Small business borrowers will continue to be able to take disputes with their lender to the lender's EDR scheme.
  2. Even where the lender has already commenced court proceedings against them, if the credit contract is $2 million or less, the small business borrower will continue to be able to take the matter to the EDR scheme.
  3. Where the loan exceeds $2 million and the lender has already commenced proceedings in a court, the small business borrower will not have access to EDR. This restriction commences from 1 January 2014.

It is wise to have some knowledge of how EDR schemes work. Click here to read more about EDR schemes and here to read more about ASIC's latest release.


Read the PPS Act for free - and why you may want to try this

17/6/2013

Do you know you can access a free copy of the PPS Act online? Today, the Australian Government’s ComLaw released the latest PPS Act as amended, taking into account amendments up to Federal Circuit Court of Australia (Consequential Amendments) Act 2013 (which is an Act devoted largely to the renaming of “Federal Magistrates Court” to “Federal Circuit Court”).

You can access the updated PPS Act here.

You may be thinking "why would I want to read the PPS Act?" Whether you are a lawyer or not, if you want to understand some popular PPS terms (for example, the definition of "security interest"), find a summary of key PPS concepts (for example, what “registration” really entails), or find examples to aid your understanding of the law, a quick search of the Act may just give you the answer you want. Here are some tips to get you started:
  1. look at section 10 for definitions, 
  2. go to the beginning of each part of the Act for a guide to that part (usually in the form of a summary), or
  3. search the word "example" to locate various examples provided by the drafters of the legislation (for example, in section 3 there are examples of what the term "personal property" includes).

The PPS Act is not a simple piece of legislation to master, but some PPS answers are easier to find than others. For in-depth PPS analysis or expert legal advice, definitely consult an expert!  (And Legal Know-How can help you.)


The new privacy legislation is coming

4/3/2013

The Office of the Australian Information Commissioner (OAIC) has advised Government agencies and businesses to start preparing now for the changes to the Privacy Act. But these changes will not commence till March 2014, so why do you need to prepare a full year in advance? This is simply because the changes are extensive. A few of them are highlighted below.

APPs replace IPPs and NPPs

Currently, the Information Privacy Principles (IPPs) apply to the public sector and the National Privacy Principles (NPPs) apply to the private sector. From March 2014, a new set of privacy principles called the Australian Privacy Principles (APPs) will replace both the IPPs and the NPPs.

Of the 13 new APPs, some are significantly different from the existing principles. The OAIC gave these three examples on its privacy law reform page:
  1. APP 1 on the open and transparent management of personal information;
  2. APP 7 on the use and disclosure of personal information for direct marketing, and 
  3. APP 8 on cross-border disclosure of personal information.

The Commissioner has more power

The Commissioner will have the ability to accept enforceable undertakings and seek civil penalties in the case of serious or repeated breaches of privacy.

Changes to credit reporting laws

There will be many changes to credit reporting laws, including the introduction of more comprehensive credit reporting.

So it is time to review, and amend as necessary, templates such as collection notices, privacy clauses and confidentiality clauses, and policies and procedures such as those relating to cross-border data flow.


PPS milestone - the new regime turns one today

30/1/2013

Exactly one year ago, on 30 January 2012, Australia’s new Personal Property Securities (PPS) regime commenced. On the same day, the PPS Register began its life as a national, 24/7, online noticeboard for the recording of security interests in personal property.

The far-reaching PPS reform was welcomed by most, especially those who take a longer term view, focusing on cost savings and other business benefits. In 2012, the Productivity Commission assessed the reform as follows:
  1. It is estimated that PPS reform will involve one-off transition costs to businesses of around $150 million, but will then reduce business costs by around $70 million per year. That is, it will take less than three years for net benefits to exceed transition costs for businesses.
  2. It is estimated the net one-off transition cost to the Commonwealth Government was $55 million. However, the new national system is expected to result in a net cost saving across all governments of around $1 million per year in total.
  3. It is noted that PPS reform creates the necessary infrastructure for businesses to develop new financial products that cover a wider range of personal property. This may in turn reduce the cost of finance to small and medium sized businesses - a further prospective benefit of the reform.

It remains to be seen whether the Productivity Commission’s assessment is accurate.


© 2014 Karen Lee | Legal Know-How
All rights reserved