New privacy rules to bite wraps and aggregators

Fund managers and account aggregators should brace themselves. The new Privacy Principles, which come into effect on December 21, will increase both their legal obligations and their costs.

As well, companies will need to critically review their relationships with their contractors to ensure compliance, including rewriting contracts to insert specific privacy clauses.

The Federal Privacy Commissioner, Malcolm Crompton, may have delivered the private sector an easier to understand set of guidelines last month, but he in no way diminished their effect.

And Australia's growing financial services sector, with its complex web of commercial and contractual relationships, is particularly exposed.

The problem for industry practitioners is that the National Privacy Principles (NPP) do not yet deal with specifics. However, where they touch upon the day-to-day minutiae of client management, third party relationships and electronic transactions, they impose binding obligations.

The lack of specifics is owed in part to the fact that when the NPP were first released, industry groups complained that they were too specific and too prescriptive. The guidelines released last month are much more general.

Underpinning these broader principles, however, are a set of information sheets which the Federal Privacy Commission is suggesting companies should use as a general guide in determining some of their more specific obligations.

A spokesperson for the Commission last week confirmed that more work remained to be done on the specifics of financial products, such as wrap accounts.

The Commission would be moving to deal with those specifics in due course and, in the interim, financial services companies needed to ensure maximum compliance by December 21.

"We intend working with the industry to deal with the specifics as we move forward, but until then, we're expecting compliance with the broader principles," the spokesperson says.

The Commission would seek to adopt a facilitative approach, but where complaints were received, the Commission would act.

However, the Commission would be charting new territory if its policing of the principles led to significant litigation or the exacting of heavy fines.

The Commission spokesperson says that, to date, most privacy breaches had been handled via a disputes resolution process based on conciliation and only two complaints had ever required formal determination.

In coming to terms with their specific obligations under the NPPs, companies will need to be conscious of the role the Commission has already played in broader regulatory policy development.

When the Australian Securities and Investments Commission (ASIC) earlier this year released its cautionary paper on the use of account aggregators, it relied on the help of the Privacy Commission in developing its approach.

Thus, there is likely to be a dovetailing of the NPPs and the approach ultimately adopted by ASIC.

To date, however, there has been much more work done by the Commission with respect to account aggregators than on wrap accounts. As a result, the Commission's information papers speak much more clearly of the obligations touching aggregators than wrap providers.

However, what everyone agrees upon is that the common denominator for all financial services players is that they will need to ensure the highest levels of information security by December 21, along with the drafting of some tight legal disclaimers.

According to Deloittes partner Mark Sercombe, the NPPs represent a particular challenge to those providing account aggregation services and fund managers dealing with wrap accounts and other similar products.

He believes that one of the first and most obvious manifestations of the NPPs will be the inclusion of lengthy disclaimer clauses within documents provided to clients.

This would be particularly the case for those offering account aggregation services who would need to make clear to clients that their services, by definition, involved access to third parties.

"Aggregators need to ensure that their clients understand and have permitted their activities. They want to avoid any come backs if something is perceived to have gone wrong," Sercombe says.

He acknowledges, however, that the implementation of the NPPs were likely to raise points of conflict between aggregators and third parties such as banks. This was because the banks were required to keep data secure and, by definition, aggregators were accessing that data, albeit with the client's permission.

"But from the point of view of the aggregator, privacy and trust are everything," Sercombe says.

"If an aggregator is perceived as not being trustworthy, then he has lost the fundamental underpinning of his business."

Sercombe says Deloittes have been urging a cautious approach to their clients in the financial services sector with a watch and wait approach.

"We're making it clear that they need to be ready and to ensure that their clients' information is protected, but we're also urging them to gauge the approach of the Privacy Commissioner post-December 21," he says.

The Privacy Commissioner, Peter Crompton, has been doing the rounds of business organisations and industry groups ensuring they understand the Commission's approach, and has made clear the Commission will be adopting a facilitative approach.

But as a starting point, companies will need to understand the basics with respect to securing client information and data security, with the Commission making clear that all reasonable steps need to be taken to ensure data security.

And, in a clear-cut reference to the costs associated with compliance, the Commission says with respect to the security of personal information that: "The cost of any security systems also need to be considered in relation to the risks faced by the organisation."

"In the case of an organisation holding non-sensitive information, with a low level of unauthorised access and little likelihood of serious consequences to the individual, then basic security measures may well be adequate," it says.

"However, for a large organisation with vast amounts of personal information and the risk of significant detriment from improper access, higher levels of security could be expected.”

Although the level of specific work carried out by the Commission with respect to wrap accounts appears at this point to be limited, there is at least some guidance provided by its information sheet dealing with contractors.

This is because in dealing with contractors, the Commission makes the point that: "if a business handles personal information under a contract with an organisation it may, in some circumstances, be regarded as either collecting or disclosing personal information for a benefit, service or advantage and so fall within the definition of an organisation."

The Commission goes on to say that where an organisation and a contractor are separate entities under the Privacy Act, an organisation that gives personal information to a contractor is disclosing information and the contractor is collecting the information.

In practical terms, this means that the organisation may need to have clauses in the contract for the protection of personal information the organisation discloses to the contractor, in order to meet its obligations under the NPPs.

The managers of wrap accounts also need to be conscious of the NPPs as they apply to trans-border data flows, with the Commission stating that: "an organisation that contracts out functions and activities involving disclosure of personal information to an organisation overseas would need to ensure it complies with National Privacy Principle Number 9 before it transfers the information."

Getting the individual's consent to the transfer is one option under NPP 9. Another option would be to include in the contract provisions that give the personal information protection similar to those the person would have under the NPPs if the information were in Australia.

The lack of too many specifics about the status of wrap accounts was reflected in the response of BT Funds Management, which said it was still working its way through the new guidelines but hadn't finalised its position.

"What we can say, however, is that nothing has jumped out at us," a spokesperson says.

As the Australian finance industry sets about getting its house in order for the NPP implementation deadline of December 21, there are a couple of issues worth considering.

The first is that the industry is currently held in reasonably high regard by Australians where the protection of privacy is concerned. The finance industry currently rates second behind government institutions in terms of public trust and respect.

The second thing to consider is that the survey revealed finance/insurance and health/education as being most concerned about the impact of a breach of customer privacy on their organisation's public profile and customer relations.

About 90 per cent of respondents in each of these two industry groups stated that the success of their business was highly dependent on their ability to protect and responsibly use their customers' personal information.

It seems that the finance industry knows it has a vested interest in getting the privacy settings right.