Privacy Law Q&A Featuring Ashleigh Ooi
What are some common privacy compliance risks that organisations face?
A fair amount of an organisation’s risk in the privacy space comes from a lack of understanding of what its privacy obligations are – and also, crucially, a lack of understanding as to what personal information it collects, how it uses that information, where and for how long it stores that information, and who it shares that information with.
Privacy literacy at all levels of an organisation is key to compliance. This includes key decision makers as well as the people who are collecting and using personal information on the ground. Training, policies and technical safeguards should be in place to ensure that all personnel who deal with information understand their organisation’s legal obligations regarding that information, and aren’t able to access, use or share information other than as needed to perform their role.
It is important to remember that any privacy compliance measures that are put in place will only be effective if they accurately reflect the information an organisation collects, how it uses that information, and who/where it is disclosed to.
Risks can also arise where organisations share personal information with third party service providers. In addition to the practical risks in trusting outside service providers with company data, Privacy Act obligations might be triggered by the disclosure of information to third parties.
How can staying informed about Privacy Law and emerging issues, such as AI, give an organisation a competitive edge?
Taking a proactive approach to privacy compliance can bring downstream cost savings, as it is typically more expensive to implement measures reactively – it is certainly much more expensive and stressful to do so in response to a complaint or regulatory investigation!
Staying informed about upcoming changes is also valuable if an organisation is investing in a new business tool or service that is heavily data driven. A savvy organisation might look to build in technical features or contractual terms now that anticipate future legal requirements, to give it a competitive advantage should those requirements come into force.
Organisations that are looking for outside investment or acquisition, or are simply wanting to maintain a positive reputation in the market, might also find that investors, purchasers and customers alike are increasingly keen to scrutinise data handling practices and privacy compliance measures. Plugging any gaps now can mitigate the risk of privacy concerns holding up future business opportunities.
How do you foresee AI impacting Privacy Law in the near future, and what should organisations do to prepare for these changes?
For now, we’re not likely to see any AI-specific privacy laws, as the Privacy Commissioner and Government have taken the view that the use of AI can be appropriately regulated under existing privacy laws. While AI laws have been enacted overseas, many of these deal with the design and delivery of AI models and applications, rather than the use of those models and applications by customers.
Despite the lack of specific legal requirements, the Privacy Act will be triggered by the use of AI tools in almost every case, and all organisations should be assessing how those tools impact their privacy compliance. This might include carefully reviewing the terms of use for those tools, and ensuring that there are policies, technical safeguards and (if required) training in place to ensure personnel understand how to use those tools (and the information generated from them) in a privacy-compliant manner.
In many respects, the considerations that apply to the use of AI are the same as those that apply to the use of any technology. However, there are some unique features of AI tools (specifically, generative AI tools) that give rise to new or increased privacy risks. So, while the law may not be changing any time soon, if an organisation is using AI then its privacy risk profile has likely already changed, and a fresh assessment of data handling practices against Privacy Act obligations would be worthwhile.
Disclaimer: The statements, analyses, opinions and conclusions in Legalwise Insights are those of the respective authors and not of Legalwise Seminars Pty Ltd which acts only in the capacity as editorial co-ordinator of the content in Legalwise Insights. No part of any article can be regarded as legal or financial advice. Although all care has been taken in the preparation of all articles, readers must not alter their position or refrain from doing so in reliance on any information contained therein. Neither the respective authors nor Legalwise Seminars Pty Ltd accept or undertake any duty of care relating to any part of Legalwise Insights.
Liability limited by a scheme approved under the Professional Standards Legislation
Ashleigh is a senior commercial lawyer with expertise in data protection and cybersecurity. She has experience in both private practice and in-house roles, in New Zealand and the United Kingdom. Ashleigh regularly advises clients on the application and enforcement of the Privacy Act 2020 and related privacy codes, including the Health Information Privacy Code. In particular, she advises on the privacy implications of new products, services and commercial relationships, as well as more contentious matters such as data breaches, data subject access requests and complaints. Ashleigh's wider practice covers a broad range of commercial matters with a focus on technology, including SaaS/XaaS, IT outsourcing, media and telecommunications, intellectual property and consumer protection, and she also advises clients on the application of privacy law to each of these areas. Ashleigh works with a wide range of local and global clients, ranging from start-ups and SMEs to listed companies and government agencies. Her clients span multiple industry sectors including IT and software, financial services, media, construction and manufacturing, health services and FMCG.