WPP AUNZ Policy Book

Our Data Code of Conduct states:

“WPP AUNZ, its companies and its people are committed to responsible collection, management, use and protection of data.”

How you use data and personal information not only reflects on you as an individual but also on us as an organisation. This policy applies to all employees, freelancers and contractors of WPP AUNZ who handle data and personal information or use WPP AUNZ’s information systems.

18E1 What is Personal information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. It includes names, addresses, telephone numbers, email addresses (including work email addresses), tax file numbers and other such identifiers. This definition is consistent with international standards and precedents. In Australia, personal information is protected by the Privacy Act 1988 (Cth); in New Zealand, by the Privacy Act 1993 (NZ).

Information does not have to be explicitly recognised as personal information to constitute personal information under either Privacy Act. The types of information that are personal information are unlimited and can vary widely.

The sources of personal information also vary considerably and include:

  • email and attachments;
  • databases and/or online systems containing personal information, social media or other mass communication tools, etc;
  • websites – online employee directories, online survey data collection, etc;
  • CCTV and physical access to sites – data stored on electronic key cards, location tracking, etc;
  • paper documents – employee and client contracts, letters, memos, reports, etc; and
  • photographs – office badges, security passes, employee records, etc.

Also, be aware that some client contracts may include a definition of personal information relating to that client that is broader than the legal definition and WPP AUNZ Group Companies (“Group Companies”) must work closely with clients to ensure that personal information is handled and protected in a way that is consistent with the contract.

18E2 What is Data Privacy?

Data Privacy is:

  • the protection of personal information – restricted access to, and security of, the data;
  • the expectation that personal information collected and transmitted will be protected and used only in ways that local and regional laws allow;
  • a system of reasonable processes to prevent the release, use of or access to personal information without a lawful basis (usually, but not always, the individual’s consent); and
  • a balancing act between sharing information and protecting individuals’ information and identities.

In Australia there is also a range of laws, other than the Privacy Act, at the Federal and State/Territory level dealing with data protection:

  • State and Territory privacy legislation, which regulates personal information held by government agencies and by private sector contractors to government agencies;
  • the Spam Act 2003 (Cth), which regulates the sending of unsolicited commercial electronic messages, including emails and SMS;
  • the Do Not Call Register Act 2006 (Cth), which regulates unsolicited commercial calls to telephone numbers listed on the national Do Not Call Register;
  • telecommunications laws, at both the federal and state/territory level, dealing with interception, the use of listening devices, and workplace and other unauthorised video surveillance; and
  • criminal laws, at both the federal and state/territory level, dealing with unauthorised access to computer systems.

2.1 Why is it important?

Legal compliance – We need to comply with applicable privacy and data protection laws, regulations and treaties (“Applicable Laws”). A Group Company cannot treat itself as compliant because it complies in one region while doing business non-compliantly in another. If we are found not to have complied with Applicable Laws, the consequences for WPP AUNZ and WPP can be serious, including harm to our reputation and financial penalties.

Clients – More multi-national clients are including data protection and privacy terms and requirements in the contracts we sign. Our Group Companies need to understand what these terms mean and how they affect our existing technology infrastructure. We also need to understand the implications of these terms when proposing new research techniques, marketing, digital applications or other products to clients that involve personal information.

Consumers – We need to make sure that we always communicate with consumers in an appropriate manner. What is appropriate will vary by country and you should be aware of the legal requirements where you do business. “Appropriate” may mean informing consumers in a timely manner where their information is stored, who can access it and how it is used. Group Companies should communicate with consumers transparently. In some cases Applicable Laws may require Group Companies to obtain specific types of consent from consumers and it is the responsibility of each Group Company to ensure it can comply with its legal obligations.

Data Management – To run our Group Companies more efficiently, we are consolidating greater amounts of personal information on behalf of our employees (e.g. centralised HR systems) and our clients (e.g. access to customer relationship management systems and/or consumer data collected for direct marketing, call centres or market research). This means that data privacy is more relevant than ever to our Group Companies.

18E3 Policy and Awareness

3.1 Australia

Group Companies should implement fair and reasonable privacy policies and procedures in accordance with the Australian Privacy Principles under the Privacy Act, and act on them. There are 13 Australian Privacy Principles (“APPs”). A good privacy policy explains to the public what the Group Company actually does in respect of each principle, rather than simply restating the principle; each Group Company should check its own Privacy Policy against the list below. The APPs are:

APP 1 — Open and transparent management of personal information- Ensures that companies manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

APP 2 — Anonymity and pseudonymity- Requires companies to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

APP 3 — Collection of solicited personal information- Outlines when a company can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.

APP 4 — Dealing with unsolicited personal information- Outlines how companies must deal with unsolicited personal information.

APP 5 — Notification of the collection of personal information- Outlines when and in what circumstances a company that collects personal information must notify an individual of certain matters.

APP 6 — Use or disclosure of personal information- Outlines the circumstances in which a company may use or disclose the personal information it holds. Generally this is limited to the purpose for which the information was collected, or a related purpose the individual would reasonably expect, unless the individual consents or another exception applies.

APP 7 — Direct marketing- An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

APP 8 — Cross-border disclosure of personal information- Outlines the steps a company must take to protect personal information before it is disclosed overseas.

APP 9 — Adoption, use or disclosure of government related identifiers- Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

APP 10 — Quality of personal information- A company must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 — Security of personal information- A company must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 — Access to personal information- Outlines a company’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

APP 13 — Correction of personal information- Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
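APP 2 and APP 11 refer to pseudonymity and de-identification without saying how it is done in practice. The Python below is an added example, not part of the policy and not WPP’s own tooling, of pseudonymising the direct identifiers in a record with a keyed HMAC, and of why an unkeyed hash of an email address or phone number is not de-identification (anyone with a guess list can reverse it). The sample records, the field list and the key handling are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; not real people.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "Ada@Example.com",
     "phone": "+61 400 000 001", "city": "Sydney", "spend": 120},
    {"name": "Bob Example", "email": "bob@example.com",
     "phone": "+61 400 000 002", "city": "Auckland", "spend": 80},
]

# Assumption: these are the fields treated as direct identifiers in this dataset.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def new_key() -> bytes:
    """Generate a 256-bit pseudonymisation key. Store it in a secrets manager,
    separately from the data; whoever holds it can re-link the tokens."""
    return secrets.token_bytes(32)


def normalise(value: str) -> str:
    """Canonicalise before hashing so 'Ada@Example.com' and 'ada@example.com'
    map to the same token (needed if tokens are used to join datasets)."""
    return " ".join(value.split()).lower()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: consistent for the same input and key,
    and not reversible or guessable without the key."""
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def deidentify(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with each direct identifier replaced by
    its token; non-identifying fields (city, spend) are left as they are."""
    out = []
    for rec in records:
        clean = dict(rec)
        for field in fields:
            if field in clean:
                clean[field] = pseudonymise(clean[field], key)
        out.append(clean)
    return out


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, shown here only to demonstrate the weak approach."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates) -> "str | None":
    """Recover a plain-hashed value from a guess list: email addresses and
    phone numbers have small enough search spaces that this succeeds."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    key = new_key()
    for rec in deidentify(SAMPLE_RECORDS, key):
        print(rec)
    guesses = ["x@example.com", "ada@example.com"]
    print("plain hash reversed:", dictionary_attack(unkeyed_hash("ada@example.com"), guesses))
    print("HMAC token reversed:", dictionary_attack(pseudonymise("ada@example.com", key), guesses))
```

Two caveats matter in practice. The output is pseudonymised, not anonymised: while the key exists and can re-link the tokens, the dataset is still personal information for whoever holds the key, so the key must be kept apart from the data and destroyed when re-linking is no longer needed. And removing direct identifiers does not by itself prevent re-identification from the remaining fields (a rare city and an exact spend can still single someone out), so the indirect fields need the same review.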

You can find a training webinar on the obligations under the APP’s at:
https://www.oaic.gov.au/agencies-and-organisations/training-resources/introduction-to-the-apps-and-the-oaic-s-regulatory-approach

You can also find guidance on building a privacy policy at:
https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-developing-an-app-privacy-policy

3.2 New Zealand

Group Companies should implement fair and reasonable privacy policies and procedures in accordance with the information privacy principles under the New Zealand Privacy Act 1993 (NZ) (“NZ Privacy Act”), and act on them. There are 12 information privacy principles (“Principles”). As in Australia, a Group Company’s privacy policy should explain what the Group Company does in respect of each Principle rather than just restate it; each Group Company should check its own Privacy Policy against the list below. The Principles are:

Principles 1 to 4 govern the collection of personal information: the purposes for which it may be collected, the sources it may be collected from, and the manner in which it is collected.

Principle 5 governs the way personal information is stored. It is designed to protect personal information from loss and from unauthorised access, use, modification or disclosure.

Principle 6 gives individuals the right to access information about themselves.

Principle 7 gives individuals the right to request correction of information about themselves.

Principles 8 to 11 place restrictions on how agencies may use or disclose personal information. These include checking that information is accurate and up to date before it is used, not keeping it for longer than it is needed, using it only for the purpose for which it was obtained, and not disclosing it improperly.

Principle 12 governs how “unique identifiers” – such as IRD numbers, bank client numbers, driver’s licence and passport numbers – may be assigned and used.

You can find help to plan how you will comply with the information privacy principles at:
https://privacy.org.nz/privacy-for-agencies/getting-started/

You can also find a privacy policy statement generator at:
https://privacy.org.nz/furtherresources/privacy-statement-generator/

18E4 Best practice guidance for Group Company privacy policies is:

  • Each Group Company should publish its privacy policy on its website at a stable URL, so that emails, contracts and other documents can incorporate it by reference to that link.
  • Generally speaking, have just one privacy policy for the Group Company, displayed on the Group Company website.
  • Group Company websites should also contain appropriate information and disclosures for website users and, where appropriate, seek consent from users of the website.
  • Group Companies should periodically check that their privacy policy is up to date and reflects what they actually do.
  • Group Companies should have a privacy officer who is contactable at least by email (and a deputy in case that person is unavailable) to answer queries and to handle requests for access to, and correction of, the personal information the Group Company holds.

A privacy policy is usually reached from a link at the bottom of the home page, next to the website’s terms and conditions of use. If you are responsible for a website (including on behalf of a client) you should ensure that you know which cookies and other tracking technologies operate on that website. A cookie (also called a web cookie, internet cookie, browser cookie, or simply cookie) is a small piece of data sent by a website and stored on the user’s computer by the user’s web browser while the user is browsing. Cookies were designed as a mechanism for websites to remember information (such as items added to the shopping cart in an online store) or to record the user’s browsing activity (including clicking particular buttons, logging in, or which pages were visited in the past). They can also be used to remember information that the user previously entered into form fields, such as names, addresses, passwords and credit card numbers. Storing data of that kind directly in a cookie is poor practice: a cookie should carry only an opaque identifier that the server maps to the user’s data. Even so, any cookie that identifies a user or device (a session or tracking identifier) is itself personal information, and the website’s privacy policy needs to disclose it along with any third-party cookies set through the site.
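As an added example of the cookie inventory that the paragraph above asks for (this is not part of the policy and not WPP’s own tooling), the Python below classifies the cookies a site sets from its Set-Cookie response headers: whether each is a session or persistent cookie, whether it is set for a third-party domain, and whether it is missing the Secure, HttpOnly and SameSite protections. The site host name and the four Set-Cookie headers are constructed for illustration.

```python
# Assumption: the site under review; used to decide whether a Domain attribute is third-party.
SITE_HOST = "www.example.com"

# Constructed Set-Cookie headers, as a browser would receive them from responses on the site.
SAMPLE_SET_COOKIE_HEADERS = [
    "sid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=lang%3Den; Path=/; Max-Age=31536000; Secure; SameSite=Lax",
    "_trk=u-778812; Domain=.tracker.example.net; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "cart=item42; Path=/shop",
]


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; flags such as Secure map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_third_party(domain_attr: str, site_host: str) -> bool:
    """A cookie is third-party when its Domain attribute is not the site host
    or one of its parent domains. No Domain attribute means host-only."""
    if not domain_attr:
        return False
    domain = domain_attr.lstrip(".").lower()
    host = site_host.lower()
    return not (host == domain or host.endswith("." + domain))


def classify(header: str, site_host: str) -> dict:
    """Describe one cookie for the privacy inventory and flag missing protections."""
    name, _value, attrs = parse_set_cookie(header)
    persistent = "max-age" in attrs or "expires" in attrs
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")      # sent over plain HTTP too
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")    # readable by page scripts
    if "samesite" not in attrs:
        findings.append("missing SameSite")    # sent on cross-site requests
    return {
        "name": name,
        "persistent": persistent,
        "lifetime": attrs.get("max-age") or attrs.get("expires") or "session",
        "third_party": is_third_party(attrs.get("domain", ""), site_host),
        "findings": findings,
    }


def inventory(headers, site_host: str = SITE_HOST):
    """Classify every Set-Cookie header observed for the site."""
    return [classify(h, site_host) for h in headers]


if __name__ == "__main__":
    for cookie in inventory(SAMPLE_SET_COOKIE_HEADERS):
        print(cookie)
```

Persistent and third-party cookies are the ones a privacy policy most needs to disclose, because they outlive the visit and share the user’s identifier with another party; the HttpOnly finding on a preference cookie that page scripts legitimately read is acceptable, but on a session cookie it is not. Cookies set by scripts at runtime (via document.cookie) do not appear in response headers and have to be collected from the browser as well.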

Clients will have their own privacy policies. In Australia these follow the same principles as are set out in the Privacy Act 1988 (Cth), tailored to the client’s own requirements in relation to the data it collects. There will usually be a clause in the client’s contract with us requiring compliance with either the client’s privacy policy or the Privacy Act in general. If the contract refers to the client’s privacy policy, you will need to read it before the contract is entered into so that you understand what obligations you are agreeing to abide by.

In relation to clients outside Australia and New Zealand, we must be aware of the Applicable Laws, including those relating to government contracts, and implement the required procedures. The Applicable Laws should be considered in contract reviews and in internal business processes and systems, and questions may need to be referred to a WPP AUNZ panel lawyer in the jurisdiction where the contract is being formed.

18E6 Security

Group Companies should have in place reasonable, appropriate controls to prevent unauthorised access to WPP AUNZ Group sites and systems.

Group Companies should comply with the WPP AUNZ Information Security Policy (“Information Security Policy”) and take reasonable and practical steps to ensure the confidentiality, integrity and availability of personal information. If you mishandle the personal information of your clients, it can cause them financial or reputational loss. In turn, this can lead to a loss of trust and considerable harm to the WPP AUNZ and WPP reputations. A significant breach may result in a loss of customers, business partners and revenue.

If personal information that is essential to a Group Company function or activity is lost or altered, it can have a serious impact on your ability to undertake business as usual. The benefits of applying personal information security to a Group Company business practice can include more efficient processes. It also reduces the risk of privacy breaches and the time and resources involved in addressing any breaches that do occur.

You should consider the following protections:

  • appropriate restriction and protection (including encryption) of personal information stored on mobile computing devices and media, including but not limited to laptops, BlackBerry devices, PDAs, memory sticks, CD-ROMs and mobile phones;
  • prevention of unauthorised remote and local access to systems storing personal information, documenting, where applicable, the use of firewalls, anti-virus software, patching and user account management;
  • prevention of unauthorised physical access to systems storing personal information, documenting, where applicable, the access controls for server rooms, HR and finance files, client files and physical site access; and
  • prevention of the transfer of personal information to unauthorised individuals or groups, including in client and intra-company data transfers, and especially in transfers of personal information across national borders.

In respect of transfers of personal information to:

    1. unauthorised individuals or groups – make sure that the policies on destruction and de-identification of personal information are followed;
    2. clients – your contract should have enforceable clauses covering compliance with the applicable Privacy Act, confidentiality, and procedures for complaint handling;
    3. other Group Companies (intra-company transfers) – make sure you are familiar with the approved methods for secure transfer of data, and liaise with IT for clearance and implementation of any associated file access.

In respect of transfers of personal information across national borders, your contract should contain enforceable clauses requiring the overseas recipient to handle the personal information in accordance with the applicable Privacy Act. Under APP 8 the Group Company generally remains accountable for how the overseas recipient handles the information, so these clauses need to be enforceable in practice and not just on paper. Such clauses may include:

    1. identification of the types of personal information to be disclosed and the purpose of the disclosure;
    2. an obligation on the overseas recipient to comply with the relevant Privacy Act in relation to the collection, use, disclosure, storage and destruction or de-identification of the personal information, and to impose an equivalent contractual obligation on any third party to whom it discloses the personal information (for example, a subcontractor);
    3. an obligation to maintain a complaint handling process for privacy complaints; and
    4. an obligation on the recipient to implement a data breach response plan that includes a mechanism for notifying the Group Company where there are reasonable grounds to suspect a data breach, and that sets out appropriate remedial action (based on the type of personal information handled under the contract).

If you have any questions regarding data security, please contact WPP AUNZ’s Group Chief Information Officer, Eduardo Dowd (Eduardo.Dowd@wppaunz.com).

If a Group Company suffers any loss of personal information, or detects any unauthorised access or attempted access to Group Company computer systems, the Group Company must inform the WPP AUNZ CIO and the WPP AUNZ General Counsel immediately, in accordance with WPP’s Incident Management & Reporting procedures (see section 6 of 18C Information Security Policy).

18E7 Retention of Personal Information

All personal information must be retained in accordance with the Information Security Policy. The Privacy Act itself sets no minimum retention period in Australia; under APP 11, personal information that is no longer needed for a permitted purpose must be destroyed or de-identified unless another law requires it to be kept. You should also check the data retention terms in client contracts, which may require specific retention periods (these may be longer than any legal minimum in a particular jurisdiction).

18E9 Disposal of Personal Information

Any personal information that is no longer needed, and that is not required to be kept by Applicable Laws, must be disposed of in a secure and confidential manner. Group Companies must follow the guidelines in the Information Security Policy for disposing of personal information securely.

18E10 Transfer of Personal Information

Human Resources and client-related personal information is transferred periodically across Group Companies and to WPP offices in London and New York. Data is also frequently shared with vendors to provide services to clients and employees.

Group Companies should ensure that transfers are necessary for legitimate business purposes, such as the delivery of group wide benefits or in performance of a specified client contract.

Appropriate methods and protocols should be in place to transfer personal information securely. Adequate security helps to reduce breaches, loss, and access by unauthorised parties.

18E11 Questions

The following WPP AUNZ representatives are available to answer questions on data protection and privacy.

Legal Advisory: Cheryl Isles & Lisa Panucci, WPP AUNZ Legal – Cheryl.Isles@wppaunz.com & Lisa.panucci@wppaunz.com

Technology Security: Eduardo Dowd, WPP AUNZ Group Chief Information Officer – Eduardo.Dowd@wppaunz.com, and Tom Ceglarek, WPP AUNZ Chief Information Officer – Tom.Ceglarek@wppaunz.com.