Do you have a plan to walk your business through privacy law reforms? The Office of the Information Commissioner (OAIC) recommends that businesses and government agencies with obligations under the Privacy Act 1988 (Cth) start planning now for the implementation of privacy law reform in March 2014. Below we provide guidance and links covering the significant new obligations and responsibilities that apply to a business which handles the personal information of individuals, to help you prepare for the changes coming your way next year.
Currently, businesses covered by the Privacy Act are subject to the 10 National Privacy Principles (NPPs), while most Australian, ACT and Norfolk Island government agencies must comply with 11 Information Privacy Principles (IPPs). Under the new privacy law the IPPs and NPPs will be replaced by the new, unified, Australian Privacy Principles (APPs). This is just one of the many significant changes to the Privacy Act.
The OAIC has outlined some questions you can ask yourself to see what your requirements may be within the new privacy laws:
• Does your business or agency handle personal information? There are some changes to what constitutes personal information under the Privacy Act.
• Do you need to review your business or agency’s outsourcing arrangements? You will need to do this particularly if you are sending personal information overseas.
• Do you use direct marketing to reach your customers? If you do, you will need to provide an easy way for people to opt-out of receiving these communications. There are some new rules in the area of direct marketing.
• Does your business or agency receive unsolicited personal information? There are some new rules on how to handle this information.
• Do your information security systems need to be reviewed and updated?
We recommend you download the OAIC’s Guide to Information Security (PDF) – an essential document for any business or agency that is required to protect the personal information of individuals.
If you are directly handling personal information, see also the OAIC’s Privacy Factsheet 7, ‘Ten steps to protect other people’s personal information’, reproduced below:
The aim of this 10 step guide is to help your organisation or agency protect other people’s personal information.
Personal information is defined in s 6 of the Privacy Act 1988 (Cth) (Privacy Act) and means information that identifies or could reasonably identify an individual. There are some obvious examples of personal information, such as a person’s name and address. Personal information can also include medical records, bank account details, photos, videos, and even information about what an individual likes, their opinions and where they work.
The 10 step guide gives a snapshot of some of the privacy rights for individuals, and obligations that organisations and Australian, ACT and Norfolk Island Government agencies have under the Privacy Act.
The OAIC website has more information for organisations and agencies. You can also call our Enquiries Line on 1300 363 992.
1. Only collect information you need
Make sure individuals know what personal information your organisation or agency collects and why. Also ensure that:
• each piece of information is necessary for any of the functions or activities of the organisation or agency, and
• the information is required in the circumstances.
Sometimes, activities can be carried out without collecting personal information. This allows individuals to interact anonymously with your organisation or agency.
2. Don’t collect personal information about an individual just because you think that information may come in handy later.
Only collect information that is necessary at the time of collection, not because it may become necessary or useful at a later date. If you need it later, collect the information then.
3. Tell people how you are going to handle the personal information you collect about them.
Have a publicly available policy that tells people how you handle personal information. Also, when you collect personal information, always let people know why you need to collect the information, how you plan to use it, who you are going to give it to. Make sure they know your contact details and, if they want to, how they can get access to their personal information.
4. Think about using personal information for a particular purpose.
Generally, organisations should not use personal information for a secondary purpose unrelated to the main purpose for which they collected the information. Unless your organisation has consent from the individual concerned or authorisation under law, it should generally only use personal information if it is:
• related to the purpose your organisation collected it for, and
• within the reasonable expectations of the individual.
Similarly, agencies must:
• only use personal information for a relevant purpose, and
• take reasonable steps to ensure that personal information is accurate, up to date and complete before using it.
The OAIC website has more information on the obligations organisations and agencies have under the Privacy Act.
5. Think before disclosing personal information
The Privacy Act allows organisations and agencies to disclose personal information in some circumstances. Sometimes, organisations and agencies disclose personal information when they don’t need to, or without considering whether the disclosure is authorised under the Privacy Act. Always think about whether a purpose can be achieved without disclosing personal information.
Good practice: Get consent from the individual if you want to disclose their personal information for a reason that is different from the reason you collected it.
6. If people ask, give them access to the personal information you hold about them
Organisations and agencies have a general duty to give individuals access to their personal information. Here are some things to consider:
• Be as open as possible by giving individuals access to their personal information in the form they request.
• If you deny access to personal information, give the reason — consistent with the Privacy Act — to the individual as soon as you can.
An individual also has an alternative path when seeking information from an agency. If an individual seeks access under the Freedom of Information Act 1982 (Cth) (FOI Act), the agency is obliged to consider the request under the FOI Act rather than the Privacy Act. Access under the FOI Act may be subject to specific exemptions. This alternative applies only to agencies, not organisations. The OAIC website has more information for agencies regarding the FOI Act.
7. Keep personal information secure
It is important that you keep personal information safe and secure from unauthorised access, modification or disclosure and also against misuse and loss. How you do this depends on the sensitivity of the information you hold, and the circumstances of your organisation or agency. Methods could include:
• considering the adequacy of existing security measures and procedures, including whether any relevant standards are met
• training staff in privacy procedures
• ensuring adequate IT security, such as installing firewalls, cookie removers and anti-virus scanners on work IT systems
• checking that all personal information has been removed from electronic devices before you sell or destroy them
• keeping hard copy files in properly secured cabinets
• allowing staff to access personal information on a ‘need to know’ basis only
• regularly monitoring your information handling practices to ensure they are secure.
Depending on the size of your organisation and the information it collects, it may be prudent to have an external privacy audit done.
8. Don’t keep information you no longer need or that you no longer have to retain
If you no longer need personal information and there is no law that says you have to retain the information, then destroy it. Shred, pulp or otherwise destroy paper records containing personal information. Dispose of files in security bins. Delete electronic records or files securely so that they can’t be retrieved.
9. Keep personal information accurate and up to date
The accuracy and currency of personal information you hold can change. Your organisation or agency needs to take reasonable steps to keep the personal information it holds current. Amend your records to reflect changes and make sure both hard copy and electronic files are updated. If you know that some personal information is likely to change regularly, go through the files periodically to ensure that your records are accurate and up to date.
10. Consider making someone in your organisation or agency responsible for privacy
This could be a designated person (often called a Privacy Contact Officer or Chief Privacy Officer) who:
• knows your organisation or agency’s responsibilities under the Privacy Act, and
• is willing and able to handle complaints and enquiries about the personal information handling practices of your organisation or agency.
This person could also be responsible for implementing a complaint handling process, staff training programs and promoting Privacy Act compliance.
Don’t leave privacy to chance.
In tomorrow’s Privacy Awareness Week 2013 post – we look at the Privacy Reforms aimed at protecting individuals, and their credit file from identity theft.