The aim of this 10 step guide is to help your organisation or agency protect other people's personal information.
Personal information is defined in s 6 of the Privacy Act 1988 (Cth) (Privacy Act). In short, it is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in material form. There are some obvious examples of personal information, such as a person's name and address. Personal information can also include medical records, bank account details, photos, videos, and even information about what an individual likes, their opinions and where they work.
The 10 step guide gives a snapshot of some of the:
- privacy rights for individuals, and
- obligations that organisations and Australian, ACT and Norfolk Island Government agencies have under the Privacy Act.
1. Only collect information you need
Make sure individuals know what personal information your organisation or agency collects and why. Also ensure that:
- each piece of information is reasonably necessary for, or directly related to, one or more of the functions or activities of the organisation or agency, and
- the information is actually required in the circumstances.
Sometimes, activities can be carried out without collecting personal information at all, or with less of it. Where that is practicable, give individuals the option of dealing with your organisation or agency anonymously or under a pseudonym.
2. Don't collect personal information about an individual just because you think that information may come in handy later
Only collect information that is necessary at the time of collection, not because it may become necessary or useful at a later date. If you need it later, collect the information then.
3. Tell people how you are going to handle the personal information you collect about them
Have a publicly available policy that tells people how you handle personal information.
Also, when you collect personal information, always let people know why you need to collect the information, how you plan to use it, and who you are going to give it to. Make sure they know your contact details and, if they want to, how they can get access to their personal information.
4. Think before using personal information for a new purpose
Generally, organisations should not use personal information for a secondary purpose unrelated to the main purpose for which they collected the information.
Unless your organisation has consent from the individual concerned or authorisation under law, it should generally only use personal information for a secondary purpose if that purpose is:
- related to the purpose your organisation collected it for (directly related, if the information is sensitive information), and
- one the individual would reasonably expect.
Similarly, agencies must:
- only use personal information for a relevant purpose, and
- take reasonable steps to ensure that personal information is accurate, up to date and complete before using it.
The OAIC website has more information on the obligations organisations and agencies have under the Privacy Act.
5. Think before disclosing personal information
The Privacy Act allows organisations and agencies to disclose personal information in some circumstances.
Sometimes, organisations and agencies disclose personal information when they don't need to, or without considering whether the disclosure is authorised under the Privacy Act.
Always think about whether a purpose can be achieved without disclosing personal information.
Good practice: Get consent from the individual if you want to disclose their personal information for a reason that is different from the reason you collected it.
6. If people ask, give them access to the personal information you hold about them
Organisations and agencies have a general duty to give individuals access to their personal information. Here are some things to consider:
- Be as open as possible by giving individuals access to their personal information in the form they request.
- If you deny access to personal information, give the reason — consistent with the Privacy Act — to the individual as soon as you can.
- An individual also has an alternative path when seeking information from an agency. If an individual seeks access under the Freedom of Information Act 1982 (Cth) (FOI Act), the agency is obliged to consider the request under the FOI Act rather than the Privacy Act. Access under the FOI Act may be subject to specific exemptions. This alternative applies only to agencies, not organisations.
The OAIC website has more information for agencies regarding the FOI Act.
7. Keep personal information secure
It is important that you keep personal information safe and secure from unauthorised access, modification or disclosure, and also against misuse, interference and loss.
The Privacy Act requires reasonable steps, not a fixed checklist. What is reasonable depends on the sensitivity and volume of the information you hold, the harm that would follow if it were compromised, and the circumstances of your organisation or agency.
Methods could include:
- considering the adequacy of existing security measures and procedures, including whether any relevant standards are met
- training staff in privacy procedures
- ensuring adequate IT security on work IT systems, such as firewalls, anti-virus scanners and cookie removers, and keeping that software and the systems it protects up to date
- checking that all personal information has been removed from electronic devices before you sell or destroy them
- keeping hard copy files in properly secured cabinets
- allowing staff to access personal information on a 'need to know' basis only
- regularly monitoring your information handling practices to ensure they are secure.
Depending on the size of your organisation and the information it collects, it may be prudent to have an external privacy audit done.
8. Don't keep information you no longer need or that you no longer have to retain
If you no longer need personal information and there is no law that says you have to retain the information, then destroy it or de-identify it.
- Shred, pulp or otherwise destroy paper records that contain personal information.
- Dispose of files in security bins.
- Delete electronic records or files securely so that they can't be retrieved. Ordinary deletion (including emptying the recycle bin) usually leaves the data recoverable, so use secure erasure, and remember that copies may also exist in backups, exports and email.
9. Keep personal information accurate and up to date
The accuracy and currency of personal information you hold can change. Your organisation or agency needs to take reasonable steps to keep the personal information it holds current. Amend your records to reflect changes and make sure both hard copy and electronic files are updated.
If you know that some personal information is likely to change regularly, go through the files periodically to ensure that your records are accurate and up to date.
10. Consider making someone in your organisation or agency responsible for privacy
This could be a designated person (often called a Privacy Contact Officer or Chief Privacy Officer) who:
- knows your organisation or agency's responsibilities under the Privacy Act, and
- is willing and able to handle complaints and enquiries about the personal information handling practices of your organisation or agency.
This person could also be responsible for implementing a complaint handling process, staff training programs and promoting Privacy Act compliance.