Publication date: 16 March 2017

Introduction

The Office of the Australian Information Commissioner (OAIC) is providing this self-assessment checklist to assist service providers in considering their privacy obligations under the Data Retention Scheme.

Background

Pursuant to legislative amendments introduced by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth), service providers must retain certain telecommunications data for a period of two years. This legislation also requires all service providers that collect and retain telecommunications data under the Data Retention Scheme to comply with the Privacy Act 1988 (Cth) in relation to that data. Since October 2015, the Data Retention Scheme has operated in an implementation period to allow service providers to prepare for compliance with the scheme. The implementation period will end in April 2017.

The OAIC’s preferred regulatory approach is to facilitate compliance with privacy obligations and to work with entities to ensure best privacy practice and prevent privacy breaches. We have previously published a resource to inform service providers about their privacy obligations under the Data Retention Scheme.

Why use the checklist?

The self-assessment checklist will help your organisation:

  • identify how to meet these privacy obligations
  • identify how to improve your existing privacy management framework
  • identify potential areas of privacy risk
  • mitigate these risks by improving compliance with the Privacy Act, in light of the Data Retention Scheme.

For example, this may include creating or updating your organisation’s policy documentation or changing some of your organisation’s business processes for handling personal information. The checklist may also assist you in regularly reviewing your organisation’s privacy management framework and practices.

How to use the checklist

Each question in the checklist prompts a ‘yes’ or ‘no’ answer. Alongside each question, there is guidance on how to interpret the question, including some links to relevant OAIC resources. There are also some examples of answers that may be suitable for certain questions, and some key terms are defined in footnotes throughout.

Where your organisation has answered ‘yes’ to a question, you should generally be able to point to a policy or procedural document from your organisation that supports your response. For example, if you answer that your organisation has access controls to protect the personal information you hold, you should be able to refer to written policies or business rules that explain what those access controls are. If you are unable to identify a document that supports your response, you should consider creating one for your organisation, or updating existing documentation to ensure that your organisation’s privacy management is up to date.

Some questions may not apply to your organisation directly. For example, if your organisation is small, there may not be a specific privacy officer role. However, you could interpret the question as asking whether there is someone responsible for overseeing the privacy responsibilities within your organisation.

We are open to discussing this checklist and/or your organisation’s responses with you. Should you wish to do so, please contact us.

The checklist has four columns: Question | Y/N | Details/documentation | OAIC guidance. Each numbered item below gives the question, a blank Y/N cell, example details/documentation, and the OAIC guidance.

1 – Overall privacy management

Does your organisation have someone responsible for overall privacy management?

 

e.g. the Chief Information Officer is accountable to the CEO for privacy matters and reports on privacy matters fortnightly

Organisations should appoint key roles and responsibilities for privacy management, including a senior[1] member of staff with overall accountability[2] for privacy. Small-sized service providers may have one person occupying this role at the same time as other management roles.

The OAIC’s Privacy Management Framework provides steps the OAIC expects organisations to take to meet their ongoing obligations to manage personal information[3] in an open and transparent way.

2 – Day-to-day privacy management

Does your organisation have someone to manage privacy issues on a day-to-day basis?

 

e.g. we have a privacy officer who is involved in the development of new information handling processes / we have a member of staff who has privacy compliance written into their KPIs

Depending on the size of their operations, organisations should have one or more staff responsible for managing privacy, including a key privacy officer. These staff should be responsible for handling internal and external privacy enquiries, complaints, and access and correction requests. Small-sized service providers may have one person occupying this role at the same time as other operational roles.

3 – Privacy reporting

Does your organisation record and report on privacy risks[4] and issues?

 

e.g. we have a privacy risk register to record any issues / management reviews the risk register / we include privacy issues as a standing agenda item in team meetings

Organisations should facilitate effective reporting mechanisms at all levels, and have an established process for reporting privacy risks to management.

Your organisation may also have done, or be considering doing, a privacy impact assessment of your business systems and processes operating under the Data Retention Scheme. The Guide to undertaking privacy impact assessments may be useful.

4 – Privacy training

Does your organisation integrate privacy into training and induction processes[5] for staff?

Are staff provided with regular and clear guidance on how to handle personal information in their day-to-day work?

 

e.g. all new staff are inducted to privacy and privacy training is provided annually to staff. Privacy resources are published on the intranet for staff to access and a privacy officer is available to answer enquiries from staff.

The OAIC has a number of training resources to help your organisation with this. The OAIC also has a number of business resources that may be useful.

5 – Privacy policies

Does your organisation have a clearly expressed and up to date privacy policy?[6]

 

e.g. we have a privacy policy, and we ensure that we update this.

Your organisation should ensure your privacy notices are also up to date and consistent with your privacy policy. The privacy policy must explain how your organisation manages individuals’ personal information, including retained data. The Guide to developing an APP privacy policy[7] provides tips and a checklist to help your organisation develop and assess your privacy policy.

6 – Consumer access to personal information

Does your organisation have processes for receiving and responding to privacy enquiries, complaints or requests for access to personal information from consumers?

 

e.g. we ensure that the information about how to make a privacy complaint is easy to find. Privacy complaints are then identified and directed to the appropriate staff. We regularly review the issues raised by privacy complaints.

The OAIC’s Handling privacy complaints resource provides information to help your organisation address a privacy complaint.

Chapter 12 of the OAIC’s APP Guidelines provides guidance on the reasonable steps organisations can take to ensure individuals have access to their personal information on request.

APP 12 contains some minimum access requirements, including the time period for responding to an access request, how access is to be given, and that a written notice, including the reasons for the refusal, must be given to the individual if access is refused.

7 – Disclosure of personal information to law enforcement

Does your organisation have processes in place to respond to requests for access to personal information from law enforcement agencies?

  

A limited group of enforcement and security agencies are authorised to obtain telecommunications data, including personal information, in certain circumstances. The Attorney-General’s Department’s data retention website contains some guidance on service provider obligations under the data retention scheme.

8 – ICT security

Does your organisation have ICT security processes and controls in place to protect personal information?

 

e.g. we have processes and controls regarding:

  • software security
  • encryption
  • network security
  • whitelisting
  • blacklisting
  • testing
  • backing up
  • email security.

The OAIC’s Guide to securing personal information sets out a number of ICT security steps that organisations should consider taking to protect the personal information they hold.

Organisations should take particular note of their processes for encrypting personal information. Encryption of retained data is a specific security requirement under the data retention scheme (see s 187BA of the Telecommunications (Interception and Access) Act 1979 (Cth), which also requires retained data to be protected from unauthorised interference or unauthorised access), so your organisation should be able to document what is encrypted, at rest and in transit, and how the keys are managed.

9 – Access security

Does your organisation have access controls in place to protect personal information?

 

e.g. we have an access control policy which applies to everyone handling personal information.

Access security and monitoring controls help your organisation protect against internal and external risks by ensuring that personal information is only accessed by authorised persons, and that access can be reviewed afterwards.

To minimise this risk, your organisation should, wherever possible, limit internal access to personal information to those staff who require it to do their job, and remove access when it is no longer needed. Your organisation should use mechanisms to authenticate users requesting access to your systems and to confirm that they are authorised for the information they request, and should log and periodically review access to retained data.

The OAIC’s Guide to securing personal information has more information about access security.

10 – Data breach response

Does your organisation have a data breach[8] response plan?

 

e.g. we have a data breach response plan document / we have a wider crisis management plan, which includes how to respond to a data breach

The OAIC’s Guide to developing a data breach response plan will help your organisation to develop its data breach response plan.

The OAIC’s Data breach notification — A guide to handling personal information security breaches also provides guidance to assist your organisation respond effectively to data breaches.

11 – Accuracy of personal information

Does your organisation have processes in place to ensure that personal information you hold is accurate and kept up-to-date?

 

e.g. we have processes regarding:

  • systems to monitor and audit the quality of personal information
  • ensuring information collected is recorded in a consistent format
  • ensuring newly collected personal information is added to relevant existing records
  • reminding individuals to update their personal information at regular intervals
  • contacting individuals to verify the quality of personal information, particularly if there has been some time since collection
  • ensuring that third parties that collect personal information on the organisation’s behalf have processes to ensure quality.

Chapter 10 of the OAIC’s APP Guidelines provides guidance on the reasonable steps organisations can take to ensure the personal information they collect is accurate, up-to-date and complete.

12 – De-identification or destruction of personal information

Does your organisation have processes in place to ensure that personal information is de-identified[9] or destroyed once it is no longer in use (after the mandatory retention period)?

 

e.g. we have processes regarding:

  • making staff aware of the need for de-identification or destruction and related processes
  • enforcing data destruction periods
  • putting the information ‘beyond use’
  • identifying de-identification and re-identification risks
  • maintaining a data governance[10] policy
  • auditing de-identified data to ensure it remains de-identified

The OAIC’s Guide to securing personal information sets out steps organisations can take to destroy or de-identify personal information.

13 – Reviews of privacy practices

Did your organisation undertake any reviews to assess the compatibility of your personal information handling processes with the Data Retention Scheme?

 

e.g. we have reviewed our processes to ensure the encryption of personal information, and to protect it from unauthorised interference or unauthorised access, under s 187BA of the Telecommunications (Interception and Access) Act 1979 (Cth)

Organisations should monitor and review their privacy processes regularly. This could include assessing the adequacy and currency of your practices, procedures and systems, including your organisation’s privacy policy and privacy notices, to ensure they are up to date and being adhered to.

14 – Feedback on privacy practices

Does your organisation have channels for customers and staff to provide feedback on privacy issues related to the Data Retention Scheme?

 

e.g. we have a suggestion box / feedback form

Your organisation should facilitate accessible channels for reporting issues and providing feedback on your privacy management of the retained data.

15 – Process improvement

Has your organisation incorporated any review findings or feedback to improve personal information handling practices under the Data Retention Scheme?

 

e.g. we have devised a plan of actions to address the recommendations made in a recent privacy impact assessment on our new business processes under the Data Retention Scheme.

Your organisation may have reviewed and updated your public facing policy documents to reflect any changes to your practices brought about by the Data Retention Scheme, and any subsequent feedback.

16 – Monitoring

Does your organisation monitor and address new security risks and threats that may be relevant to the personal information you hold?

  

Your organisation can keep informed of issues and developments in privacy law and changing legal obligations by subscribing to the OAIC’s news email list for updates. Your organisation can also participate in privacy seminars, including the OAIC’s webinars.

Organisations should monitor and address new security risks and threats. Subscribe to the Stay Smart Online Alert Service and follow the steps it suggests for ensuring online security, including implementing software updates and patches. The Australian Cyber Security Centre and CERT Australia also provide guidance on cyber security issues.

Footnotes

[1] Senior: someone in a prominent position within the organisational structure.

[2] Accountability: being responsible for a process or outcome.

[3] Personal information: information or an opinion about an identified individual or an individual who is reasonably identifiable.

[4] Privacy risks: the risks associated with not managing, collecting, using, or securing personal information in accordance with the Privacy Act.

[5] Processes: outlines for the measures, steps, and procedures used in achieving outcomes or responding to events.

[6] Privacy policy: an accurate description and summary of how your organisation currently handles personal information.

[7] APPs: Australian Privacy Principles. Found in the Privacy Act.

[8] Data breach: when personal information held by an organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.

[9] De-identification: personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.

[10] Governance: the structure, system, or manner of controlling something.